The cyber security industry today offers a wide variety of solutions aiming to mitigate attacks that are becoming more common and more sophisticated, making it increasingly difficult to detect, manage and respond to breaches as effectively and as efficiently as possible. But, the fact alone that there is no shortage of potential solutions out there to choose from, doesn’t make the challenge of having to deal with the overwhelmingly frequent and complex attacks less grueling. In fact, it can make the task that much more daunting, with the vast pool of tools and platforms available making it difficult for CISOs to decide which solutions to adopt, considering that there is rarely one that addresses all the different security elements required, as well as the specific organizational needs, such as affordability and ease of implementation and management.
With that in mind, it’s safe to say that a solution capable of covering as many angles of the cybersecurity spectrum as possible would serve well to organizations being faced with data breaches on a regular basis. It’s exactly that ability to cover multiple aspects of an organization’s cybersecurity defense that makes DFLabs’ IncMan stand out from the crowd, and one of the factors that helped it to achieve two highly coveted awards at the latest edition of the prestigious GSN Homeland Security Awards.
Holistic Approach to Incident Management and Response
The two platinum awards received by DFLabs were in the Best Continuous Monitoring & Mitigation, and Best Cyber Operational Risk Intelligence Solution categories, respectively. This highlights IncMan’s versatility and ability to save valuable time when responding to an incident and when helping to detect and prevent future attacks.
Computer Security Incident Response Teams (CSIRTs) can benefit immensely from features such as automated collection of threat intelligence, triage, threat containment, as well as processes that help make threat hunting and investigation more efficient. With these types of functionalities, platforms like IncMan help cut incident resolution times drastically and improve the effectiveness of CSIRTs, significantly increasing their incident handling capacity.
The above capabilities that IncMan boasts are in large part a result of the background in law enforcement and intelligence of the people who were involved in creating the platform. These experiences have allowed them to better understand the challenges security teams face when trying to resolve an incident and address their needs in terms of dealing with continuously increasing number of alerts, underlining the necessity of automating certain tasks and adopting an orchestrated approach to incident response. As the nature of cyber security attacks continues to evolve over time, so does the sophistication and capabilities of the platform to ensure organizations always remain one step ahead.
The typical cyber security incident response process is carried out in several stages, and mitigation activities are a significant part of that process, as they are meant to help eradicate an incident and prevent it from expanding. The Cybersecurity Framework, published by the National Institute of Standard and Technology (NIST) back in 2014, offers a separate section on mitigation as part of the broader incident response effort, advising companies on the immediate steps they are supposed to take following a cyber security event.
The NIST Framework section dedicated on mitigation includes the following steps: contain, reduce impact, eradicate, document. Going through all these steps can be time-consuming and can waste a significant amount of a company’s resources, which is why companies need to consider implementing a software solution that can help their cyber security teams save valuable time while performing these tasks. Incident response platforms with automation-and-orchestration capabilities are the ideal solution for every organization that’s required to mitigate cyber security incidents fast and effectively.
Automated Playbooks for Specific Types of Incidents
By using a cyber incident response platform, companies can take advantage of its numerous features relating to mitigation, such as automated playbooks, workflows, evidence tracking for forensic analysis, and reporting, to name a few.These platforms provide a set of workflows that apply to all different scenarios involving various types of cyber security events, including malware attacks, phishing incidents, or data breaches. The workflows help a company’s cyber security team analyse exactly what action to take depending on the type of attack. For instance, if your company faces a phishing attack, a workflow will guide your CSIRT through the containment process, with actions like checking the source-code of the phishing website and spreading the URL of the attack on all accessible web browsers.
These platforms provide a set of workflows that apply to all different scenarios involving various types of cyber security events, including malware attacks, phishing incidents, or data breaches. The workflows help a company’s cyber security team analyse exactly what action to take depending on the type of attack. For instance, if your company faces a phishing attack, a workflow will guide your CSIRT through the containment process, with actions like checking the source-code of the phishing website and spreading the URL of the attack on all accessible web browsers.When it comes to reducing the impact of an incident – related to a malware attack, for example – you can use an incident response platform’s playbooks to figure out how to configure servers and email clients to block emails providing suspicious files, after having identified them, or to block malicious code, and how to identify and isolate the host that has been recognized as a source of the infection.
Few Simple Steps to Eradicate and Document
As far as eradication is concerned, it’s also mostly associated with malware attacks, a highly effective solution is an automated incident response platform. It can help you identify all vulnerabilities and remove the malware fast from all affected hosts, while also allowing you to proceed to the final stage of the mitigation procedure – documentation of an incident. These types of platforms have the ability to preserve, secure and document digital evidence, to allow a proper forensic analysis that would help determine where the attack came from, how it was conducted, and how similar attacks can be prevented in the future.
In the upcoming months we will share details that outline our successful methodology “Supervised Active Intelligence”. We envision a world where your security team is empowered with all the information they need to make an intelligent, informed security decision based on coordinated information, intelligence and incident enrichment activities as early in the incident response life-cycle as possible.
We speak to a lot of Security Operations Center (SOC) personnel who want information in front of them before they start investigating. This is a part of human nature. We want as much information as we can get in order to make a decision. Too often we find that SOC teams spend most of their time digging around for information that is readily available in our Enrichment package within IncMan™
Conversely another problem we see is that businesses are drowning in technology. In fact, few know how many products they have at their disposal. This is something that’s not too uncommon, the purchase of more products leads to a false sense of security. We even see businesses use manual methods of cataloging and managing cyber/physical incidents by the use of Microsoft Excel
IncMan™ can leverage all of your endpoint/gateway malware analysis, intrusion detection/prevention and even intelligence services and put them in direct control with your Incident response. IncMan™ is able to leverage and directly interface within a single manageable interface. This will not only reduce up-skill for specific interfaces allowing less reliance on specialists, but allows your team to start the following chain of events:
• Enrich your team with all the required information to not only provide your immediate reaction teams with the information for decision makers, forensic coverage and reaction protocols
• Create your containment actions based on the products you have evaluated to meet a specific requirement in a company policy that aligns with best practice
• Mitigate the incident, providing evidence to legal entities, managed service providers and internal teams
• Re-mediate and action policy updates to your incident response, orchestrating your team as well as product solutions
• Feeding and influence knowledge bases, working with intelligence services and providing more information about what happened to your required services.
If you follow our standards and best practice, this will aid your GDPR readiness, HIPAA compliance, ISO 27001 and many more. Assuring for board members and management when a breach or other cyber events occur.
If you’re interested in seeing how we can work together to grow your incident response capabilities, visit us at https://www.DFLabs.com and schedule a demonstration of how we can utilize what you already have and make it better.