“If you’re only relying on a firewall and antivirus, you’re not going to have the ability to stop or respond to today’s threats.” – A great incident response investigator.
We’re not sure who said the quote above, but it’s the truth. Today’s threats go well beyond what a firewall or antivirus can prevent or detect. Email is the number one way ransomware is spread, and it is so damaging to security and compliance because firewalls and antivirus cannot detect every variant in circulation, even with definitions and firmware fully up to date. If you fall under regulations such as HIPAA or GLBA, you are expected to have an incident response plan, and you also need the systems in place to actually execute that plan. In particular, the HIPAA Security Rule at 45 CFR 164.308(a)(6), ‘Security incident procedures’, with its ‘Response and reporting’ implementation specification, is one of the most critical HIPAA sections: if you can’t detect a threat, how can you respond to it? Let’s take a look at the six steps of what happens when you have a breach.
- Good preparation is key. Preparing a team for an incident before it happens (when, not if) determines whether you hit the ground running or trip and fall at the starting line.
- Identification is crucial. What counts as an incident under your own definitions or the regulator’s? Are there indicators we can act on now, or can a low-level alarm safely be ignored?
- Containment is strategic. Compromised systems need to be isolated. But what are your emergency access procedures, and how do they come into play when you still need to reach the data on those systems?
- Eradication is vital. Removing the threat from your systems and network, along with the access path the attacker used to get in, determines whether your network is down for a few hours or a few weeks!
- Recovery is significant. How do you reintroduce systems into your production environment? Bring them back under heightened-priority monitoring so that any foothold eradication missed is caught quickly.
- Lessons Learned is reflective. Write a comprehensive report to guide future incidents and the hardening of your network. If you fall under regulations, the enforcing authority is going to want to see those reports.
We know from past experience that attackers are opportunistic: they go after the lowest-hanging fruit. The higher you hang the fruit, the less likely anyone is to put forth the effort to reach it.
Do you have questions about what systems to put in place for a successful incident response plan? Take your first step with a consultation, and we’ll walk you through what a successful incident response looks like for your network.
Important Roles in Incident Response
According to figures reported by SecurityWeek.com, the median attacker dwell time (the number of days attackers were present on a victim's network before being discovered) dropped to 146 days in 2015 from 205 days in 2014, continuing a positive trend from 416 days back in 2012. Unfortunately, Blackthorn Secure responded to a recent breach at a medical facility that had gone undetected for more than 180 days. It's important to understand how response time can greatly reduce the amount of damage done in a breach.