Effective Incident Response (IR) always involves the IT security professionals who know their business and cybersecurity posture best. But whose job is it to actually respond to incidents, and what are the best practices?
First, let’s define “response”
“Incident Response” is an ambiguous term that cybersecurity vendors and IT pros use loosely, and they sometimes end up talking past each other. It helps to remember that “response” comes in multiple stages. When it comes to cybersecurity monitoring, the Department of Homeland Security mantra “See Something? Say Something!” applies. So, first, make sure you can SEE more threats with wide attack surface coverage, deep threat intelligence, and smart incident correlation.
With effective Detection in place, Incident Response is the "Say Something" part; and we'd add "Do Something." Technically speaking, this consists of:
These are what we consider the three stages of Incident Response.
Who owns “Response”?
As you can probably see, no ONE party can effectively own everything involved in response. The hard truth is that the impacted organization is ultimately held accountable, and that accountability cannot be outsourced. However, your trusted cybersecurity partner should work with you to create an Incident Response playbook that defines swim lanes of responsibility.
Beyond that, let’s face the fact that it takes a village to respond, and identify who is best placed for each role in IR. In our shared security model, we propose that the 24x7 Managed Extended Detection & Response (MXDR) provider be responsible for monitoring, aka “See Something,” as well as for the initial response, “Say Something,” and even some of the “Do Something.” MXDR capabilities help identify threats sooner through always-on monitoring, proactive threat hunting, and automated and guided remediation paired with wide attack surface coverage. The organization’s IT team (or its MSP, if IT is outsourced) should be responsible for further action: hands-on system changes and policy updates to prevent recurrence.
Best Practices
Once you’ve determined the swim lanes in your IR playbook, here are some best practices we recommend.
1. Enlist 24/7 Managed Detection & Response Professionals
Managed security providers like Netsurion learn your environment, monitor it closely, and offer guided threat response. Consider a combination of skilled security analysts and an open XDR platform to accelerate and optimize your incident response. Furthermore, enlist partners for hands-on Digital Forensics and Incident Response (DFIR) should a breach occur.
2. Leverage Automated Incident Response as a Force Multiplier
Automated response capabilities use workflows to take immediate triage actions, automate remedial tasks, and orchestrate activity between multiple systems. For example, an automated response workflow could include:
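To make the idea of a response workflow concrete, here is an added illustration (not Netsurion’s platform code, and not part of the original article) of a small triage-enrich-decide-orchestrate playbook. The asset inventory, threat-intel list, alert records and connector functions are all constructed stand-ins held in memory so the script runs offline; a real deployment would call EDR, identity-provider, firewall and ticketing APIs in their place. It goes slightly beyond the text by showing the guardrails that separate “automated” from “guided” remediation: low-blast-radius steps run on their own, while isolating a crown-jewel system or disabling a privileged account is queued for an analyst.

```python
"""Toy automated-response playbook: triage -> enrich -> decide -> orchestrate.

Added example, not any vendor's workflow engine. Inventories, intel and
connectors below are constructed stand-ins so the script runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# --- Constructed reference data (stand-ins for a CMDB and a threat-intel feed) ---
ASSET_INVENTORY: Dict[str, dict] = {
    "WS-1042":   {"tier": "workstation", "owner": "jdoe"},
    "DB-PROD-1": {"tier": "crown_jewel", "owner": "dba-team"},
}
KNOWN_BAD_IPS = {"203.0.113.45"}            # TEST-NET-3 address, constructed IOC
PRIVILEGED_USERS = {"dba-team", "domain-admin"}


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    detection: str          # e.g. "credential_dumping", "beacon", "phishing_click"
    remote_ip: str = ""


@dataclass
class PlaybookResult:
    severity: str
    automated_actions: List[str] = field(default_factory=list)   # executed without a human
    pending_approval: List[str] = field(default_factory=list)    # guided: analyst must confirm
    notes: List[str] = field(default_factory=list)


# --- Connectors: stand-ins that record the call instead of hitting a real API ---
def isolate_host(host: str) -> str: return f"edr.isolate({host})"
def disable_account(user: str) -> str: return f"idp.disable({user})"
def block_ip(ip: str) -> str: return f"fw.block({ip})"
def open_ticket(alert_id: str, summary: str) -> str: return f"itsm.ticket({alert_id}: {summary})"


def triage(alert: Alert) -> str:
    """Score severity from the detection type plus enrichment (asset tier, user privilege, intel)."""
    base = {"credential_dumping": 3, "beacon": 2, "phishing_click": 1}.get(alert.detection, 1)
    tier = ASSET_INVENTORY.get(alert.host, {}).get("tier", "unknown")
    if tier == "crown_jewel":
        base += 1
    if alert.user in PRIVILEGED_USERS:
        base += 1
    if alert.remote_ip in KNOWN_BAD_IPS:
        base += 1
    return "critical" if base >= 4 else "high" if base == 3 else "medium" if base == 2 else "low"


def run_playbook(alert: Alert) -> PlaybookResult:
    """Decide containment: automate reversible, low-blast-radius steps; route risky ones to a human."""
    result = PlaybookResult(severity=triage(alert))
    tier = ASSET_INVENTORY.get(alert.host, {}).get("tier", "unknown")

    # Cheap and reversible: block a confirmed-malicious IP at the perimeter regardless of severity.
    if alert.remote_ip in KNOWN_BAD_IPS:
        result.automated_actions.append(block_ip(alert.remote_ip))

    if result.severity in ("high", "critical"):
        result.automated_actions.append(
            open_ticket(alert.alert_id, f"{result.severity}: {alert.detection} on {alert.host}"))
        # Guardrail: never auto-isolate a crown-jewel system; hand that decision to the on-call analyst.
        if tier == "crown_jewel":
            result.pending_approval.append(isolate_host(alert.host))
        else:
            result.automated_actions.append(isolate_host(alert.host))
        # Guardrail: disabling a privileged account can lock out responders, so it needs approval.
        if alert.detection in ("credential_dumping", "phishing_click"):
            queue = result.pending_approval if alert.user in PRIVILEGED_USERS else result.automated_actions
            queue.append(disable_account(alert.user))
    elif result.severity == "medium":
        result.automated_actions.append(
            open_ticket(alert.alert_id, f"medium: {alert.detection} on {alert.host}"))
    else:
        result.notes.append(f"{alert.alert_id}: low severity, logged for correlation only")
    return result


# Constructed sample alerts, one per decision branch.
SAMPLE_ALERTS = [
    Alert("A1", "WS-1042", "jdoe", "credential_dumping", "203.0.113.45"),
    Alert("A2", "DB-PROD-1", "dba-team", "credential_dumping"),
    Alert("A3", "WS-1042", "jdoe", "phishing_click"),
    Alert("A4", "WS-9999", "bob", "beacon"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        r = run_playbook(a)
        print(a.alert_id, r.severity, "auto:", r.automated_actions, "approve:", r.pending_approval, r.notes)
```

The split between `automated_actions` and `pending_approval` is the point of the example: the workflow still runs the triage and enrichment for every alert, but the actions with the highest potential for self-inflicted outage (isolating a production database, disabling an admin team’s account) are surfaced for a human rather than fired automatically. A real engine would also log every action to an audit trail and expose a rollback path for each connector.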
3. Share the Load
By working with a dedicated Managed XDR partner who guides you through defining your SecOps runbook and Incident Response playbook, you can free up your team to work on other projects while being ready to respond to cybersecurity incidents quickly and efficiently.
How can Netsurion help?
Netsurion offers both automated response through our Open XDR platform and guided remediation from our 24x7 SOC. Our SOC experts work with you to create a more efficient response that uses less of your organization’s resources. Learn more about Netsurion Incident Response and check out “Four Key Steps to Rapid Incident Response.”
Reach out to us to learn more about how we can help manage your Incident Response.