Incident Response Definition 

What is incident response?   

Incident response encompasses the people, processes, and technologies that an organization uses to mitigate damage in the event of a cybersecurity incident. An incident is any negative security event that affects an organization's devices, servers, or systems; it can be anything from an employee clicking a link in a phishing email to a full-fledged distributed denial-of-service (DDoS) attack.

To facilitate effective incident response, it's essential that every organization have an incident response plan in place, with repeatable procedures and a carefully defined approach to handling a security event from discovery to recovery. For managed service providers (MSPs), efficient incident response is only possible if the organization has taken the time to fully examine and document its IT assets, security architecture, and service dependencies.

Because even the best-laid plans can go awry, an organization's incident response capabilities should be flexible enough to account for the unexpected within each phase. Inspired by the National Institute of Standards and Technology (NIST), here are six areas we recommend your organization consider across the incident response lifecycle:

Preparation  

This involves establishing security policies and installing the right capabilities so that you can identify the start of an incident and begin to recover as soon as possible. Preparation also includes training your staff in the tools, investigative techniques, and business processes required for their roles and responsibilities.

Identification  

In this stage the focus is on pinpointing the actual incident and determining whether your systems and data have been breached. Security information and event management (SIEM) and endpoint detection and response (EDR) solutions are useful technologies for identifying and analyzing indicators of irregular activity within your environment.
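The kind of correlation a SIEM performs during the Identification stage can be shown with a small rule: flag any source that produces a burst of one event type inside a sliding time window, then check whether a successful login from that source followed the burst, which is the indicator a responder would escalate for breach assessment. This is an added example, not code from the original page or from ConnectWise; the log format, field names, threshold, window size and every sample log line are constructed for the illustration.

```python
"""Added example: a minimal SIEM-style correlation rule for the Identification
phase. It flags any source that produces at least `threshold` events of one
type inside a sliding window, then records whether a login_success from that
source followed the burst. Log format, field names, threshold, window and all
sample lines are constructed for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "<ISO timestamp> <source> <event>".
# 10.0.0.5: five failures in 20 seconds, then a success (burst, then breach indicator).
# 10.0.0.7: two isolated failures (ordinary noise).
# 10.0.0.9: five failures spread over five minutes (too slow for a 60-second window).
SAMPLE_LOGS = """
2024-05-01T09:00:00 10.0.0.5 login_failed
2024-05-01T09:00:05 10.0.0.5 login_failed
2024-05-01T09:00:09 10.0.0.5 login_failed
2024-05-01T09:00:14 10.0.0.5 login_failed
2024-05-01T09:00:20 10.0.0.5 login_failed
2024-05-01T09:00:22 10.0.0.7 login_failed
2024-05-01T09:00:30 10.0.0.5 login_success
2024-05-01T09:10:00 10.0.0.7 login_failed
2024-05-01T09:15:00 10.0.0.9 login_failed
2024-05-01T09:16:00 10.0.0.9 login_failed
2024-05-01T09:17:30 10.0.0.9 login_failed
2024-05-01T09:19:00 10.0.0.9 login_failed
2024-05-01T09:20:30 10.0.0.9 login_failed
"""


def parse_logs(text):
    """Turn the constructed text format into dicts with ts/src/event keys."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts, src, event = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "event": event})
    return records


def find_bursts(records, event, threshold, window_seconds):
    """Return one alert per source whose count of `event` reaches `threshold`
    within any span of `window_seconds`. A per-source deque is the sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] != event:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in alerts:
            alerts[rec["src"]] = {
                "src": rec["src"],
                "first": q[0],
                "last": rec["ts"],
                "count": len(q),
            }
    return list(alerts.values())


def mark_success_after(alerts, records, window_seconds):
    """Set `success_after` on each alert if the same source logged in
    successfully within `window_seconds` after the end of its burst."""
    window = timedelta(seconds=window_seconds)
    for alert in alerts:
        alert["success_after"] = any(
            rec["src"] == alert["src"]
            and rec["event"] == "login_success"
            and alert["last"] <= rec["ts"] <= alert["last"] + window
            for rec in records
        )
    return alerts


def triage(log_text, threshold=5, window_seconds=60):
    """Run the rule over raw log text and return the enriched alerts."""
    records = parse_logs(log_text)
    alerts = find_bursts(records, "login_failed", threshold, window_seconds)
    return mark_success_after(alerts, records, window_seconds)


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

With the default 60-second window only 10.0.0.5 is flagged, and its `success_after` flag is what turns a noisy "failed logins" alert into a lead worth investigating for a breach. The slow spread from 10.0.0.9 evades the narrow window entirely, which is why threshold and window values need tuning against your own environment's baseline rather than being fixed once; widening the window to 600 seconds catches it as well. A rule like this produces a lead for a responder to confirm, not a confirmed incident.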

Containment   

You must act quickly to contain confirmed threats, including taking steps to minimize identified damage or exploitation in order to limit any possible spread to other networks and hosts within your environment and to those of your customers. Collecting and preserving evidence, blocking firewall ports, logging access, and isolating and patching systems may play a large part in your containment phase.

Eradication  

After the containment phase, you will often have to make further efforts to completely remove the underlying components of the incident and to address any vulnerabilities exposed during the incident. As with containment, eradication involves a sufficient period of monitoring to ensure the security and integrity of your systems and to verify that the root cause of the incident has been fully stopped and removed.

Recovery 

In this phase, your business must focus on restoring any compromised hosts, applications, or networks to normal operations. As part of your incident response plan, your organization should have a business continuity and disaster recovery (BCDR) plan in place that details the actions needed to rebuild infected systems, replace compromised files, reset passwords, patch systems, and secure network perimeters.

Takeaways   

A crucial (but often overlooked) part of incident response is to document, communicate, and build upon lessons learned. This phase provides an opportunity for your key stakeholders and staff to collaborate and discuss the overall experience in order to respond better to any future incidents. The threat landscape is constantly evolving, so you should also look for ways to regularly use cybersecurity research to inform your incident response capabilities.

The MSP role in incident response  

As MSPs continue to play a bigger role in providing cybersecurity protection for companies, it’s important to learn how you can help improve your clients’ security through offerings and services related to incident response.  

24/7 threat monitoring and response 

Because cyber attacks can occur at any time, your business and its clients need rapid, continuous threat detection and response capabilities. Enter: the security operations center (SOC). A SOC is a 24/7 team of experts who proactively hunt for, triage, and respond to cyber threats in real time.  

The unfortunate reality is that most organizations don't have the resources required to build out a full internal SOC, which costs an average of $2.86 million annually to staff in house. To overcome cost as a barrier to entry, MSPs can work with a SOC provider that serves as an extension of their in-house security team — even if you are the only member. What's more, this gives you the ability to offer your clients SOC-as-a-Service solutions that can seamlessly scale as needed.

Threat intelligence  

As mentioned above, it can be incredibly beneficial to use the latest cybersecurity research to inform and enhance your incident response capabilities. Creating or working with a threat research team (also called a threat intelligence team) can help MSPs stay on top of emerging security threats and provide best-in-class guidance to their customers. There are many options available here depending upon your industry. Consider researching an information sharing and analysis center (ISAC) or organization (ISAO) for industry-specific threat intelligence.

Because the goal of cyber threat intelligence is to benefit the information security community at large, many leading threat research teams provide their findings to the public via free, regularly updated data feeds.

Did you know?

69 percent of organizations say that their cybersecurity efforts emphasize incident response over proactive activities like threat hunting or utilizing threat intelligence.

The Cybersecurity Illusion Report from Ponemon Research

Additional resources

How to Conduct an Effective Cybersecurity Analysis: A Guide for MSPs

Cybersecurity incidents are now impacting businesses of all sizes. Your customers are likely wondering how you can help them become more secure. From privacy program reviews to incident response plan development, here are six areas to focus on when conducting a cybersecurity analysis.

Blog post >>
ConnectWise Cybersecurity Starter Kit

Want to get started selling cybersecurity? We’ve put together a kit to help. Download the kit today for helpful resources that will transform your business from an MSP to an MSP+ model, including educational information for your SMB customers, templates, and more. 

Kit >>
The SMB Cybersecurity Checklist

How secure are your SMB clients? Chances are, they may not fully understand their risks and exposures. Use this 30-item checklist to start the conversation around cybersecurity, help them understand the cybersecurity landscape, and assess their security postures.

Checklist >>
Cybersecurity in an Era of Competing Priorities: The State of SMB Cybersecurity in 2021

SMBs are not immune from cybersecurity risks—quite the contrary. Our 2021 survey of 700 SMB decision makers uncovered interesting findings about how these businesses are thinking about cybersecurity, their spending plans, and what motivates them when it comes to security. 

Report >>
The Security Journey Self Assessment

Wondering where you stand in your cybersecurity journey? Take this assessment to understand how advanced your cybersecurity knowledge is and to identify areas where you can expand upon your understanding of key cybersecurity concepts and precautions.

Assessment >>
3 steps to stop cyberattacks: prevention, detection, and reaction

Do you know all of the factors involved with cyber threat prevention, detection, and reaction? Many cybersecurity tactics and solutions include one or two of these, but do not provide full coverage. Dive into the different responsibilities and process requirements involved with each of these critical steps.

Blog post >>