Incident Response Definition
What is incident response?
Incident response encompasses the people, processes, and technologies that an organization uses to mitigate damage in the event of a cybersecurity incident. An incident refers to any negative security event that affects an organization's devices, servers, or systems, and can include everything from an employee clicking on a link in a phishing email to a full-fledged distributed denial-of-service (DDoS) attack.
To facilitate effective incident response, it’s essential that every organization have an incident response plan in place, with repeatable procedures and a carefully defined approach to handling a security event from discovery to recovery. For managed service providers (MSPs), efficient incident response is only possible if the organization has taken the time to fully examine and document its IT assets, security architecture, and service dependencies.
Because even the best-laid plans can go awry, an organization’s incident response capabilities should be flexible enough to account for the unexpected within each phase. Inspired by the National Institute of Standards and Technology (NIST), here are six areas we recommend your organization consider across the incident response lifecycle:
Preparation
This involves establishing security policies and deploying the right capabilities so that you can identify the start of an incident and begin to recover as soon as possible. Part of preparation also includes training your staff in the tools, investigative techniques, and business processes required for their roles and responsibilities.
Identification
In this stage the focus is on pinpointing the actual incident and determining whether your systems and data have been breached. A security information and event management (SIEM) solution or an endpoint detection and response (EDR) solution is a useful technology for identifying and analyzing indicators of irregular activity within your environment.
Containment
You must act quickly to contain confirmed threats, taking steps to minimize identified damage or exploitation in order to limit any possible spread to other networks and hosts within your environment and to those of your customers. Collecting and preserving evidence, blocking firewall ports, logging access, and isolating and patching systems may make up a large part of your containment phase.
Eradication
After the containment phase, you will often have to make further efforts to completely remove the underlying components of the incident and to address any vulnerabilities exposed during the incident. Similar to containment, eradication involves a sufficient period of monitoring to ensure the security and integrity of your systems and to verify that the root cause of the incident has been fully stopped and removed.
Recovery
In this phase, your business must focus on restoring any compromised hosts, applications, or networks to normal operations. As part of your incident response plan, your organization should have a business continuity and disaster recovery (BCDR) plan in place that details the actions needed to rebuild infected systems, replace compromised files, reset passwords, patch systems, and secure network perimeters.
Lessons learned
A crucial (but often overlooked) part of incident response is to document, communicate, and build upon lessons learned. This phase provides an opportunity for your key stakeholders and staff to collaborate and discuss the overall experience in order to respond better to any future incidents that may occur. The threat landscape is constantly evolving, so you should also look for ways to regularly use cybersecurity research to inform your incident response capabilities.
The MSP role in incident response
As MSPs continue to play a bigger role in providing cybersecurity protection for companies, it’s important to learn how you can help improve your clients’ security through offerings and services related to incident response.
24/7 threat monitoring and response
Because cyber attacks can occur at any time, your business and its clients need rapid, continuous threat detection and response capabilities. Enter: the security operations center (SOC). A SOC is a 24/7 team of experts who proactively hunt for, triage, and respond to cyber threats in real time.
The unfortunate reality is that most organizations don’t have the resources required to build out a full internal SOC, which costs an average of $2.86 million annually to staff in house. To overcome cost as a barrier to entry, MSPs can work with a SOC provider that serves as an extension of your in-house security team — even if you are the only member. What’s more, this gives you the ability to offer your clients SOC-as-a-Service solutions that can seamlessly scale as needed.
Threat intelligence
As mentioned above, it can be incredibly beneficial to use the latest cybersecurity research to inform and enhance your incident response capabilities. Creating or working with a threat research team (also known as a threat intelligence team) can help MSPs stay on top of emerging security threats and provide best-in-class guidance to their customers. There are many options available here depending upon your industry. Consider researching an information sharing and analysis center (ISAC) or organization (ISAO) for industry-specific threat intelligence.
Because the goal of cyber threat intelligence is to benefit the information security community at large, many leading threat research teams provide their findings to the public via free, regularly updated data feeds.
Did you know?
69 percent of organizations say that their cybersecurity efforts emphasize incident response over proactive activities like threat hunting or utilizing threat intelligence.
Why You Need an Incident Response Plan and How to Create One
A step-by-step plan can diminish the stress and chaos during an incident. In this webinar, we’ll provide you with an incident response checklist and walk you through the ins and outs of this procedure.
Introducing ConnectWise Incident Response Service
Most rash business decisions are made during high stress moments. In this webinar, discover how to prevent making costly moves with the help of the ConnectWise Incident Response Service.
Speak to One of Our Incident Response Experts
The ConnectWise Incident Response Service provides real-time management, guidance, and analysis to help MSPs investigate, remediate, and recover from a severe security incident.