The report, Practical Requirements for Responding to Cyberthreats with MDR, addressed one of the biggest questions facing companies of all sizes: “What is a cybersecurity automated incident response plan, and do you need one?”

Some surprising facts around cybersecurity and businesses’ ability to effectively plan a successful strategy include: 

  • 50% of midsize/large organizations expect a data security breach this year 
  • 52% have already seen an increase in security incidents since the start of the global pandemic 
  • 57% believe they do not have the staff to properly respond to cybersecurity incidents 24/7 

Despite these surprising facts, only one-third see improving cybersecurity response as a strategic priority. How do we reconcile these conflicting statistics? No organization, of any size, can afford to delay planning for preventing and responding to cyber threats. The blunt reality is that you must either be ready to respond quickly, so that an incident's impact is minimized when it occurs, or be left containing the damage to your systems, information, and reputation after the fact.

With skilled IT talent in short supply, filling the knowledge gap won’t happen by simply hiring talent. You will need to allow months of training by experts before your team is fully functional. For mid-sized organizations, having your own security operations center (SOC) is also rare and expensive. Threat actors know this, which is why cybersecurity incidents and attacks frequently happen at night, on weekends, and during holidays, causing damage for days without anyone noticing.

If you are like most organizations, you may also feel unprepared for the inevitable — a devastating breach. Improving your strategic incident response plan and automating security tasks should be your top security objective because speed is of the essence. Having a plan and being prepared for security responses is one of the most cost-effective measures your enterprise can take. 

What Is Automated Incident Response?

To combat cybersecurity incidents, rapid response is crucial, and it requires threat detection and response providers to be flexible and agile enough to meet the unique needs and requirements of each organization. An automated incident response program can provide this rapid response and, in doing so, free up the time and resources of already overburdened IT teams. By utilizing artificial intelligence and machine learning, automated incident response programs handle low-level, low-risk tasks, such as searching for malware, scanning traffic logs, and triaging security alerts, leaving your human analysts free to focus on high-level security issues.

Strategic Approach to Automated Response Maturity 

When creating an automated incident response plan, it’s important to set expectations that an initiative as critical as this will not happen overnight. The best approach is to think strategically about what is most important and will have the biggest impact if implemented first. Proceeding with a phased approach will get you up to speed with the quickest return by targeting the highest-value assets first.  

Automating responses should play an important part in your phased plan. However, it is not a silver bullet, nor is it necessary to automate everything. For each candidate task, first ask what actually lies underneath it and whether it really needs to be automated. By targeting the elements that most require automation and defining the outcomes you want from them, you can better plan a rapid response for your most critical assets.

To make it easier, group assets based on risk factors such as: 

  • Mission critical 
  • Internet facing 
  • Testing and development 
  • Cloud 

After grouping assets and ordering from most important to least, focus on your phased plan approach based on a set strategy that aligns with your organization’s goals. Keeping flexibility in your plan can also aid in pivoting as needed over time as your priorities and capabilities change.

3 Phases of Planning 

Strategic incident response can take three forms, depending on your needs, staffing, and capabilities: 

  • Manual  
  • Fully automated 
  • Human-guided automation 

Many organizations incorrectly believe that the goal of effective incident planning is fully automated response, and then abandon that objective when they realize how difficult it is to achieve. Yes, your response capabilities should enable a systematic adoption of automation as a vital key to rapid response. However, it is not an all-or-nothing endeavor. The best response is most likely a blend of approaches.

[Figure: chart of response time and volume from manual through fully automated incident response]

Figure 1. Each response approach ranks differently for speed and efficiency.

How do you then decide which approach is best for your organization?  

Manual response

  • Human intervention and action for all incidents 
  • For unknown or complex threats that require a methodical approach 
  • Resource intensive and difficult to scale 

Fully automated

  • No human intervention 
  • Effective for highly repetitive, time-intensive tasks and non-critical systems with well documented responses 
  • Provides fastest response  

Human-guided automated response

  • IT/security staff approve all actions to respond to threats 
  • Allows IT/security teams to become more comfortable with automation for rapid and efficient response  
  • Even fully automated incident responses, especially regarding critical assets, can require expertise, intuition, and decision-making abilities only a human possesses 
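The following is an added example, not code from the post or from Alert Logic, that turns the three approaches above and the asset groups listed earlier into a routing rule: alerts without a documented playbook go to manual handling, documented responses on critical assets wait for staff approval, and repetitive, documented responses on non-critical assets run unattended. The asset criticality order, the playbook catalogue, and the alert fields are assumptions constructed for illustration.

```python
"""Route an alert to manual, human-guided, or fully automated response.

Added example for the three response approaches described in the post.
The criticality ranking of the post's asset groups, the playbook catalogue,
and the Alert fields are constructed assumptions, not Alert Logic's design.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    MANUAL = "manual"                    # analyst handles the whole incident
    HUMAN_GUIDED = "human-guided"        # automation proposes, staff approve
    FULLY_AUTOMATED = "fully-automated"  # no human in the loop


# The post's asset groups, ranked most to least critical (assumed order).
CRITICALITY = {"mission-critical": 3, "internet-facing": 2, "cloud": 1, "testing-dev": 0}

# Constructed catalogue: detections that have a well-documented response.
PLAYBOOKS = {
    "known-malware-hash": "isolate_host_and_quarantine_file",
    "brute-force-login": "lock_account_and_block_source",
}


@dataclass
class Alert:
    detection: str
    asset_group: str
    repeated: bool = False  # seen many times before: repetitive, low-risk work


@dataclass
class Decision:
    mode: Mode
    action: Optional[str]
    reason: str


def route(alert: Alert) -> Decision:
    """Apply the post's criteria: manual for unknown threats, approval for
    critical assets, unattended only for repetitive, documented, non-critical cases."""
    playbook = PLAYBOOKS.get(alert.detection)
    if playbook is None:
        return Decision(Mode.MANUAL, None, "no documented playbook; needs methodical analysis")
    if CRITICALITY[alert.asset_group] >= 2:
        return Decision(Mode.HUMAN_GUIDED, playbook, "critical asset; staff must approve")
    if alert.repeated:
        return Decision(Mode.FULLY_AUTOMATED, playbook, "repetitive, documented, non-critical")
    return Decision(Mode.HUMAN_GUIDED, playbook, "first occurrence; approve before acting")


def dispatch(decision: Decision, approved: bool = False) -> Optional[str]:
    """Return the action to run now, or None if a human must act or approve first."""
    if decision.mode is Mode.FULLY_AUTOMATED:
        return decision.action
    if decision.mode is Mode.HUMAN_GUIDED and approved:
        return decision.action
    return None
```

Tracking which `reason` fires most often over time shows where a documented playbook or a human-guided trial run would let you move more work toward unattended automation.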

Increased Response Maturity Benefits 

The impact and benefits of rapid and efficient strategic response cannot be overstated: 

  • Free up resources to address other IT and security challenges 
  • Higher efficiency and scale  
  • Reduced operational costs 
  • Lower risks through improved security posture 
  • Retained customer trust 

While it may be tempting for some organizations to build their own threat detection and response capabilities and SOCs, most will find that developing these capabilities and staffing for 24/7 operations is a significant, time-consuming, and costly challenge. Partnering with a managed detection and response (MDR) provider like Fortra’s Alert Logic can enable you to quickly realize these outcomes and achieve security at scale across an increasingly diverse IT ecosystem with the most robust MDR solutions in the industry. And with Alert Logic Intelligent Response, your organization will have a flexible, scalable and integrated approach to protect your entire IT estate.

About the Author
Fortra's Alert Logic
