Authored by Sunil Sharma, Managing Director, Sales, India & SAARC, Sophos
It’s Friday night and you’re looking forward to a relaxing weekend. You’re just getting ready for bed and that luxurious Saturday morning sleep in when your mobile phone pings. It’s a frantic message from your IT manager – your company has been hit with a ransomware attack. There is more at stake now than a wrecked weekend and the decisions you take in the seconds, minutes and hours immediately following the attack will have long-term operational and regulatory effects that can impact your bottom line and business reputation.
When you consider that, according to the Sophos State of Ransomware in 2021 report, 78% of Indian organizations were hit by ransomware in 2021, being hit by a cyberattack is not a case of if but when.
As cyberattacks are becoming more common and evolved in their complexity, many enterprises are leveraging cybersecurity as a service (CSaaS) – a security model where outsourced specialists provide on-demand security solutions. By leveraging such services, organisations can ensure 24/7 threat hunting, detection and response capabilities through managed detection and response (MDR), which is a key feature of CSaaS.
However, MDR is only a part of the solution. To fully benefit from CSaaS models, organisations need to have a detailed incident response plan in place. With the help of MDR and holistic response planning, organisations can build a complete security operation that protects them against ever-intensifying threats.
MDR: The Cornerstone of Incident Response Planning
Many active attacks tend to become overwhelming very quickly. In a stressful situation it can be difficult to calmly manage vendors, stakeholders, and deployment tools effectively. Adding to the mayhem, not having an incident response plan makes it challenging for leaders to understand the severity of an attack and align their roles and responsibilities throughout the remediation process.
On the other hand, having a proactive response plan allows internal teams to examine various response protocols with the help of rigorous mock situations and tabletop exercises. Further, it also helps organisations to strengthen their responses throughout the plan’s development lifecycle and to identify issues with existing processes.
At the same time, setting up proactive systems allows stakeholders to build internal alignment and plan the integration of outsourced MDR. MDR, which is powered by human-led threat hunting at scale, helps keep the organisation safe from incidents. Even in the worst-case scenario, if an incident does take place, MDR helps reduce its negative impact.
Throughout the entire incident process, from initial threat detection, containment, and neutralisation to the removal of adversaries from the network, internal stakeholders, MSPs, and MDR partners must collaborate to weigh business implications and then determine their next steps. This is why a holistic incident response plan is so important to ensure that every stakeholder understands their role in the remediation process.
To achieve robust internal alignment and streamlined collaboration, here are five key steps to developing a thorough response plan:
1) Stay agile – It is important to keep in mind that some components of incident response plans will require a flexible approach. Even with a solid plan in place, organisations need to be able to adapt to new threat evolutions and to modify their incident response plan accordingly.
2) Prioritize cross-team collaboration – All areas of an organisation are affected by a cyberattack. Therefore, it is important to ensure all teams – including finance, legal, marketing, PR and IT – are involved in the decision-making process and risk assessment.
3) Maintain good IT environment hygiene – A robust IT environment reduces the risk of incidents occurring. Hence, it is important to regularly review security controls so that unpatched vulnerabilities and exposures, such as open remote desktop protocol (RDP) ports, are found and resolved.
4) Keep a hard copy of incident response plans – Ensure you have a physical copy of your incident response plan on hand. If a company is ever attacked, digital copies of the strategy may be among the files encrypted.
5) Leverage MDR specialists with incident response experience – Even the most experienced internal security team can benefit from an MDR operations team with extensive industry knowledge and experience dealing with active attacks. These service providers are well educated about the specific threats that are lurking and know how to respond quickly and efficiently.
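As an added illustration of the hygiene check in step 3, the following Python script is not Sophos code and is not part of the original article. It audits a constructed inbound firewall-rule inventory and flags every RDP rule (TCP or UDP 3389) whose allowed source network is not one of the organisation's internal ranges, ranking a rule open to any address above one open to a specific external range. The rule fields (host, proto, port, source) and the list of internal ranges are assumptions about what such an export would contain.

```python
"""Audit an inbound firewall-rule inventory for internet-exposed RDP.

Added example, not Sophos code. The rule records and the internal address
ranges below are constructed sample data; real environments would load both
from the firewall export and the IP address management system.
"""
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389

# Assumed internal ranges (constructed). Anything outside these is treated
# as reachable from the internet for the purpose of this audit.
INTERNAL_NETS = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Rule:
    host: str    # system the inbound rule applies to (assumed field name)
    proto: str   # "tcp" or "udp"
    port: int    # destination port
    source: str  # CIDR allowed to connect


# Constructed sample inventory: hostnames and ranges are illustrative only.
SAMPLE_RULES = [
    Rule("fileserver-01", "tcp", 3389, "0.0.0.0/0"),       # RDP open to the world
    Rule("jumphost-01", "tcp", 3389, "10.20.0.0/16"),      # RDP limited to an internal range
    Rule("web-01", "tcp", 443, "0.0.0.0/0"),               # HTTPS, expected to be public
    Rule("backup-02", "tcp", 3389, "198.51.100.0/24"),     # RDP from one external range
    Rule("db-01", "udp", 3389, "0.0.0.0/0"),               # RDP UDP transport open to the world
]


def is_internal_source(cidr: str) -> bool:
    """True when the allowed source network lies entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(
        net.subnet_of(internal)
        for internal in INTERNAL_NETS
        if internal.version == net.version  # subnet_of rejects mixed IPv4/IPv6
    )


def find_exposed_rdp(rules):
    """Return RDP rules reachable from outside the internal ranges.

    Severity is "critical" for a source of any address (prefix length 0) and
    "high" for any other non-internal source. Critical findings sort first,
    then findings are ordered by host name for a stable report.
    """
    findings = []
    for rule in rules:
        if rule.port != RDP_PORT or is_internal_source(rule.source):
            continue
        prefixlen = ipaddress.ip_network(rule.source, strict=False).prefixlen
        findings.append(
            {
                "host": rule.host,
                "proto": rule.proto,
                "source": rule.source,
                "severity": "critical" if prefixlen == 0 else "high",
            }
        )
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["host"]))


def format_report(findings) -> str:
    """Render findings as one line per exposed rule, or a clean message if none."""
    if not findings:
        return "No RDP rules exposed outside internal ranges."
    lines = [
        f"[{f['severity'].upper()}] {f['host']}: {f['proto']}/{RDP_PORT} allowed from {f['source']}"
        for f in findings
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_exposed_rdp(SAMPLE_RULES)))
```

Running the script over the sample inventory reports db-01 and fileserver-01 as critical and backup-02 as high, while the internally scoped jump host and the public HTTPS rule are not flagged. Replacing the sample list with a parsed firewall export turns the same logic into a recurring control check.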