- SOAR 101
Managing cyber security risks and threats effectively is about more than having the right systems, plans, and protocols in place. It is also about the people who run those systems and make the time-critical decisions that determine how quickly an incident is contained and how much damage it does. A cyber security incident response team is the first line of defense for an organization's assets; its members are also the people who monitor those assets day to day and who keep improving the cyber security incident response plan (IRP).

No two incident response teams look exactly alike, because every organization differs in size and structure and holds different kinds of assets exposed to different kinds of threats. Team size depends on the size and complexity of the organization, and in many cases some responsibilities are contracted to third-party security consultants. The best teams build on the approach set out by the National Institute of Standards and Technology (NIST), whose Special Publication 800-61, the Computer Security Incident Handling Guide, is the reference most IRPs are measured against. Let's explore the five essential traits that teams built on that guidance have in common:
Roles and responsibilities are clearly defined. Every member of the team must know exactly what they are responsible for and how that work fits into the larger picture. Far too many preventable incidents are traced to poorly trained team members who make mistakes or fail to communicate what they have and have not done: a security device misconfigured, a system left unmonitored, data misread. Each member should therefore own one or more areas of responsibility, and know when and how to pass vital information to the rest of the team, so that protection of assets is comprehensive and continuous rather than dependent on any one person remembering to speak up.
The team works hand in hand with system administrators. Incident response teams do not work in a vacuum. They need to be in constant contact with the administrators who run the systems the security team is protecting. Administrators are responsible for the day-to-day operation of the environment, and they are also the people most likely to make the changes and tweaks that can inadvertently weaken a system's security. The security team should therefore know what administrators are doing before and as they do it, ideally by seeing change requests rather than discovering changes after the fact, and administrators should in turn know what the security team is doing. Coordination and mutual trust are what preserve the integrity and security of the systems.
The team knows what it is protecting and can reach it. An incident response team can only be effective if it knows what it is protecting and has the access needed to protect it. Systems that upper management may not consider exposed, such as the control systems found in manufacturing and other industrial settings, still need to be inventoried, monitored, and managed by the security team. And however much a department may want to restrict access to sensitive information or proprietary systems, there must be a protocol that gives the security team the access an investigation requires; the practical form is a documented break-glass or just-in-time procedure, itself logged and reviewed, rather than permanent standing privilege for one person. It is the only way to protect the organization's whole network ecosystem. Outside security consultants need the same: they cannot be effective if they must parachute into every incident with little or no working knowledge of the systems.
Every threat is taken seriously. Most threats can be contained before they cause damage or loss, but that does not mean small, routine incidents should be closed and forgotten as harmless. Some of the most damaging breaches begin as minor events that would have been easy to stop; the attackers deliberately stay below the radar for as long as possible, collecting data slowly and working deeper into the environment a little at a time. One of the best ways to keep track of the hundreds or thousands of such minor incidents is to record them and look at them in aggregate over time, so that trends and unusual patterns that merit further investigation become visible: a host whose low-severity alerts keep rising week on week, or one that accumulates several different kinds of minor alert, stands out in a way that no single ticket does. These potential risks can then be ranked and prioritized, giving a systematic approach to managing them.
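The aggregation described above, as an added example that is not code from the original post or from D3's platform: a short Python script over a constructed set of low-severity alerts (the hosts `ws-02` and `ws-17`, the alert categories, the dates and the thresholds are all invented for illustration). It buckets each host's alerts by week since the first alert, compares the most recent week against the host's own earlier weekly average, counts how many distinct kinds of minor alert the host has accumulated, and ranks hosts by the product of the two. The noisy-but-flat host scores low; the host with a slow, widening drip of different events is flagged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real telemetry): timestamp, host, alert category.
# Each alert is low severity and would be closed as routine on its own.
# Host names, categories and dates are invented for illustration.
# ws-02 is noisy but flat; ws-17 shows a slow drip of different events.
ALERTS = [
    ("2024-03-04T09:12:00", "ws-02", "failed_login"),
    ("2024-03-05T10:02:00", "ws-02", "failed_login"),
    ("2024-03-06T11:45:00", "ws-02", "failed_login"),
    ("2024-03-06T08:30:00", "ws-17", "failed_login"),
    ("2024-03-12T09:00:00", "ws-02", "failed_login"),
    ("2024-03-13T14:20:00", "ws-02", "failed_login"),
    ("2024-03-14T16:05:00", "ws-02", "failed_login"),
    ("2024-03-13T22:10:00", "ws-17", "new_scheduled_task"),
    ("2024-03-18T09:30:00", "ws-02", "failed_login"),
    ("2024-03-19T09:31:00", "ws-02", "failed_login"),
    ("2024-03-20T09:32:00", "ws-02", "failed_login"),
    ("2024-03-19T23:40:00", "ws-17", "dns_to_new_domain"),
    ("2024-03-21T01:15:00", "ws-17", "failed_login"),
    ("2024-03-25T10:00:00", "ws-02", "failed_login"),
    ("2024-03-26T10:01:00", "ws-02", "failed_login"),
    ("2024-03-27T10:02:00", "ws-02", "failed_login"),
    ("2024-03-26T02:05:00", "ws-17", "outbound_smb"),
    ("2024-03-27T02:20:00", "ws-17", "dns_to_new_domain"),
    ("2024-03-28T03:00:00", "ws-17", "new_local_admin"),
]


def aggregate(alerts):
    """Bucket alerts per host into weekly counts (weeks since the earliest
    alert) and collect the distinct categories seen on each host."""
    times = [datetime.fromisoformat(ts) for ts, _, _ in alerts]
    start, last = min(times), max(times)
    n_weeks = (last - start).days // 7 + 1
    weekly = defaultdict(lambda: [0] * n_weeks)
    categories = defaultdict(set)
    for ts, host, category in alerts:
        week = (datetime.fromisoformat(ts) - start).days // 7
        weekly[host][week] += 1
        categories[host].add(category)
    return {h: {"weekly": weekly[h], "categories": categories[h]} for h in weekly}


def score_hosts(alerts, growth_threshold=2.0, breadth_threshold=3):
    """Rank hosts by growth x breadth. growth = last week's count divided by
    the host's own earlier weekly average; breadth = number of distinct alert
    categories. A host is flagged when either exceeds its threshold (the
    thresholds are illustrative and should be tuned to local alert volume)."""
    ranked = []
    for host, data in aggregate(alerts).items():
        weekly = data["weekly"]
        recent, prior = weekly[-1], weekly[:-1]
        baseline = sum(prior) / len(prior) if prior else 0.0
        # A host with no history but alerts this week counts as pure growth.
        growth = recent / baseline if baseline else float(recent)
        breadth = len(data["categories"])
        ranked.append({
            "host": host,
            "weekly": weekly,
            "growth": round(growth, 2),
            "breadth": breadth,
            "score": round(growth * breadth, 2),
            "flagged": growth >= growth_threshold or breadth >= breadth_threshold,
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in score_hosts(ALERTS):
        mark = "INVESTIGATE" if r["flagged"] else "routine"
        print(f"{r['host']:6} weekly={r['weekly']} growth={r['growth']:.2f} "
              f"breadth={r['breadth']} score={r['score']:.2f} {mark}")
```

Run it directly to print the ranking. Growth alone would also flag a misbehaving service, and breadth alone a host with a handful of unrelated one-offs; it is the combination, sustained over several weeks, that matches the low-and-slow pattern described above, which is why the two are multiplied rather than checked in isolation.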
The team educates the rest of the organization. Many intrusions begin not with a flaw in the software but with a user being deceived: phishing and other social engineering tricks can catch anyone. The security team should therefore invest in outreach and education using a variety of strategies, from posting internal warnings to offering training on emerging threats. Password policy belongs here too, with one caveat: NIST SP 800-63B recommends forcing a reset when a password is known or suspected to be compromised rather than on a fixed schedule, so a mandatory reset is a response to an incident, not a substitute for training. One particularly effective strategy is a staged phishing campaign whose results are shared with the organization, which makes users appreciate how exposed they are; report the click rate and what the lure looked like rather than naming individuals, since public shaming discourages the self-reporting of suspicious emails that the team most wants to encourage.

A cyber security incident response team is made up of humans, and humans sometimes make imperfect decisions. That is why clearly defining the team's roles and responsibilities is so important. It is the best way to ensure that the team has a close working relationship with system administrators, is granted the access it needs to every system, takes every threat seriously, and is focused on outreach and education across the whole network ecosystem.
To learn how D3 can provide value to your organization, click on the button below to schedule a personalized demo.
Do you want to see D3 in action? Join us for a 25-minute deep-dive demo and see how our award-winning Security Orchestration, Automation, and Response (SOAR) platform helps security teams accelerate incident response, scale processes, and learn from every incident.