Please configure

A stitch in time: Will your security incident plan save nine?

We’ve heard the names and read the stories1 – local banks, health providers, government agencies, logistics firms, and even cyber-security firms2 themselves, crippled and exposed by a tsunami of increasingly sophisticated cyber-attacks. In the year to last June, New Zealand’s National Cyber Security Centre3 recorded more than 350 incidents. Nearly a third of them involved indicators linked to state-sponsored computer network exploitation groups.

The problem will only get bigger. Data published by US-based global vulnerability intelligence firm Risk Based Security4 revealed that the number of records exposed in the US, alone, increased to a whopping 36 billion in 2020. Q3 recorded an additional 8.3 billion records to what was already the “worst year on record”.

The threat is clear; preparation – not so much

CIOs know what’s coming and they’re moving to stiffen their defences. IDC's recent survey of IT decision makers in the Asia/Pacific Enterprise IT and Business Services Sourcing Survey5 showed that 81% of New Zealand organisations are making further investment in managed security service providers to enhance their security.

That’s the kind of news everybody with a bank account and online health records likes to hear. But are too many organisations in this part of the world upping their security game from a position behind the eight ball? A survey conducted by the Government Communications Security Bureau (GCSB)6 showed that despite 73% of organisations increasing spending on cyber-security over the past, investment failed to translate into greater confidence in their cyber-security resilience.

What’s more, only 33% of organisations had fully identified their critical information assets and 52% reported that they had insufficient numbers of skilled staff to satisfy their perceived security requirements. A global survey7 published by IT service management giant OTRS Group revealed a similar theme, with only 42% of companies believing they were acceptably prepared for a security incident, with fewer than three in five (56%) feeling optimally prepared.

So much for planning.

Zero-trust models toughen defences, but they don’t provide all the answers

As companies recognise the inherent frailties of the castle-and-moat approach to IT security, zero-trust models are seen as the best answer to stop cyberattacks, especially the lateral movement of threats8 inside their networks.

However, as much as zero-trust architectures provide the visibility and IT controls to manage devices, users, apps, and access, they don’t provide all the answers.
Organisations must also understand how well their security performs against advanced attacks and, more broadly, how their business continuity and incident response plans stack up in the face of evolving threats.

And when the proverbial hits the fan, IT managers must be able to push a ‘panic button’ that sets in motion a planned sequence of events to isolate impacted devices and systems to contain and remediate cyber-attacks.

What’s the plan?

People are regarded as the weakest link in the security chain, with hackers preying on psychological flaws to open the doors to corporate data.

Training and education that encourages employees to embrace the idea that they are gatekeepers for corporate information is a good place to start.

But that still leaves the more troubling task of managing a coordinated response to security incidents.

Incident response plans provide a structure for incident responders, typically based on standards and recommendations provided by either The National Institute of Standards and Technology (NIST9) or SANS.10

The New Zealand government also provides an incident response framework11 covering similar bases.

Broad steps involve:

  • Preparation: identify critical assets, define types of security events, and create incident response steps
  • Identification and analysis: monitor IT systems, detect anomalies, precursors, and signs of impending attack to establish type and severity
  • Containment and eradication: immediately contain threats to slow spread. Longer-term containment should cover temporary fixes and rebuilding clean systems to recover normal operations
  • Post-incident recovery: conduct a retrospective to evaluate containment efforts and adjust incident response plans and procedures

More than simply boosting preparedness, a comprehensive incident response plan establishes repeatable process for future incidents, exposes gaps in security processes and tooling, preserves know-how and best practices, and produces clear documentation to reduce liability and demonstrate compliance.

Choose your weapon

Data collected from the likes of gateways, servers, applications, endpoints, and other elements of the broader IT network provide threat intelligence to steer an organisation’s incident response.

Successive generations of products play an increasing role in aggregating and analysing security events to put teams on the front foot and their plans into action.

These technologies fall into three broad categories: security information and event management (SIEM), security orchestration and response (SOAR), and extended detection and response (XDR) products.

See the broad functionality and pros and cons of each product category

A stitch in time

Few organisations aren’t fretting about security.

However, more than a few have significant gaps to close before they can trust their security model to keep pace with today’s sophisticated threats.

Building an incident response plan is a critical part of your overall security posture.

More than providing an orchestrated approach to cope with the unthinkable, incident planning encourages critical assessment to identify where money should be spent – and potential return on investment.

A stitch in time saves nine, you might say.

Spark’s cybersecurity practice is in the thick of the action, combining industry-beating technical capability and best-practise incident planning, response, and management to keep clients and their customers productive and safe.

Try our Virtual Security Manager service to build a plan to continuously improve your security posture. Learn how Spark’s Cyber Security Practice can help your business get on the front foot and ahead of cyber-criminals. Find out more about Managed Security

Contact us now and one of our experts will call you back

Please configure