Watch an on-demand demo video of EDR in action
Prefer a one-on-one demo? Click here
By clicking next I consent to the use of my personal data by Cynet in accordance with Cynet's Privacy Policy and by its partners
Catastrophic security breaches start as alerts, which roll out into security incidents. If you catch an incident on time and respond to it correctly, you can save the enormous damages and clean up efforts involved in a breach. Not all breaches are preventable, but a robust, tested and repeatable incident response process will reduce damage and costs in almost all cases.
In this article:
An incident response plan is a practical procedure that security teams and other relevant employees follow when a security incident occurs. It is critical to enable a timely response to an incident, mitigating the attack while properly coordinating the effort with all affected parties.
Some organizations have a dedicated incident response team, while others have employees on standby who form an ad-hoc incident response unit when the need arises. Other organizations outsource incident response to security organizations—for example, Cynet provides a managed incident response service based on our holistic security platform.
There are two primary frameworks you can use to plan and execute an incident response process, created by NIST, a US government standards body, and SANS, a non-profit security research organization. They are summarized below:
NIST Incident Response Process | SANS Incident Response Process |
---|---|
1. Preparation | 1. Preparation |
2. Detection and Analysis | 2. Identification |
3. Containment, Eradication, and Recovery | 3. Containment |
4. Post-Incident Activity | 4. Recovery |
5. Recovery | |
6. Lessons Learned |
Read our in-depth posts on the NIST Incident Response and SANS Incident Response frameworks.
When building your incident response plan, it is much easier to start with a template, remove parts that are less relevant for your organization, and fill in your details and processes. Below are several templates you can download for free, which can give you a head start.
Created by: Cynet
Pages: 16
Main sections:
Created by: International Legal Technology Association
Pages: 5
Main sections:
Created by: Thycotic
Pages: 19
Main sections:
Get .DOC file (requires registration)
Created by: Sysnet
Pages: 11
Main sections:
Get .DOC file (requires registration)
Created by: California Government Department of Technology
Pages: 4
Contents: 17-step incident response procedure, referencing more detailed plans for specific incident types such as malware, system failure, active intrusion attempt.
Created by: I-Sight
Pages: 6
Main sections:
Get .DOC file (requires registration)
Incident response templates and procedures are crucial, but they are not enough. In most organizations there is a critical shortage of security staff. It is impossible to review all alerts, not to mention investigate and respond to all security incidents. Statistics show that the average time to identify and remediate a breach is over 100 days.
To help address this problem, the security industry is developing tools to perform automated incident response. An automated tool can detect a security condition, and automatically execute an incident response playbook that can contain and mitigate the incident. For example, upon detecting traffic from the network to an unknown external IP, an incident playbook runs, adding a security rule to the firewall and blocking the traffic until further investigation.
By supplementing manual incident response with automated playbooks, organizations can reduce the burden on security teams, and respond to many more security incidents, faster and more effectively.
Cynet provides a holistic solution for cybersecurity, including Cynet Response Orchestration, which can automate your incident response. You define automated incident response playbooks, with pre-built remediation procedures for multiple attack scenarios. When an attack scenario occurs, the relevant playbook is automatically executed. Only if there is no matching playbook, the incident is pushed to the security team for a manual response.
Cynet Response Orchestration can address any threat that involves infected endpoints, malicious processes or files, attacker-controlled network traffic, or compromised user accounts.
Learn more about Cynet Response Orchestration.