Incident response (IR) is one of the key components of a strong cyber security program, but it does not work well when fragmented and disjointed. This is especially true in emerging remote and hybrid work environments, where security teams must track many more endpoint devices and deal with much greater complexities and threats than in the past.
Modern cybersecurity typically involves coordination among many different components, including processes, policies, tools, services, and people. Incident response must follow that same approach to effectively prevent or defend against compromises that may happen across the enterprise.
For that to happen, integration among the various IR components is vital. There can be no silos among different solutions and data sources when interaction and information sharing is necessary for good security.
A few examples:
Proper programming of alerts
A perimeter defense solution such as a firewall must be programmed to alert a forensic response system that something is happening and where it is happening, so that the IR team and tools can respond to the event appropriately.
The human element
There is also an important human element with integration. People who are working in a siloed IR environment and can’t get access to all the information they need are bound to experience stress. They must deal with the constant possibility of missing signals that could indicate a breach. At a time when many organizations face a growing skills gap in cybersecurity, alienating their existing staffs is not a good idea.
Automated orchestration
Exterro continues to work toward creating better integration. For example, in May 2022 the company announced the release of its upgraded FTK Connect digital forensic tool, adding powerful new automation, orchestration and integration capabilities to its platform.
FTK Connect automation enables organizations to streamline their IR or breach investigations, and law enforcement and public sector entities to accelerate forensic evidence processing and review in criminal cases.
If organizations’ forensic tools are not directly integrated with their cyber intrusion tools, they risk being unable to preserve the evidence needed to remediate attacks. FTK Connect supports IR requirements by combining new automation capabilities with Exterro’s FTK solutions in performing forensic investigations, IR workflows, and securing corporate assets.
The solution allows security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms to be automatically integrated with FTK forensic products, to instantly preserve evidence upon detection of an intrusion.
The stakes are high today for IR teams to perform at a high level and work quickly. The longer a breach is active within an organization, the greater the risk that the organization will suffer loss of data to attackers. That in turn can lead to significant financial losses, regulatory fines, damage to brand reputation and other ill effects.
Ties to CISA guidance
As noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) -- which in late 2021 released the Federal Cybersecurity Incident and Vulnerability Response Playbooks aimed at providing federal civilian agencies with a set of procedures to respond to vulnerabilities and incidents -- even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen.
“When computer security incidents occur, it is critical for an organization to have an effective means to manage and respond to them,” CISA said. “The speed with which an organization can recognize, analyze, prevent, and respond to an incident will limit the damage done and lower the cost of recovery.”
Effective integration will certainly help enable a quicker response to incidents.