Incident response (IR), like pretty much every other aspect of cyber security, needs to be adapted for the emerging remote and hybrid work models. This might involve a lot of work on the part of security teams and others, but it’s well worth the effort in terms of safeguarding valuable data resources in this new environment.
Here are 10 recommendations to help security leaders and teams reboot their IR processes, as covered in the recent SC Media eBook, Incident Response for a Remote World:
1. Work with colleagues in infrastructure and operations to gain a better understanding of where critical business data is located, what protections are in place for the data, and who has access to it. Teams should have playbooks available for the most common breach scenarios, and they should test those scenarios frequently through technical and executive tabletop exercises. Some security executives run these exercises on a quarterly basis at the technical level and twice a year with other senior executives.
2. Ensure endpoint devices are properly managed before granting them access to data. This is especially important given the widespread use of employee-owned devices to access company networks and data.
Monitor endpoint detection and response, authentication, and data access at the endpoint as well as cloud services. The security operations center should be capable of ingesting and correlating data to quickly alert the security team of any potentially malicious activity.
3. Implement tools and services that offer effective IR in a remote environment. Solutions are available that enable security teams to respond to incidents without the need for direct network connectivity.
They accomplish this by placing agents on client devices, so when an incident occurs the security team can connect with a particular device over the Internet and remediate the incident remotely. If a device is connected to the Internet, teams can perform IR using tools. This is particularly important because users might not have VPNs turned on while they’re working from home. These types of tools collect data from remote devices, eliminating the need to ship devices to the security team for analysis and fixes.
4. Enhance endpoint monitoring and control. Without the ability to use traditional on-premises network security controls for remote devices, IR
teams need more visibility into and control over end-user endpoints. Many security teams struggle to maintain visibility into increasingly complex and distributed IT environments. That’s because so much of an organization’s infrastructure is unknown or undiscovered due to cloud migration, shadow IT, third-party/supply chain activity and other factors. Cloud-based endpoint detection and response software and user behavioral analytics agents are vital for IR teams with large remote workforces.
5. Make it simpler for remote end users to report suspicious activities to the security team. Having users be proactive in the security effort is more important than because so many people are working off network rather than being connected to a trusted enterprise network. They can leverage technologies such as near real-time reporting mechanisms including chat interfaces to communicate with security operations teams.
6. Understand how the attack surface has grown and extend IR programs accordingly. Security organizations need to assess the changes in their threat landscapes and adjust their cyber security controls as needed, to address new or growing areas of risk.
7. Excel at communications, which is vital for effective IR in a remote environment. Communications must be addressed differently in a remote/hybrid work environment compared with a work model where most employees are in central offices. With some people working in various locations depending on the day of the week, ensuring that alerts and updates go out to the IR team and all other employees can be difficult—but necessary.
8. Focus on automation and education, which are key facets for securing organizations in hybrid/remote work environments. The shifting threat landscape is driving higher volumes of incidents, and because IR teams are not growing as quickly, teams need to automate responses wherever possible—as well as offer training programs for IT teams. Organizations should consider investing in security orchestration and automated response technology.
9. Include incident detection, response, and mitigation in these automation efforts. In many cases, organizations need these capabilities, especially given the shortage of cyber security skills. Indeed, the increased need for automation is a consequence of the skills gap.
10. Train employees to recognize and report suspicious activities. This includes educating remote workers about best practices for operating devices and networks, and how to look out for certain activities and avoid becoming victims of malware and phishing attacks. Effective training programs can help organizations build more proactive cyber security approaches, by keeping a step ahead of the bad actors.