Organizations are more vulnerable than ever to multiple types of cyberattacks, including malware, phishing and DDoS attacks. Essentially any threat or vulnerability that can be used to destroy data or run destructive and intrusive applications, compromising the confidentiality, integrity or availability of a system on the network infrastructure, puts a company at risk.
Because of these heightened security vulnerabilities, security teams are inundated with alerts and information from a growing number of siloed point solutions. In parallel, attacks via both known and unknown vulnerabilities continuously target critical business services, IT infrastructure and users. These incidents and vulnerabilities lack business context, making it difficult to know which ones are posing the greatest threat to the organization. Furthermore, manual processes and cross-team hand-offs hinder the security team’s ability to efficiently respond to attacks or assess and remediate vulnerabilities.
Most organizations struggle to establish metrics for their security posture that they can use to establish a baseline and track performance over time. Without this data, they lack the ability to strengthen the infrastructure and improve their response. The result? Detection and response times that could potentially be measured in months and missed attacks that could lead to a serious breach or compromise.
The Importance of Threat Analysis and an Incident Response Plan
Threat analysis is a proactive way of looking for threats using internal or external threat intelligence, information mining, reverse malware analysis and testing hypotheses based on risk. As threat analysis is a data-driven process, it is critical to collect large amounts of data. The data can come from all layers of the Open Systems Interconnection (OSI) model and be collected in ServiceNow. A good place to start is logs from the three major security data domains: networks, endpoints and applications.
Threat intelligence needs to be actionable — it needs to be timely and arrive in a format that can be understood by whoever is consuming it. Otherwise, your organization will be inundated with data that the analyst won’t know how to interpret or prioritize.
It’s crucial to implement a cybersecurity incident response plan. The steps below can help get you started on creating your own cybersecurity incident response plan.
Detection and Analysis
- Analyze logs and information security events
- Identify potential information security incidents
- Categorize incidents
- Validate incident scale and consequence
- Assign consequence, severity and priority rating
- Review and confirm ratings
- Endorse ratings
Declaration and Escalation
- Based on priority, assemble the SIRT, notify the appropriate parties and escalate incidents (i.e., critical and high-priority crisis and emergency incidents)
Response & Recovery
Containment, Investigation and Forensics
- The SIRT develops the incident response plan, activates the rapid response team if required and communicates the incident to internal and external stakeholders
- Perform incident containment, investigation and root cause analysis, forensics and evidence management
- Eradicate technical vulnerabilities and incident root causes
- Recover affected information systems and business operations
Post-Incident Activities
- Document lessons learned
- Close incident
- Create incident report
- Develop and implement improvement recommendations
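The Detection and Analysis steps above (categorize, rate consequence and severity, derive priority, review and endorse, then escalate to the SIRT), worked as an added example that is not code from the post or from ServiceNow. The incident taxonomy, the rating thresholds, the priority matrix and the sample events are all assumptions made here.

```python
from dataclasses import dataclass
from enum import IntEnum

class Rating(IntEnum):
    LOW, MEDIUM, HIGH, CRITICAL = 1, 2, 3, 4

# Constructed sample events (hypothetical, not real telemetry): hosts = scale, sensitive_data = data at risk.
SAMPLE_EVENTS = [
    {"id": "E1", "domain": "endpoint", "signature": "ransomware_note", "hosts": 40, "sensitive_data": True},
    {"id": "E2", "domain": "network", "signature": "port_scan", "hosts": 1, "sensitive_data": False},
    {"id": "E3", "domain": "application", "signature": "bruteforce_login", "hosts": 1, "sensitive_data": True},
]
# Assumed incident taxonomy: detection signature -> incident category.
CATEGORY = {"ransomware_note": "malware", "port_scan": "reconnaissance", "bruteforce_login": "unauthorized_access"}

@dataclass
class Incident:
    event_id: str
    category: str
    consequence: Rating  # business impact if the incident is real
    severity: Rating  # technical scale of what was observed
    priority: Rating  # drives escalation; a reviewer may adjust it
    endorsed: bool = False

def rate_priority(consequence, severity):
    """Priority matrix (assumed): the higher rating, stepped down one level when the other is LOW."""
    top, low = max(consequence, severity), min(consequence, severity)
    return Rating(max(top - 1, Rating.LOW)) if low == Rating.LOW and top > Rating.LOW else top

def triage(event):
    """Categorize the event, rate consequence and severity, then derive the priority rating."""
    category = CATEGORY.get(event["signature"], "uncategorized")
    # Assumed rule: sensitive data at risk is HIGH, CRITICAL when malware can destroy it.
    consequence = Rating.LOW if not event["sensitive_data"] else Rating.CRITICAL if category == "malware" else Rating.HIGH
    # Assumed thresholds: severity follows how many systems the event touches.
    h = event["hosts"]
    severity = Rating.CRITICAL if h >= 20 else Rating.HIGH if h >= 5 else Rating.MEDIUM if h > 1 else Rating.LOW
    return Incident(event["id"], category, consequence, severity, rate_priority(consequence, severity))

def endorse(incident, reviewer_priority=None):
    """Review and confirm: the reviewer may override the priority before endorsing the ratings."""
    if reviewer_priority is not None:
        incident.priority = reviewer_priority
    incident.endorsed = True
    return incident

def sirt_escalations(incidents):
    """Declaration and escalation: only endorsed HIGH or CRITICAL incidents assemble the SIRT."""
    return [i.event_id for i in incidents if i.endorsed and i.priority >= Rating.HIGH]
```

Unendorsed incidents never reach the SIRT, so the review step is a gate rather than a formality; a reviewer raising the single-host credential attack to HIGH is what puts it on the escalation list.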
Cybersecurity threats and vulnerabilities are increasing all over the world, and organizations are re-prioritizing and scaling their security posture and paying more attention to detail. Security incidents are difficult to manage, especially at the beginning of an incident. As with any organization, the more you plan, exercise and investigate your response, the more efficient and effective it will become.
With the increasing possibility of a cybersecurity breach looming, having a remediation plan ready ahead of time allows an organization to analyze and remediate any threat, vulnerability or breach to minimize potential damage and ensure the security incident response and remediation is rapid and effective.
To learn more about the benefits of using ServiceNow to prioritize and resolve security incidents and vulnerabilities faster, read the Forrester Total Economic Impact Study of ServiceNow Security Operations, and check out the Covestic eBook, Cybersecurity Best Practice Guide to Effective Communication and Collaboration to Prepare for a Security Breach.
About the Author
Chris Williams, Security Solution Architect, Security Operations, Covestic
With more than 20 years of applied expertise in Security Operations, IT Operations, Product Development and Support, Chris assesses, designs and deploys ServiceNow platform elements to meet client requirements in his role as Security Solutions Architect. He has extensive experience working on high-profile public sector security operation deployments. He maintains a number of professional certifications and specializes in system security, system integration, technical architecture, testing and evaluation, system and network administration and design.