How an Incident Response Platform Works

Cybercrime is a global problem that has been dominating the news cycle. It poses a threat to individual security and an even bigger threat to large international companies, banks, and governments. Today's organized cybercrime far overshadows the lone hackers of the past. Large organized crime rings now function like startups and often employ highly trained developers who are constantly innovating online attacks.

Most companies have preventive security software to stop these types of attacks, but no matter how secure we are, cybercrime is going to happen.

Meet Mia. She’s the chief security officer for a company that makes a mobile app to help customers track and manage their finances, so security is a top priority. Mia’s company has a cloud incident response platform in place that automates the entire cybersecurity process. The IRP software integrates all the security and IT software needed to keep a large company like Mia’s secured into a single dashboard and acts as a hub for the people, processes, and technology needed to respond to and contain cyber attacks.

Let's see how this platform works in the case of a security breach. While Mia is on vacation, irregular activity occurs on her account. A user behavior analytics engine that monitors account activity recognizes the suspicious behavior: late-night logins and an unusual amount of data being downloaded. This piece of software is the first signal that something is wrong. An alert is sent to the next piece of software in the chain, the security information and event management (SIEM) system. Now the IRP can orchestrate a chain of events that ultimately prevents the company from encountering a serious security disaster. The IRP connects to the user directory software that Mia's company uses, which immediately recognizes that the user account belongs to an executive who is on vacation. Next, the IRP sends the incident's IP address to a threat intelligence service, which identifies the address as a suspected malware server. As each piece of security software runs, its findings are recorded in the IRP incident, which is already assembling a set of instructions, called a playbook, for a security analyst to follow. The analyst then locks Mia's account and changes her passwords.
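The enrichment chain described above, as an added example that is not the platform's own code: a constructed alert is passed through a user-directory lookup and a threat-intelligence lookup, each result is recorded on the incident, and the recorded findings drive the playbook steps. The user name, the lookup tables and the IP address (from the reserved TEST-NET-3 range) are all constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed lookup tables standing in for the user directory and the
# threat-intelligence feed the IRP would query (hypothetical sample data).
USER_DIRECTORY = {"mia": {"role": "executive", "status": "on_vacation"}}
THREAT_INTEL = {"203.0.113.45": "suspected malware server"}

@dataclass
class Incident:
    user: str
    source_ip: str
    signals: List[str]                      # what the UBA engine observed
    findings: List[str] = field(default_factory=list)   # per-tool results
    playbook: List[str] = field(default_factory=list)   # analyst tasks

def enrich_with_directory(inc: Incident) -> None:
    """Record who owns the account; an absent owner is a locking trigger."""
    entry = USER_DIRECTORY.get(inc.user)
    if entry is None:
        inc.findings.append(f"directory: unknown user {inc.user}")
        return
    inc.findings.append(
        f"directory: {inc.user} is an {entry['role']} currently {entry['status']}")
    if entry["status"] == "on_vacation":
        inc.playbook.append(f"Lock account {inc.user} and reset credentials")

def enrich_with_threat_intel(inc: Incident) -> None:
    """Record the feed's verdict on the source address and act on a hit."""
    verdict = THREAT_INTEL.get(inc.source_ip)
    if verdict is None:
        inc.findings.append(f"threat-intel: no record for {inc.source_ip}")
        return
    inc.findings.append(f"threat-intel: {inc.source_ip} is a {verdict}")
    inc.playbook.append(f"Block {inc.source_ip} and search logs for other hits")

def triage(user: str, source_ip: str, signals: List[str]) -> Incident:
    """Run the tools in the order the text describes and build the playbook."""
    inc = Incident(user, source_ip, list(signals))
    inc.findings.append("uba: " + "; ".join(signals))
    enrich_with_directory(inc)
    enrich_with_threat_intel(inc)
    if inc.playbook:   # only a real incident needs legal notification
        inc.playbook.append("Notify legal and record incident status")
    return inc

if __name__ == "__main__":
    inc = triage("mia", "203.0.113.45",
                 ["late-night logins", "unusual download volume"])
    print("\n".join(inc.findings + inc.playbook))
```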

By this time, the software has determined that the attempted attack came from a well-known cybercrime organization using stolen credentials. Mia's credentials were stolen when the hackers found a vulnerability in her company's firewall software and used it to upload a malware-infected file.

Now that we know how the attack happened, the analyst uses the IRP to identify the specific server vulnerability that allowed the attack, which other machines on the network are vulnerable, and the malware file. The IRP uses information from the endpoint tool to determine which machines need to be patched, recommends how to patch them, and then allows the analyst to push the patches to all the computers and mobile devices at once.

Meanwhile, Mia has to alert the legal department of the breach. The IRP instantly notifies the correct person of the situation and the status of the incident.

After the attack is contained and Mia’s account is secured, the analyst communicates which data may have been stolen or compromised during the incident. He identifies which geographies, jurisdictions, and regulatory agencies cover the users and information affected by the attack. Then the IRP creates a series of tasks so the organization can notify the affected parties and follow all relevant compliance and liability procedures.

In the past, a security breach this large would have required Mia's company to involve several agencies and third parties to solve the problem, a process that could have taken months or longer. In a matter of hours, the incident response platform organized all of the people, processes, and technology needed to identify and contain the problem, find the source of the attack, fix the vulnerability, and notify all affected parties.

In the future, Mia and her team will be able to turn to cognitive security tools. These tools will read and learn from tens of thousands of trusted publications, blogs, and other sources of information. This knowledge will uncover new insights and patterns; anticipate, isolate, and minimize attacks as they happen; and immediately recommend actions for security professionals to take, keeping data safe and companies like Mia's out of the headlines.
