Intelligent CIO Europe Issue 52 | Page 61

CASE STUDY

technology, but that is definitely not working. We need to believe that the attackers know the technology as we do and so their goal is to fool the technology. By executing good attacks fooling the technology, if there is no brain behind an attack from an investigative perspective, they can basically stay under the target and the victim for months. So, while technology is extremely important to support the investigative activities and the monitoring of daily activities, there is also the need for the human capability to really understand what's going on and to react accordingly.
What are the key questions organisations should consider ahead of developing/implementing an incident response programme?

Again, visibility is key. Ensuring we can investigate every single area of the company is paramount. Other than that, preparation. You need to run drills every so often to decipher whether your people and your technologies are properly responding to an incident. Above that, a number of procedures shall be planted and shaped accordingly, but also properly prepared and tailored to answer the typical questions of the operators inside the company. 'How and when should I engage when I notice something is wrong? How and when do I need to react to a situation that is anomalous?' These are the questions that should be considered during the preparation and organisation of the incident response practice inside a company.

Why is a holistic security programme crucial for targeted attack defence – and how can organisations best achieve this?

The plan is to properly define what types of attackers can target you because while there are some common companies and individuals, there are other types of threats that are targeting specific segments of the market. So when you are building your cyber incident capabilities and deciding where to drive your capabilities inside your investigative spectrum, you need to consider these factors. It is important that everything is shaped and timely integrated according to the plan, and the plan should consider the risk related to the market segments that the company is operating in.

Can you highlight any specific examples of how you've worked with clients across the region and the benefits realised?

There are two potential examples to bring to the table. Let's say one company engages with us before an incident and we are immediately able to track the attacker and block the execution of the ransomware before it causes harm. Another example is where the company hired us once the ransomware was already running. So, in the second case, while we were supportive in identifying the way the attacker went in and the way the attacker moved laterally to deploy this type of ransomware, the damage was already done. So in that case, we supported the company in rebuilding the situation, offering an explanation about when and how they got in so that we minimise future risk. But part of the damage was already done and it was simply down to a lack of visibility. The company wasn't aware of what was going on until the ransomware was detonated. Our advice was to prepare beforehand. Again, integrating technologies and ensuring visibility is the main way to drive a situation like this in the right direction.

What is your best practice advice for organisations keen to implement an effective incident response programme?

The main thing, again, is to ensure visibility. I continue to say this because it's really important. Also, have a proper procedure in place to enable the visibility and to squeeze the best out of the technology simply by mimicking attacker behaviour.

But I don't want to give advice that is purely based on technology. The human factor is still important for driving the investigation and the reaction in a strategic way.
Liam Burman, Account Executive at RSA NetWitness, tells us how he is on hand to support customers at every step of their journey.

"My role as part of the UK & I team – as cheesy as it sounds – is to ensure client success, which translates to being better positioned to protect its data and employees from cyberthreats leveraging our people, or our evolved monitoring capabilities.

"Increasingly, attacks are being deployed indiscriminately using the same level of sophistication as sustained, concerted and targeted offensives. Adopting appropriate protection to all institutions (irrespective of size) will be a significant focus – both to the individuals but also to businesses at the pinnacle as they look to protect themselves from its supply chain.

"With the emergence of XDR, NetWitness has never been better positioned to support smaller entities with the same technology that has protected large, complex, global organisations and governments for the past 25 years," said Burman.
www.intelligentcio.com INTELLIGENTCIO EUROPE 61