Assessing Risk Tolerance Level
The unavoidable first step in building a resilient incident response plan is to answer two questions:
- What threats are your organization likely to encounter?
- What level of impact would a particular attack have on your organization if it occurs?
Threat Awareness and Detection Training
Employees are the first line of attack. It is impossible to build an effective response plan if workers cannot recognize threats. Even where threat mitigation requires the IT team, every employee should be able to detect threats and know enough not to inadvertently expose the company to them. Millennials make up most of the workforce in the United States. They are digital natives, but that status brings a degree of obliviousness to attacks, because they tend to place too much trust in their devices. At the same time, 90% of the data breaches that occurred in the United Kingdom in 2019 were due to human error, which reinforces the need for cybersecurity education. Training for threat awareness and detection should not be a one-off: new cyber threats emerge every day, so employees must be updated regularly if they are to keep identifying them. Repeated training is therefore of the utmost importance.
Incident Response Technologies
The Accenture report ranks different technologies according to their effectiveness in incident response. From top to bottom, they are as follows:
Security, Orchestration, Automation & Response (SOAR)
SOAR is an incident response technology that helps to mitigate threats with minimal human effort, providing an adaptive defense. A relatively new technology, it is often confused with Security Information and Event Management (SIEM), another threat intelligence and threat detection technology.
But SOAR and SIEM are not the same. The major difference is that SOAR monitors threats from a broader perspective: SOAR systems integrate inputs from other security monitoring tools (including SIEM) under one platform.
Using digital decision-making workflows, some of them informed by machine learning, organizations can use SOAR to define response procedures, mainly for low-level threats.
There are two main components of SOAR systems.
- Orchestration: This is the integration aspect of SOAR, by which the system collects, correlates, and analyzes alerts from multiple security tools.
- Automation: Using multiple security tools means the same threat may surface as separate alerts across different solutions. SOAR provides a framework for executing threat neutralization tasks against them without a human handling each one.
SOAR systems provide a holistic approach to cybersecurity and particularly threat intelligence.
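The two components described above, as an added example that is not code from the original article or from any SOAR product: orchestration merges alerts from a SIEM feed and an EDR feed and collapses duplicates, and automation runs a containment playbook for low-severity alerts while routing the rest to an analyst. The alert fields, severities, and playbook task names are constructed assumptions.

```python
from collections import defaultdict

# Constructed alerts from two tools; the field names are assumptions, not a real SIEM/EDR schema.
SIEM_ALERTS = [
    {"source": "siem", "host": "ws-17", "indicator": "198.51.100.7", "type": "beaconing", "severity": "low"},
    {"source": "siem", "host": "srv-02", "indicator": "user:bob", "type": "brute_force", "severity": "high"},
]
EDR_ALERTS = [
    {"source": "edr", "host": "ws-17", "indicator": "198.51.100.7", "type": "beaconing", "severity": "low"},
    {"source": "edr", "host": "ws-23", "indicator": "sha256:constructed-sample", "type": "phishing_attachment", "severity": "low"},
]

# Automation playbooks: containment tasks to run for a given alert type (constructed).
PLAYBOOKS = {
    "beaconing": ["block_ip_on_firewall", "isolate_host"],
    "phishing_attachment": ["quarantine_attachment", "notify_user"],
}

def orchestrate(*feeds):
    """Orchestration: merge alerts from every tool and collapse duplicates on (host, indicator, type)."""
    merged = defaultdict(lambda: {"sources": set(), "severity": "low"})
    for feed in feeds:
        for alert in feed:
            key = (alert["host"], alert["indicator"], alert["type"])
            entry = merged[key]
            entry["sources"].add(alert["source"])
            if alert["severity"] == "high":      # highest severity seen wins
                entry["severity"] = "high"
    return merged

def automate(merged):
    """Automation: low-severity alerts with a playbook run it; everything else goes to an analyst."""
    actions, analyst_queue = [], []
    for (host, indicator, atype), entry in merged.items():
        if entry["severity"] == "low" and atype in PLAYBOOKS:
            for task in PLAYBOOKS[atype]:
                actions.append((task, host, indicator))
        else:
            analyst_queue.append((host, indicator, atype, sorted(entry["sources"])))
    return actions, analyst_queue

def run_soar():
    """Process both constructed feeds end to end."""
    return automate(orchestrate(SIEM_ALERTS, EDR_ALERTS))
```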
Risk-Based Authentication (RBA)
It is no longer news that password protection alone does not provide enough data security. Password-protected systems need one or more additional layers of security that:
- Prevent unauthorized access to data.
- Do not complicate the user login process.
Risk-Based Authentication, also known as adaptive authentication, works by determining the risk of a login attempt from its context, using real-time intelligence. The details assessed include device information, network connection, IP address, location, the sensitivity of the data being accessed, and so on. From this information it calculates a risk score, and access is granted or restricted according to that score.
How RBA operates:
- On low risk (the user details are familiar, such as the same device as always), access is granted.
- On medium risk (the user details are not familiar, such as access from a different network), the system requests additional details to ascertain the identity of the person.
- On high risk, it blocks access.
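The three-tier decision above, as an added example that is not code from the original article or from any RBA product: each context signal the article lists (device, network, IP address, location, data sensitivity) that does not match the user's history adds to a risk score, and the score is mapped to allow, step-up, or block. The weights, thresholds, and the user history are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed signal weights and thresholds; a real product tunes these from telemetry (assumption).
WEIGHTS = {"new_device": 30, "new_network": 20, "new_ip": 15, "new_location": 25, "sensitive_data": 10}
LOW_MAX, MEDIUM_MAX = 20, 50   # score <= 20 allow; <= 50 step-up; above block

@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str
    network: str
    ip: str
    country: str
    sensitive: bool   # whether the requested resource holds sensitive data

# Constructed history of what has been seen for each user on earlier logins.
KNOWN = {
    "alice": {"devices": {"laptop-01"}, "networks": {"corp-wifi"},
              "ips": {"203.0.113.10"}, "countries": {"US"}},
}

def risk_score(ctx: LoginContext, known=KNOWN) -> int:
    """Add a weight for every context signal that does not match the user's history."""
    hist = known.get(ctx.user)
    if hist is None:
        return 100  # never-seen user: maximum risk
    score = 0
    checks = [("new_device", ctx.device_id, hist["devices"]),
              ("new_network", ctx.network, hist["networks"]),
              ("new_ip", ctx.ip, hist["ips"]),
              ("new_location", ctx.country, hist["countries"])]
    for name, value, seen in checks:
        if value not in seen:
            score += WEIGHTS[name]
    if ctx.sensitive:
        score += WEIGHTS["sensitive_data"]
    return score

def decide(ctx: LoginContext, known=KNOWN) -> str:
    """Map the score onto the three RBA outcomes: allow, step_up, block."""
    score = risk_score(ctx, known)
    if score <= LOW_MAX:
        return "allow"      # low risk: familiar details
    if score <= MEDIUM_MAX:
        return "step_up"    # medium risk: ask for additional verification
    return "block"          # high risk
```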
Next-Generation Firewalls (NGFW)
According to Gartner, “next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”
The most advanced traditional firewalls use a stateful packet filtering model. NGFWs go beyond this by filtering packets based on the application rather than just the traffic context. Application awareness lets you define application-specific security rules regardless of context, which gives a deeper and more dynamic model of inspection.
NGFWs do all that traditional firewalls can do and more. Major areas in which a next-generation firewall is different from a traditional firewall, apart from application awareness, include:
- A higher level of stateful inspection,
- Integrated Intrusion Prevention System (IPS),
- Deep Packet Inspection (DPI), and
- Threat Intelligence.
Overall, NGFWs reduce threat detection to a matter of seconds, and they can prevent malware from entering a network. NGFWs can also be integrated with other security systems such as SIEM software, authentication tools, etc. This provides comprehensive network visibility and adaptive management.
Privileged Access Management
Privileged user accounts are high-risk because unauthorized access to them can have far-reaching effects on the organization. These accounts have access to the most confidential information and are prime targets for cyber attackers. According to a survey report published last year, 74% of data breaches involved privileged access credential abuse.
That shows how much difference effective Privileged Access Management (PAM) can make to the security of an organization, especially when combined with a Zero Trust approach. PAM covers the secure storage of privileged users’ credentials and defines stringent requirements for access to privileged accounts. According to Microsoft, the four steps involved in PAM setup are as follows:
- Prepare. Identify privileged groups.
- Protect. Set up authentication requirements.
- Operate. Approved requests get just-in-time access.
- Monitor. Review auditing, alerts, and reports.
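The four steps above carried through in code, as an added example that is not code from the original article or from Microsoft's PAM implementation: a privileged group list (Prepare), an MFA requirement on every elevation request (Protect), time-boxed just-in-time grants for approved requests (Operate), and an audit trail of every decision (Monitor). Group names, users, and the grant lifetime are constructed assumptions.

```python
from dataclasses import dataclass, field

# Prepare: the privileged groups and who is eligible to hold them (constructed).
PRIVILEGED_GROUPS = {"domain-admins": {"alice"}, "db-admins": {"alice", "bob"}}
# Protect: authentication requirement before any elevation request is considered.
REQUIRE_MFA = True
DEFAULT_TTL = 3600  # seconds of just-in-time access per approved request (assumption)

@dataclass
class PamVault:
    """Operate and Monitor: grants are time-boxed and every decision is written to the audit log."""
    grants: dict = field(default_factory=dict)   # (user, group) -> expiry timestamp
    audit: list = field(default_factory=list)

    def request_access(self, user, group, mfa_passed, approved, now, ttl=DEFAULT_TTL):
        """Return True only when an eligible, MFA-verified user has an approved request."""
        if user not in PRIVILEGED_GROUPS.get(group, set()):
            return self._log("deny", user, group, now, "not eligible for group")
        if REQUIRE_MFA and not mfa_passed:
            return self._log("deny", user, group, now, "MFA required")
        if not approved:
            return self._log("deny", user, group, now, "no approval")
        self.grants[(user, group)] = now + ttl
        return self._log("grant", user, group, now, f"JIT access for {ttl}s")

    def has_access(self, user, group, now):
        """Check a grant at time `now`; expired grants are removed and audited."""
        expiry = self.grants.get((user, group))
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[(user, group)]
            self._log("expire", user, group, now, "JIT grant expired")
            return False
        return True

    def _log(self, outcome, user, group, now, reason):
        self.audit.append({"t": now, "outcome": outcome, "user": user, "group": group, "reason": reason})
        return outcome == "grant"
```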
PAM is different from Identity and Access Management (IAM), which is concerned with authentication for all users and accounts rather than elevated access alone. PAM is less a technology than an approach.