How a company responds to a cybersecurity incident can dictate its future success or failure, so it is imperative that companies carefully plan, and test, how they will respond to one. Responding to a cybersecurity incident does not involve only technology teams; support and participation from top executives across the company is mandatory. A good incident response plan also extends beyond the borders of the company to include law enforcement, specialized incident response and forensics teams, and potentially independent counsel.
Per the published guidance, elements of the Core Function “Respond” include:
“Response Planning: Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
Communications: Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
Analysis: Analysis is conducted to ensure effective response and support recovery activities.
Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
Improvements: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.”
Within Respond, these categories can be mapped to Edgewise in the following ways:
Response Planning: A network topology map or Visio diagram is part of an effective incident response plan. Because Edgewise automatically maps all network communications, within and across on-premises data centers, cloud environments, and container environments, network teams no longer have to create and update network maps by hand. In this way Edgewise contributes to the formation of an incident response plan, but it cannot directly affect how that plan is executed.
Although Edgewise does not map directly to the plan-execution aspect of this CSF category, it supports it through data mapping, which lets administrators see the data pathways to and from critical data stores, so responders know which applications and hosts are in scope before a plan is invoked.
Communications: The importance of communications during a live incident cannot be overstated. Organizations must maintain an always-up-to-date record of the personnel who will be involved in a cyber incident, descriptions of each individual's roles and responsibilities, phone trees and organizational charts to facilitate information sharing during the event, and much more. Most of that is beyond the scope of this document and beyond what Edgewise assists with in this category.
Where Edgewise does help with communications is through its monitoring capability, which allows security, networking, and operations teams to quickly identify and then share information about the state of the network with the appropriate parties. Edgewise is a "single pane of glass" into network communications, which is useful both during and after an incident.
Analysis: This category in the CSF covers investigating system alerts, determining the impact of the incident, performing forensics on affected systems, classifying the incident, and deciding on the best course of action for handling it. The ability to quickly analyze alerts and obtain actionable information is critical in any response situation.
Once the Edgewise agent is installed, it detects all communicating applications and services in real time, creates a unique identity for each communicating entity, and builds a model that baselines expected communications. New activity that falls outside that baseline, as well as any activity that violates a defined policy, can be alerted on. This lets Edgewise operate as an early detection system in addition to providing a preventive control.
When suspicious network activity is detected, whether by Edgewise or by a different security control, Edgewise expedites the analysis by providing full identifying information for the systems and applications involved in the communication. For example, if unauthorized access to a database server is detected, or an unauthorized external communication is initiated, Edgewise can identify the precise application that originated the suspicious event, together with the complete trail of communication activity that occurred before, during, and after the event.
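The two capabilities just described, baselining communications per application identity and then reconstructing the trail around a flagged flow, can be illustrated with a small self-contained model. The following Python is an added example written for this article, not Edgewise code; the flow records, the host inventory, the allow-list policy, and the identity format `process@host` are all constructed assumptions.

```python
"""Added example (not Edgewise code): baseline flows by application identity,
flag deviations, reconstruct the trail around an event, and contain an identity."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Dest = Tuple[str, int]


@dataclass(frozen=True)
class Flow:
    ts: int            # constructed epoch-second timestamp
    src_host: str
    src_proc: str      # the process/application that opened the connection
    dst_host: str
    dst_port: int

    @property
    def src_id(self) -> str:
        # Identity is process plus host rather than an IP address, so a rogue
        # process on a trusted host is not hidden behind that host's address.
        return f"{self.src_proc}@{self.src_host}"

    @property
    def dest(self) -> Dest:
        return (self.dst_host, self.dst_port)


# Hypothetical asset inventory; any destination not listed is treated as external.
INVENTORY = {"web01", "app01", "db01", "smtp01"}

# Hypothetical explicit allow-list (default deny): identity -> permitted destinations.
POLICY: Dict[str, Set[Dest]] = {
    "web@web01": {("db01", 5432)},
    "cron@web01": {("smtp01", 25)},
    "api@app01": {("db01", 5432)},
}


def build_baseline(flows: List[Flow]) -> Dict[str, Set[Dest]]:
    """Learn, per source identity, the destinations seen during a clean learning window."""
    base: Dict[str, Set[Dest]] = defaultdict(set)
    for f in flows:
        base[f.src_id].add(f.dest)
    return dict(base)


def classify(flow: Flow, baseline: Dict[str, Set[Dest]], policy=POLICY) -> List[str]:
    """Return the reasons a flow deserves an alert; an empty list means it is expected."""
    reasons: List[str] = []
    if flow.src_id not in baseline:
        reasons.append("unknown-identity")        # never seen this process talk at all
    elif flow.dest not in baseline[flow.src_id]:
        reasons.append("outside-baseline")        # known process, new destination
    if flow.dest not in policy.get(flow.src_id, set()):
        reasons.append("policy-violation")        # not on the explicit allow-list
    if flow.dst_host not in INVENTORY:
        reasons.append("external-destination")    # leaves the known estate
    return reasons


def trail(flows: List[Flow], event: Flow, window: int = 60) -> List[Flow]:
    """Every flow from the same identity within +/- window seconds of the event, oldest first."""
    return sorted(
        (f for f in flows if f.src_id == event.src_id and abs(f.ts - event.ts) <= window),
        key=lambda f: f.ts,
    )


def contain(policy: Dict[str, Set[Dest]], src_id: str) -> Dict[str, Set[Dest]]:
    """Containment: a copy of the policy in which the identity may reach nothing."""
    locked = {k: set(v) for k, v in policy.items()}
    locked[src_id] = set()
    return locked


# Constructed learning-window traffic, assumed clean.
LEARNING = [
    Flow(100, "web01", "web", "db01", 5432),
    Flow(101, "web01", "web", "db01", 5432),
    Flow(102, "web01", "cron", "smtp01", 25),
    Flow(103, "app01", "api", "db01", 5432),
]
# Constructed live traffic: the web process calls out to 203.0.113.9 (TEST-NET-3)
# and an interactive shell on web01 reaches the database.
LIVE = [
    Flow(200, "web01", "web", "db01", 5432),
    Flow(201, "web01", "web", "203.0.113.9", 443),
    Flow(202, "web01", "web", "db01", 5432),
    Flow(250, "web01", "bash", "db01", 5432),
    Flow(300, "app01", "api", "db01", 5432),
]
BASELINE = build_baseline(LEARNING)


def alerts(flows=LIVE, baseline=BASELINE, policy=POLICY) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, reasons) for every live flow that is not expected."""
    return [(f, r) for f in flows if (r := classify(f, baseline, policy))]


if __name__ == "__main__":
    for f, reasons in alerts():
        print(f"{f.ts} {f.src_id} -> {f.dst_host}:{f.dst_port} {reasons}")
        for t in trail(LIVE, f, window=5):
            print(f"    trail: {t.ts} {t.src_id} -> {t.dst_host}:{t.dst_port}")
    print("web@web01 after containment:", classify(LIVE[0], BASELINE, contain(POLICY, "web@web01")))
```

Two design points carry over to any real deployment: the baseline is keyed on an application identity rather than an address, so a new process on an already-trusted host shows up as "unknown-identity" instead of inheriting the host's permissions, and containment is expressed as a policy change, which is what makes it auditable later.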
Mitigation: The NIST CSF states only that organizations need methods to contain incidents, mitigate them, and mitigate or document newly identified vulnerabilities. The mitigation phase of incident response could fill a book on its own, so for the purposes of this article we will stick to that guidance: identify, mitigate, and document new vulnerabilities.
With data mapping and visualization as core capabilities, Edgewise is useful in the mitigation stage insofar as its machine learning continuously evaluates users' networks and refines policy recommendations that reduce the exposed attack surface. Further, when an attack in progress is identified, users can segment individual applications, data stores, or systems in one click to "limit the blast radius," immediately containing the attack and preventing the attacker from reaching other business resources. Because a containment policy also cuts legitimate dependencies of the segmented workload, responders should check the learned communication map for what else will be affected before applying it.
From a documentation and process point of view, every applied policy is recorded, so an audit trail of containment and mitigation actions exists.
Improvements: In keeping with the opening statement of this document, how a company responds to an incident makes all the difference. Reviewing incident procedures, documenting and sharing lessons learned, and applying that knowledge to future incidents is outside the scope of any technology offering. Independent of an organization's technology, the human work of learning from incidents is the key to the continuous improvement that lets the organization respond faster, more accurately, and with fewer disruptions the next time.
The wrap up
The NIST CSF is an excellent baseline for building and maintaining an incident response plan, but it is in no way an exhaustive template for incident handling. No single template, policy, or technology can determine the best response strategy for an organization; responding to an incident is a highly complex process that involves many elements, from people to technology. "Respond" is not a tool, but implementing the right tools before an incident hits can prevent certain incidents from happening; allow organizations to quickly detect, respond to, and mitigate the incidents that do occur; contain incidents in progress; and lay the foundation for recovery afterward.