Incident Response in the Age of New Compliance Requirements

By Mark Goudie, APJ Services Director, CrowdStrike

Today’s cyber-landscape is survival of the fastest, not only for adversaries but also for organisations facing regulatory and legal consequences after an attack. The speed at which you identify a breach, cut off access to data and remediate the threat makes a significant difference to the business risk and cost of a data breach incident.

Modern incident response (IR) starts with a holistic view of cyber-crisis management that captures the confluence of operational, strategic, legal and public-disclosure elements. Organisations need to approach IR through a new lens and re-examine their internal processes in the age of global compliance requirements.

In 2018 the average adversary dwell time was 85 days, but there have been numerous incidents where adversaries sat in networks undetected for multiple years, and that will not sit well with regulators or customers. The threat landscape is evolving: nation-state adversaries are using sophisticated attacks, and non-malware attacks are increasing rapidly, making breaches harder to detect.

No organisation is exempt from cyber attacks, and having an established plan of action that can be executed immediately after a security incident is crucial to limiting costs and damage. In the age of regulatory requirements and compliance, the focus is on the new principles of effective IR, emerging organisational best practice and proactive mitigation techniques.

The age of compliance in cyber security

In March 2019, the World Economic Forum reported that more than 4.5 billion records were breached in the first half of 2018 and that cyber criminals were employing tactics that are more sophisticated and globally scalable. In the age of compliance, organisations are being held more accountable in the face of sophisticated attackers. They need a strong IR plan that clearly communicates the plan of action and creates new levels of transparency with customers: one that not only meets state and global regulations but also builds customer loyalty and trust.

Rethinking IR readiness

When it comes to modern IR in the current cyber security environment, organisations need to be proactive and understand that compliance does not equal secure. Organisations need to be strategic and build an incident response approach that involves the whole company, from the board through legal, finance and IT. There needs to be a clear understanding of the requirements at every level to ensure the right policies and processes are in place.

The more strategically a company invests time and resources in IR, and the more habitually it rehearses security incidents before they happen, the greater the chance that dealing with a cyber threat becomes a well-thought-out exercise rather than a reactive scramble.

Best practice & proactive mitigation techniques

To reduce the time to respond to emerging threats, responders need deep, real-time visibility into the current state of every system in the enterprise and the capability to remediate a confirmed threat instantly. Real-time response gives incident responders deep access to systems across the distributed enterprise: the visibility needed to fully understand an emerging threat and the power to remediate it directly. This dramatically reduces both the time needed to respond to an attack and the likelihood of an attack becoming a costly breach.

Organisations need to pursue the 1-10-60 rule to combat sophisticated cyber threats: detect an intrusion within one minute, investigate it within 10 minutes and remediate it within 60 minutes. The rule follows from the premise that speed is paramount in winning a battle in cyberspace. The only way to beat an adversary is to be faster than they are.
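Dwell time and the 1-10-60 intervals are only useful targets if you actually measure them per incident. The following is an added example, not code from the article or from CrowdStrike: it parses a constructed incident timeline (ISO-8601 UTC timestamp, stage name, free-form key=value fields) and reports each interval against the 1-10-60 targets, plus the adversary dwell time from initial access to detection. The stage names, the log format, the sample incidents and the choice to start each clock at the end of the previous stage are all assumptions of this example; the article does not say where each clock starts.

```python
from datetime import datetime, timezone

# 1-10-60 targets in minutes. Each interval is measured from the end of the
# previous stage; that convention is an assumption of this example.
INTERVALS = (
    # (metric, start stage, end stage, target in minutes)
    ("detect",      "initial_access", "detected",     1),
    ("investigate", "detected",       "investigated", 10),
    ("remediate",   "investigated",   "remediated",   60),
)
KNOWN_STAGES = {s for _, start, end, _ in INTERVALS for s in (start, end)}


def parse_timeline(lines):
    """Parse '<ISO-8601 UTC> <stage> key=value ...' lines into {stage: datetime}.

    Lines with an unknown stage are ignored. If a stage is recorded more than
    once, the earliest timestamp wins: the first detection is the one that
    counts for dwell time.
    """
    events = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[1] not in KNOWN_STAGES:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        stage = parts[1]
        if stage not in events or ts < events[stage]:
            events[stage] = ts
    return events


def assess(lines):
    """Measure the 1-10-60 intervals and dwell time for one incident.

    Returns a dict with the elapsed minutes per metric, which targets were met
    or missed, which intervals are still open (end stage not yet recorded) and
    the dwell time in minutes (None if the intrusion has not been detected).
    """
    events = parse_timeline(lines)
    report = {"minutes": {}, "met": [], "missed": [], "open": [], "dwell_minutes": None}
    for metric, start, end, target in INTERVALS:
        if start not in events or end not in events:
            report["open"].append(metric)  # stage not reached: still an open incident
            continue
        minutes = (events[end] - events[start]).total_seconds() / 60
        report["minutes"][metric] = minutes
        (report["met"] if minutes <= target else report["missed"]).append(metric)
    if "initial_access" in events and "detected" in events:
        dwell = events["detected"] - events["initial_access"]
        report["dwell_minutes"] = dwell.total_seconds() / 60
    return report


# Constructed sample incidents (hypothetical hosts and sources).
FAST_INCIDENT = [
    "2019-03-04T10:00:00Z initial_access host=ws-17 vector=phish",
    "2019-03-04T10:00:40Z detected source=edr rule=credential_dump",
    "2019-03-04T10:07:10Z investigated scope=3_hosts",
    "2019-03-04T10:55:00Z remediated action=isolate_hosts",
]
SLOW_INCIDENT = [
    "2018-01-01T08:00:00Z initial_access host=db-02 vector=webshell",
    "2018-03-27T08:00:00Z detected source=third_party_notification",  # 85 days later
    "2018-03-27T14:30:00Z investigated scope=unknown",
    # no 'remediated' line: the incident is still open
]

if __name__ == "__main__":
    for name, incident in (("fast", FAST_INCIDENT), ("slow", SLOW_INCIDENT)):
        r = assess(incident)
        dwell = "not detected" if r["dwell_minutes"] is None else f"{r['dwell_minutes'] / 1440:.1f} days"
        print(f"{name}: dwell={dwell} met={r['met']} missed={r['missed']} open={r['open']}")
```

Run over the second sample, the script reports an 85-day dwell time and a missed detect and investigate target with remediation still open; that is the shape of report a regulator or board will ask for after an incident, so it is worth producing from the incident record rather than reconstructing from memory.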

Cyber attacks are part of the modern landscape, and they are becoming more sophisticated and harder to identify. In the age of compliance and increased regulation, organisations are being held accountable and need a proactive, strategic response in place. Preparing for and investing in IR, and reframing cybercrime as an issue that affects every part of the organisation, is the first step towards building business resilience.