[BreachExchange] The Incident Response Plan: The Next Layer of your Endpoint Security

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 24 19:44:28 EST 2019


https://solutionsreview.com/endpoint-security/incident-response-plan-the-next-layer-of-your-endpoint-security/

If your enterprise intends to take its endpoint security seriously, it
needs an incident response plan. Full stop. No negotiations.

Why? Well, for some context, “porous” best sums up the modern enterprise’s
digital perimeter. As bring-your-own-device (BYOD) cultures become more
commonplace in enterprises, as more unique devices connect to the network,
and as more enterprises embrace the potential of the cloud, determining
where the enterprise perimeter begins and ends can prove an academic
matter. Hackers thus have multiple attack vectors to choose from to slip
into the network and wreak havoc.

So while securing the perimeter through a next-generation endpoint security
solution remains an important priority, your enterprise must also prepare
for what happens if a digital threat actor does penetrate the network.

But why does this mean you need an Incident Response Plan? How does an
incident response plan support your digital perimeter? What should your
incident response plan contain?

Here’s what you need to know:

What Endpoint Security Does (And Why That Matters)

The first step to understanding why you need an incident response plan is
to understand the full capabilities of endpoint security.

Endpoint security already offers huge preventative benefits to your digital
perimeter. It provides firewalls to prevent traffic from unknown or
suspicious sources. Next-generation anti-malware prevents threats from
penetrating the network and uses threat intelligence to stay up-to-date on
new attacks.

Additionally, many modern solutions can sandbox programs and applications
they don’t recognize to make sure their intentions and functions prove
benevolent. With EDR, perhaps the most crucial capability of modern
endpoint protection platforms, endpoint security can even bolster your
threat detection capabilities in collaboration with a SIEM solution.

However, endpoint security, like all cybersecurity, can’t function
optimally in a vacuum. It requires strong supports and scaffolding to help
ensure your enterprise’s safety in the digital marketplace.

Part of this means developing a full cybersecurity platform for your
enterprise, integrating endpoint security with SIEM and identity and access
management. However, it also means recognizing the one thing endpoint
security can’t protect against: human error.

Why an Incident Response Plan Matters

No matter how large your enterprise’s network, no matter if your network
remains on-premises, migrates to the cloud, or embraces a hybrid
environment, no matter what databases and digital market presence you
possess, the number one cybersecurity attack vector you face is your own
employees.

Human errors cause the vast majority of cybersecurity incidents. Whether
they configure a cloud database incorrectly, fall victim to a phishing
attack, or share their passwords with each other via email, your perimeter
is only as strong as the employees working within it. Their ignorance or
neglect can put you on the hook for the substantial and ever-increasing
costs of a data breach.

Obviously, engaging and continual cybersecurity training can help your
employees embrace best practices and thus supplement your endpoint
security. However, even that won’t stop all digital threats. Unfortunately,
no cybersecurity platform, no matter how strong, can stop 100% of the
deluge of attacks bombarding the perimeter. The same principle applies to
cybersecurity training; even the most observant and cautious employees can
be fooled.

This is where an incident response plan steps in.

What Should an Incident Response Plan Contain?

An incident response plan sounds complex, but in fact, it only clarifies a
necessary emergency procedure; in many ways, it is no different from your
emergency plans in case of a fire.

Ideally, an incident response plan outlines what employees should do if
they suspect a breach: who they should speak to, how they should contact
them, how to label their messages so they are treated as high priority, etc.
From there, the plan should describe the next steps if the breach turns out
to be legitimate. This includes:

- Which individuals will be responsible for threat investigation,
containment, and remediation?
- Who handles the compliance paperwork? Where are the important compliance
documents located?
- Which individuals contact the legal department? Who reaches out to the
overseeing regulatory bodies?
- How should employees contact the individuals affected by the breach?
- Who contacts your public relations team, and what kind of messaging
should they use?
- What should employees do in the meantime to minimize disruption to their
business processes?

Having the plan written out in detail will mitigate the panic which ensues
during a breach, streamline the remediation process, and ensure all of
the relevant individuals receive information on the breach in a timely
manner.

Your incident response plan could be written into your employee handbook,
or be kept in a binder in the IT room. Having a physical copy instead of
keeping it entirely digital may help ease some worries about finding it.

However, you can’t just have an incident response plan. You must also
ensure your employees know the steps of the plan through training and
infrequent drills. This will also enable you to recognize if an aspect of
the IRP needs correction or reconsideration.

Incident Response Plan and Endpoint Security

Remember, you still need an endpoint security solution to protect your
digital perimeter. You should consider your incident response plan an
emergency backup should something happen; having an EPP will reduce the
number of threats you have to face.

Prevention and preparation form the core of cybersecurity. Don’t neglect
one for the other.