NCSAM: Responding to and Recovering from Threats as They Arise

In our previous post for National Cybersecurity Awareness Month (NCSAM), we talked about detecting threats. As threats have changed, particularly during the past year, having the right tools and processes in place to detect threats as they arise is crucial for maintaining a strong security posture.

However, threat detection only plays one part. While some threats, once detected, have straightforward answers, some can balloon their damage to the point of seriously harming an organization. Today, we’ll talk about two things—incident response and recovery technologies.

Let’s dive in.

Respond and Recover

When threats arise, your team needs to fix the issues quickly and professionally. How you handle it can make a huge difference on whether or not you keep that customer happy (and paying). That means you need a combination of both strong policies and robust technology.

DEVELOP AN IR PROCESS

Before you can recover your customers to full strength, you’ll want to have an incident response (IR) plan in place. The plan doesn’t have to be extensive, but you should have a fixed process in place to deal with incidents as they arise. While incident response is a topic in and of itself (and can be a deep rabbit hole), try to at least make sure you have an idea of the steps to take—from quarantining infectious machines, investigating what happened, fixing the issue, then testing to make sure there aren’t unintended side effects. You’ll also want to figure out how best to communicate to your customers through the process, both in terms of keeping them in the loop during downtime and explaining how you’ll prevent future issues.

FORMALIZE YOUR PLAN

Next, make sure to write it down. You don’t want to skip this step. When an incident occurs, you’ll be thankful you have step-by-step instructions for your team on how best to handle an incident. A good portion of handling security incidents involves keeping a clear head under pressure; having a written plan helps reduce the likelihood of confusion or mistakes. Also, make sure to revisit and add to the plan at least once a quarter, as your steps will change over time (and may be slightly different depending on your customer base).

PRACTICE FOR INCIDENTS BEFORE THEY HAPPEN

We mentioned that having a written plan helps reduce confusion. So does practice. When people first face a security incident, they can get flustered or enter panic mode. That’s why it’s important to prepare ahead of time. If you can make the time, try to act out specific incidents, particularly ransomware, so each person knows their part and won’t be facing it for the first time live.

BACK UP OFTEN

Beyond your process, you’ll also need some tools in your toolbox, and a cloud-based backup is a must. Backing up workstations to cloud storage is an absolute must to helping prevent data loss, particularly during the era of heavy remote work, as people may be more lax about connecting to a corporate server to save their files. If you can, try to back up the entire endpoint, or at least critical business documents. And make sure to schedule your backup jobs so you still meet your recovery point objectives.

TEST FOR RECOVERY

Picking up on a theme from earlier, you’ll want to make sure you’re ready when the time comes to restore. That’s why we recommend frequently testing your customers’ backups for recoverability. The last thing you want is to find out a backup has become corrupted or you can’t restore while in the middle of a crisis.

USE EDR WITH ROLLBACK

Finally, SolarWinds^® Endpoint Detection and Response (EDR) includes an automated rollback feature that can restore an endpoint based on Windows to a safe state quickly after a potential threat. In fact, it can take a number of policy-driven actions, including quarantining files, disconnecting endpoints from a network, or blocking connections to malicious sites. While EDR was mentioned in the previous blog on detection, it plays a pivotal role in the response and recovery processes as well. As customers work remotely, EDR can work almost as independent incident response teams on each endpoint, often stopping an issue before it takes causes too much damage. And since 76% of organizations predicted remote work would increase IR times in this year’s Cost of a Data Breach report from Ponemon and IBM, the automated rollback feature could be worth its weight in gold. Still, it’s important to note that this feature isn’t a replacement for cloud-based backup. You’ll still need it for rollback on machines that aren’t Windows, and it’s still important for other forms of data loss.

Keeping your cool under pressure

Security incidents will occur despite your best laid plans and defenses. It happens to large enterprises as much as it happens to small businesses. What makes you prove your worth to your customers comes down to how you handle the incident, and how quickly you get them back up and running. Make sure to have a good IR process in place so you can keep your customers safe (and happy).

Sometimes, there’s a snag when it comes to recovery. On the one hand, you need the right tools to make sure you can restore data in a pinch. But some customers may skimp on backup in an attempt to save cost, often without really understanding the risk until it’s too late. To help you solve this problem, don’t miss our free eBook, The Big Book of Selling Data Protection. It’ll help both your customers’ readiness for a data loss event and help improve your bottom line. Get your copy today.