The one thing that matters most in cybersecurity is better, quicker incident response, even when we talk about many other crucial features like wider telemetry coverage, deeper threat detection, increased automation, and reducing noise. These are all tools to achieve that goal. So, how does an MSP deliver IR that is effective?
First, let’s define “Response”:
- Stage 1: See Something – use wide attack surface coverage, deep threat intelligence, and smart incident correlation
- Stage 2: Say Something – typically an escalated alert, raised after sifting through the false positives and determining that there is a true positive: a legitimate threat, a real incident
- Stage 3: Do Something – take urgent action to disarm the threat, isolate the system, de-escalate user permissions, and more. Once the immediate threat has been addressed, conduct Digital Forensics and Incident Response (DFIR), and update policies and procedures to prevent future occurrences
Detection Before Response
Detection precedes response – you can’t catch what you can’t see.
WIDE coverage + DEEP threat detection
- Process – alert monitoring, intel management, threat hunting
- People – 24/7, know the threatscape (ATT&CK), know your network, know the tools
- Technology – Deep Learning EDR / SIEM / UEBA / Threat Intel Platform / Vulnerability Management
Types of Response:
1. Automatic Response – performed by tooling and visible to IT/SecOps
- Firewall Blocking a connection
- Authentication rejecting login attempt
- Endpoint protection terminating a process
2. Hybrid Response – automated detection escalating to human response
- Weak signal correlated by experts
- Guided remediation involving asset owner
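The three stages and the two response types above can be made concrete in a small triage routine. The following is an added example, not code from the CYB3R-X page or its platform: it records tool-actioned events (firewall block, rejected login, terminated process) purely for visibility, and correlates individually weak signals per host inside a time window, escalating to a human analyst once they pile up. The signal names, weights, window, threshold and log lines are all constructed for illustration.

```python
"""Minimal triage engine: Automatic vs Hybrid response routing.

Added example, not the page's own code. Event kinds, weights, the
15-minute window, the escalation threshold and the sample log are
constructed assumptions, not any vendor's scoring scheme.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Signals a tool has already acted on by itself (Automatic Response):
# nothing left to do but make them visible to IT/SecOps.
AUTO_ACTIONED = {"firewall_block", "auth_reject", "edr_process_kill"}

# Weak signals: none is an incident alone, several together may be.
# A rejected login is both auto-actioned and a (small) weak signal,
# so repeated rejections still feed the correlation below.
WEAK_SIGNAL_WEIGHT = {
    "auth_reject": 1,
    "new_admin_tool": 2,
    "unusual_outbound": 2,
    "scheduled_task_created": 2,
}
ESCALATE_AT = 5                 # total weight that triggers human escalation
WINDOW = timedelta(minutes=15)  # correlation window per host


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    detail: str


@dataclass
class Case:
    host: str
    events: list[Event] = field(default_factory=list)
    score: int = 0


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO timestamp> <host> <kind> <detail>'."""
    ts, host, kind, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), host, kind, detail)


def triage(lines: list[str]) -> tuple[list[Event], list[Case]]:
    """Return (auto-handled events for visibility, cases escalated to humans)."""
    auto_handled: list[Event] = []
    escalated: list[Case] = []
    open_cases: dict[str, Case] = {}
    already_escalated: set[str] = set()
    for ev in sorted((parse_line(line) for line in lines), key=lambda e: e.ts):
        if ev.kind in AUTO_ACTIONED:
            # Stage 1 and 3 were done by the tool; Stage 2 is this record.
            auto_handled.append(ev)
        weight = WEAK_SIGNAL_WEIGHT.get(ev.kind, 0)
        if weight == 0 or ev.host in already_escalated:
            continue
        case = open_cases.setdefault(ev.host, Case(ev.host))
        # Drop signals that have aged out of the correlation window.
        case.events = [e for e in case.events if ev.ts - e.ts <= WINDOW]
        case.events.append(ev)
        case.score = sum(WEAK_SIGNAL_WEIGHT[e.kind] for e in case.events)
        if case.score >= ESCALATE_AT:
            # Hybrid Response: hand the correlated case to an analyst.
            escalated.append(case)
            already_escalated.add(ev.host)
            del open_cases[ev.host]
    return auto_handled, escalated


# Constructed sample log (hosts, users and addresses are made up).
SAMPLE_LOG = [
    "2024-05-01T09:00:00 ws-17 auth_reject user=jdoe src=10.0.4.21",
    "2024-05-01T09:00:05 ws-17 auth_reject user=jdoe src=10.0.4.21",
    "2024-05-01T09:02:00 ws-17 new_admin_tool path=C:\\Temp\\admintool.exe",
    "2024-05-01T09:03:30 ws-17 unusual_outbound dst=203.0.113.9:8443",
    "2024-05-01T09:10:00 fw-1 firewall_block src=198.51.100.7 dst=10.0.0.5:445",
    "2024-05-01T10:30:00 ws-22 auth_reject user=asmith src=10.0.4.30",
    "2024-05-01T11:00:00 ws-22 new_admin_tool path=C:\\Temp\\tool.exe",
]

if __name__ == "__main__":
    auto, cases = triage(SAMPLE_LOG)
    print(f"{len(auto)} events auto-handled by tooling (visible to SecOps)")
    for case in cases:
        print(f"ESCALATE {case.host}: score {case.score}, {len(case.events)} correlated signals")
```

Run as written, ws-17 is escalated (two rejected logins, a new admin tool and an unusual outbound connection inside four minutes add up to a score of 6), while ws-22 is not: its second weak signal arrives 30 minutes after the first, outside the window, so the earlier one is discarded. The window and threshold are the knobs an MDR team would tune to trade escalation volume against the risk of missing a slow-moving intrusion.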
Incident Response Best Practices:
- Enlist 24/7 Managed Detection and Response Professionals
- Leverage Automated IR as a Force Multiplier
- Share the Load / Share the Responsibility
Responsibility in the Co-managed model:
- You establish incident response capability by engaging CYB3R-X as a partner on behalf of your customer
- We come to the table with knowledge of attacker tactics
- We will perform the detections and, if automated response is configured, we will execute it
- We will analyze, tune, and triage events
- We will gather incident artifacts and escalate
- You, the customer, will act on guidance
- Lastly, we will conduct a root cause analysis so the incident does not happen again
Enhancing Incident Response with MXDR:
- Managed XDR for MSPs
  - Visibility – when evaluating a vendor, you want to partner with one that gives you visibility across the landscape
  - Cost – partners like CYB3R-X can get you to market quicker and help you drive down costs
  - Expertise – this is a challenge, but you need to find a partner who is able to deliver expert, better incident response
- Collaboration to help you deliver better IR
- Automated Response (Open XDR platform) & guided remediation (24/7 SOC)
- Custom Incident Response Playbook
- Minimize the likelihood of needing IR and prevent subsequent attacks
In cybersecurity, we talk about a lot of necessary capabilities – wider telemetry coverage, deeper threat detection, increasing automation and decreasing noise – but really it’s about one thing: better, faster incident response!
Are you ready to experience better and faster incident response? Talk to us today or email us at demo@cyb3r-x.com for a demo.