The next key factor for quick mitigation is frequent offsite backups. While this would seem to fall in the restoration phase, the confidence of uninfected backups allows the incident response group to more quickly “pull the plug” on the network segments that appear impacted by the attack.
The Threat Intelligence Team must maintain a proper Threat Library, a full understanding of the threats an organization faces, to arm the incident response team with the pieces of information they need to get started on a proper containment and mitigation effort. Integration between the Threat Library and the security infrastructure can help automate much of this work, such as blocking hashes via EDR, feeding IOCs of interest to the SIEM, etc.”
Chris: “Threat actors will continue to become faster and more sophisticated in their tactics, techniques, and procedures. The ease with which ransomware can be monetized puts all companies at risk and will continue to be a challenge. The attack surface will also continue to grow as a result of cloud, remote workers, and an increasingly digital supply chain.
My team believes that all data, not just threat data, is security data and this provides context to help security teams make the best decisions and take the right actions. Much of this data comes through integrations, so any solution to enable the security operations center (SOC) of the future must be built on an open integration architecture that can bring in third-party data, intelligence feeds, and internal data, and send out relevant data to drive actions and response. Finally, balanced automation is essential, where automation and analysts have a symbiotic relationship where both are empowered by data.”
In the spotlight