Choose the Service Approach to Incident Response

To stay ahead of the cybersecurity curve, agencies must have a comprehensive, tested incident response plan in place. And the right tools and capabilities must be in place to support that plan. That’s the only way to detect and prevent advanced external threats, insider threats and state-sponsored attacks.

While some agencies have the breadth of knowledge and enough skilled staff to manage incident response on their own, many do not. That’s not surprising. According to research from Hewlett Packard Enterprise, up to 60 percent of organizations don’t have enough skilled security staff onsite to manage their cybersecurity needs.

Yet having the right expertise is critical. “The fact is that you will get breached, and the entire resiliency of your organization depends on how you handle the response and recovery,” says Earl Matthews, Vice President for Enterprise Security Solutions for the U.S. Public Sector at Hewlett Packard Enterprise.

To ensure that type of resiliency, many organizations opt to use a service that can fill in the gaps where they lack the expertise or capability. In the case of an incident response service, critical capabilities include:

Preparation: Agencies need help identifying security controls that will have the most significant impact on their security vulnerabilities, along with tools required to make network design and investigation as easy as possible.

Detection and Analysis: Agencies also need tools and mechanisms to detect threats, prioritize and categorize leads, fully scope targeted attacks and proactively hunt for signs of compromise. Ideally, this will include 24x7 monitoring. It’s all about following the evidence, says Matthews. “It’s important to understand how the attacker penetrated the environment and the true extent of what the attacker accessed or stole,” he says. “The thoroughness of the investigation directly affects the success of the remediation.”

Remediation: Any incident response plan must include steps to investigate, analyze and determine the most appropriate response, and then communicate and execute that plan. Thorough remediation involves three steps: containing the attack, eradicating the attacker from the environment and preventing the attacker from re-entering. It is also essential to implement long-term strategic changes to the environment based on what was learned from examining the attack.

The Global Incident Response Service from HP Enterprise and Mandiant can provide all of these services. HPE has long-term experience in providing managed security services to governments and major corporations, while Mandiant’s expertise lies in managing advanced persistent threats and incident response using FireEye technology. The deep expertise of the two organizations helps the service team tie cyber incidents to data on previous campaigns that they track on a continuous basis. This provides an extremely deep level of analysis and surfaces information that might otherwise have been missed.

By combining forces, Global Incident Response can provide agencies with proactive investigation, assessment and resolution of the full range of cybersecurity events. It includes 24x7 operational management and administration, covering not only security devices but also alert monitoring, threat investigation and analysis, remediation, mitigation and recommendations.

The services also include a comprehensive threat compromise report for each incident. This helps agency security personnel react immediately by quarantining infected hosts and preventing future occurrences, significantly reducing or eliminating the consequences of the breach.