87% of respondents are concerned about becoming a victim (again) of a cyber incident.
Cybersecurity research report 2021 Belgian and Dutch companies – Research by Proximus, Proximus SpearIT Davinsi Labs, and Telindus Nederland
Targeted attacks are on the rise
With the advent of targeted attacks and Advanced Persistent Threats (APTs), we have observed a paradigm shift in how organizations approach cybersecurity. Over the last decade it has become obvious that focusing on prevention alone is no longer enough. Investments in the latest network and endpoint security controls no longer cut it. There is an ever-growing need to have rapid detection and response capabilities in place.
Detection and response must go hand in hand
It does not matter how early we detect an intrusion if we do not act upon it. We need around-the-clock security monitoring to guarantee that a notable event is picked up as soon as it is generated. Notable events must be reviewed, qualified, investigated and escalated accordingly. When we are dealing with an actual security incident, it needs to be contained as soon as possible. This requires a proactive approach to incident response by preparing playbooks to guide containment, eradication, and recovery activities. Detection and response must go hand in hand to guarantee a smooth end-to-end process.
In order to build an integrated detection and response capability, we use dedicated technology, processes and people:
Response Playbook Lifecycle Management
We develop best-practice playbooks to orchestrate and automate part of the response process for high-fidelity security alerts. Our overarching SOAR platform allows us to integrate with security controls (such as EDR/NDR/XDR tools) to drive end-to-end investigation workflows and containment actions.
24x7 Operations Center
Threat response is provided by our Security Operations Center (SOC), which is ISO27001 certified. The SOC operates around the clock (24x7x365) and houses our security experts, who monitor customer environments for threats in real time. The SOC acts as an extension of our customers’ security and operations teams. The SOC drives the security incident response process (1) identification; 2) containment; 3) eradication and recovery; 4) post-incident activities) and provides advice along the way.
Incident response process in action
The goal of the incident response process is to respond to security-related incidents and reduce their impact to the absolute minimum.
Our security incident response process is structured in four phases:
Phase 1: Identification
In the first step we gather and triage all available information to confirm that a security incident has occurred, or is occurring, and to find out more details about it. Who, What, Where, When, Why and How are clearly answered and documented.
Phase 2: Containment
In the containment phase we take the necessary actions to limit the exposure resulting from the security incident.
Phase 3: Eradication and Recovery
We determine the root cause and take the necessary actions to eliminate it. Affected systems are restored to normal operation.
Phase 4: Post-incident activities
We analyze what happened and provide insight with a detailed analysis of the security incident and actions taken. The goal is to improve and strengthen overall security to prevent similar attacks and/or damage in the future.
Within this process, there is regular interaction between the SOC and the customer to report on the incident, obtain more information where necessary, and agree the appropriate containment and recovery steps with the local operational teams.