Intelligent CISO Issue 16 - Page 69

decrypting myths external IR team is always on hand to step in and resolve an incident when needed. However, this comes with potential pitfalls. For instance, a company and the third party must sign contracts and create agreements before any work is carried out. This can lead to a delay in incident response. In our experience, a customer team often comes back to work on a Monday to discover that the company was breached during the weekend. For several days they try to handle the issue on their own. As they realise that they cannot cope, they decide to turn to external experts. Now it’s Friday. So, the company tries to approve all the agreements in a hurry before the next weekend so that they can finally let the IR team get to work. If an organisation has an internal team they can better evaluate each case and delegate responsibility quickly. For most large organisations, a hybrid approach to IR, combining third-party responders as the second line of response and an in-house team as the first is the most effective option. It brings benefits and eliminates the shortages of both approaches. and disconnecting infected machines make the life of IR teams more difficult. Amir Kanaan, Managing Director for META region at Kaspersky for responders, it’s important to collect the evidence first – meaning that the ‘crime scene’ should be left untouched for a while after an incident. Collecting logs and storing them for only three months | Issue 16 To avoid such discrepancies, the internal IR team should prepare special tailored guidance for their IT colleagues or introduce special training for any IT specialist who needs more than simple cybersecurity hygiene knowledge but doesn’t require in-depth security skills. This initiative will ensure that both the internal and external team is on the same page. Delays in putting response into action Organisations that outsource IR can establish the processes faster, as an All in all, outsourcing IR doesn’t mean that the company can simply hand over the reins to external experts and absolve themselves of responsibility. Having a plan is still key. To react in time, a company must be prepared and have a first line of response. There should be instructions for when to ask for external assistance and what it will address. Someone inside the company should also be tasked with prioritising actions and coordinating cooperation between internal departments and the outsourced external team. Establishing such a role is a must. u 69