Introduction

The evolution of today's cyber threat landscape, combined with organisations' increasing reliance on technology, has changed the structure of information security incident response. Cyber threats continue to grow in sophistication, making attacks more targeted, more complex and more damaging.

To prepare for these threats, organisations must adapt and move with the threat landscape. It is inevitable that every organisation will at some point be hit by a cyber-attack. Organisations that ignore changes in the threat landscape, or that lack the mechanisms to diagnose a security incident and set out a remediation plan, put themselves at high risk.

It is important that security defences follow the industry shift from a prevention-only posture to full incident response in the event of a cyber-attack. Whilst prevention remains important, today's security posture is defined more by the framework that lets an organisation respond quickly and minimise the impact.


Problem Statement

The level of response needed to mitigate a cyber-attack depends on the complexity, scope and skill of the attack. The skill of an attack is governed by the type of attacker; whether the attacker is state-sponsored, a hacktivist or a script kiddie, the organisation remains a target.

There are a number of attack tactics that these groups can deploy to penetrate or disrupt business operations. While organisations can detect many of these attacks through a Security Information and Event Management (SIEM) platform, the process for managing the response requires more structure.

Cyber incidents that affect multiple parts of the business can disrupt operations and cause large financial, operational or reputational damage. Such incidents typically touch multiple processes and multiple stakeholders across the organisation. Reacting to them requires a sequenced series of tasks to be actioned and tracked throughout the investigation, with the collaboration of stakeholders such as the Network Operations Centre (NOC), Corporate IT, the Service Desk, Risk Management, Compliance and the Group Infrastructure teams.

This requires centralised, orchestrated response procedures that document the analysis, containment, eradication and recovery of each incident, and that feed performance metrics into a continuous cycle of lessons learnt.

Business Outcomes

By aggregating, enriching and contextualising cybersecurity telemetry, the platform will accelerate incident response by streamlining the organisation's workflow operations and tasks. A centralised platform lets the Cybersecurity Emergency Response Team (CERT) orchestrate the delegation of tasks, so that multiple stakeholders and individuals can work on an incident investigation simultaneously.

Integration with existing technologies and infrastructure provides the capability to use automation, shortening the time needed to contain and respond to an incident.
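The case model the two preceding sections describe (enriched telemetry driving task delegation to the right stakeholder team, the analysis, containment, eradication, recovery and lessons-learnt phases enforced in sequence, and time-to-contain captured as a performance metric) can be sketched as a small data model. The code below is an added illustration, not the platform's own code; the asset inventory, the alert and the task names are constructed for the example, and the team names are the ones listed in the problem statement.

```python
"""Illustrative incident case model: enrichment-driven delegation,
enforced lifecycle ordering and a time-to-contain metric.
Added example; not the platform's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional


class Phase(IntEnum):
    """Lifecycle phases in the order the case must pass through them."""
    ANALYSIS = 1
    CONTAINMENT = 2
    ERADICATION = 3
    RECOVERY = 4
    LESSONS_LEARNT = 5


# Constructed asset inventory (hypothetical). In a real deployment this
# context would come from a CMDB or the SIEM's asset enrichment.
ASSET_INVENTORY = {
    "10.0.5.17": {"hostname": "ws-fin-042", "kind": "workstation", "owner": "Corporate IT"},
    "10.0.9.3": {"hostname": "db-prod-01", "kind": "server", "owner": "Group Infrastructure"},
}


@dataclass
class Task:
    name: str
    owner: str                      # stakeholder team responsible for the task
    phase: Phase
    done_at: Optional[datetime] = None


@dataclass
class Case:
    case_id: str
    opened_at: datetime
    alert: dict                     # raw SIEM alert as received
    context: dict = field(default_factory=dict)   # enrichment results
    tasks: list = field(default_factory=list)
    phase: Phase = Phase.ANALYSIS
    entered: dict = field(default_factory=dict)   # Phase -> datetime the phase was entered

    def __post_init__(self):
        self.entered[Phase.ANALYSIS] = self.opened_at

    def enrich(self):
        """Contextualise the alert with asset ownership; unknown assets fall to the Service Desk."""
        asset = ASSET_INVENTORY.get(self.alert.get("src_ip"), {})
        self.context = {"asset": asset, "owner": asset.get("owner", "Service Desk")}
        return self.context

    def plan(self):
        """Generate the sequenced task list; host-level tasks are delegated to the asset owner."""
        owner = self.context.get("owner", "Service Desk")
        host = self.context.get("asset", {}).get("hostname", "affected host")
        self.tasks = [
            Task("Triage alert and confirm true positive", "CERT", Phase.ANALYSIS),
            Task(f"Isolate {host} from the network", owner, Phase.CONTAINMENT),
            Task("Block indicator at the perimeter", "NOC", Phase.CONTAINMENT),
            Task("Remove malicious artefacts", owner, Phase.ERADICATION),
            Task("Restore service and verify", owner, Phase.RECOVERY),
            Task("Post-incident review and metrics", "CERT", Phase.LESSONS_LEARNT),
        ]
        return self.tasks

    def pending(self, phase=None):
        """Open tasks in the given phase (default: the current one)."""
        phase = self.phase if phase is None else phase
        return [t for t in self.tasks if t.phase == phase and t.done_at is None]

    def complete(self, name, when):
        for t in self.tasks:
            if t.name == name:
                t.done_at = when
                return t
        raise KeyError(name)

    def ready_to_advance(self):
        return not self.pending() and self.phase is not Phase.LESSONS_LEARNT

    def advance(self, when):
        """Move to the next phase only once every task of the current phase is done."""
        if not self.ready_to_advance():
            raise RuntimeError(f"cannot leave {self.phase.name}: {len(self.pending())} task(s) open")
        self.phase = Phase(self.phase + 1)
        self.entered[self.phase] = when
        return self.phase

    def time_to_contain(self):
        """Performance metric: time from case opening to entering containment."""
        if Phase.CONTAINMENT not in self.entered:
            return None
        return self.entered[Phase.CONTAINMENT] - self.opened_at


def run_demo():
    """Walk a constructed alert through analysis into containment."""
    t0 = datetime(2024, 3, 4, 9, 0)
    case = Case("IR-0001", t0, {"rule": "Outbound beaconing to known C2", "src_ip": "10.0.5.17"})
    case.enrich()
    case.plan()
    case.complete("Triage alert and confirm true positive", t0 + timedelta(minutes=25))
    case.advance(t0 + timedelta(minutes=25))        # analysis -> containment
    return case


if __name__ == "__main__":
    c = run_demo()
    print(c.phase.name, c.time_to_contain(), [(t.name, t.owner) for t in c.pending()])
```

The ordering check in advance() is what makes the workflow auditable: a case cannot reach recovery while a containment task is still open with the NOC, and the timestamps recorded in entered give the time-to-contain and time-to-recover figures for the lessons-learnt review without any separate bookkeeping.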

The tool supports managing cases, assigning the right people to the tasks for typical case types, and providing clear overviews for reporting to management and regulators.

All local CERTs (country or regional teams) will be able to handle their own cases. If an incident or crisis spans multiple countries, the central CERT team takes over coordination and information is shared amongst the teams.