How to Optimally Prepare Your IT Infrastructure for a Security Incident
Six tips for IT security
Although protecting their IT infrastructure, systems, workplaces, and data is a priority for many companies, most firms are not prepared for an attack. Timo Schlüter, Business Consultant Cyber Security at Arvato Systems, has summarized six tips on how companies can prepare themselves and react correctly.
Tip 1: Invest in Cyber Security
Most companies have defined IT crisis processes. However, those processes are often not suitable for fending off a sophisticated attack. Attackers' methods are becoming increasingly complex, and the protective measures needed to counter them grow more complex with them. Depending on the nature of the incident, a fast response with the right measures is vital. A further problem is that some measures have been neglected for years. In the worst case, an IT infrastructure that has grown over the years has to be reorganized entirely within a few weeks, which causes significant effort and high costs. That's why you shouldn't wait until a critical security incident forces you to react. Investments in cyber security are worthwhile because they demonstrably reduce the risk of a critical security incident.
Tip 2: Review Existing Security Measures
If dedicated measures have already been defined, that is only half the battle. Preventive measures should be reviewed regularly to keep security levels high in the long term: Are your measures suitable both for warding off a security incident (prevention) and for countering an attack that is actually under way (detection and response)? You must be prepared for sophisticated attacks at all times. Attack methods previously known only from APTs (Advanced Persistent Threats) are now in common use among ordinary cyber criminals.
Tip 3: Define Individual Packages of Measures
Cyber security is the result of a continually ongoing process, and it is highly individual to each organization. There are several success factors for a successful Incident Response (IR): communication, organization, processes, and resources. Based on the respective processes, individual packages of measures should be derived and documented in advance. Each package should describe its goal, the procedure, and the crucial roles, business units, and skills involved. Examples include domain administration and data center management. An incident response communication plan should also be included.
Tip 4: Take a Structured Approach
To be best prepared for the eventuality, the incident response should be divided into two strands of action. First, there is the forensic investigation of the suspected incident. Here, it is possible to determine how deeply the attacker penetrated the IT infrastructure, what the attacker's goals were, and what tools and techniques were used. In addition to log data, company analysts should also use information from endpoint detection and network monitoring and analyze conspicuous systems in depth. Analysts usually focus on Active Directory, the DMZ (Demilitarized Zone), and other particularly exposed areas.
Based on this, measures can be planned to defend against the attack and remove the attacker from the network. In the case of ongoing incidents, it is necessary to decide which actions need to be taken ad hoc (containment) and which predefined measures are to be applied. The same applies to remediation. Here, the packages of measures must be adapted to the complexity of the business processes, the structure of the infrastructure, the monitoring capabilities on endpoints and network traffic, and the available analysis skills. The defensive measures should also correspond to the attacker's methods.
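The forensic strand described above starts with exactly this kind of scoping: which accounts did the attacker use, which hosts did they reach, and what did they do there. The following is an added example, not code from the original article or from Arvato Systems. It triages a constructed sample of Windows Security log records (JSON Lines) for the Active Directory and DMZ indicators the text mentions. The event IDs are the standard Windows Security log IDs (4624 logon, 4625 failed logon, 4720 user account created, 4728 member added to a global security group); the host names, user names, IP addresses, the DMZ subnet, and the failed-logon threshold are assumptions made for the example.

```python
"""Log triage for the forensic strand of incident response.

Added example, not code from the original article or from Arvato Systems.
Event IDs are the standard Windows Security IDs; host names, users,
addresses, the DMZ subnet and the threshold are constructed assumptions.
"""
import json
from collections import Counter

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
DMZ_PREFIX = "10.10.50."        # assumed DMZ address range
FAILED_LOGON_THRESHOLD = 5      # failed logons per source IP before flagging

# Constructed sample records, one JSON object per line; includes a
# malformed line to show that triage must tolerate damaged input.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:00:01", "EventID": 4625, "host": "DC01", "src_ip": "10.10.50.23", "user": "svc_backup"}
{"ts": "2024-03-01T08:00:02", "EventID": 4625, "host": "DC01", "src_ip": "10.10.50.23", "user": "svc_backup"}
{"ts": "2024-03-01T08:00:03", "EventID": 4625, "host": "DC01", "src_ip": "10.10.50.23", "user": "svc_backup"}
{"ts": "2024-03-01T08:00:04", "EventID": 4625, "host": "DC01", "src_ip": "10.10.50.23", "user": "svc_backup"}
{"ts": "2024-03-01T08:00:05", "EventID": 4625, "host": "DC01", "src_ip": "10.10.50.23", "user": "svc_backup"}
{"ts": "2024-03-01T08:00:06", "EventID": 4625, "host": "DC01", "src_ip": "10.10.50.23", "user": "svc_backup"}
{"ts": "2024-03-01T08:00:07", "EventID": 4624, "host": "DC01", "src_ip": "10.10.50.23", "user": "svc_backup"}
{"ts": "2024-03-01T08:02:10", "EventID": 4720, "host": "DC01", "user": "svc_backup", "target": "helpdesk2"}
{"ts": "2024-03-01T08:02:15", "EventID": 4728, "host": "DC01", "user": "svc_backup", "target": "helpdesk2", "group": "Domain Admins"}
{"ts": "2024-03-01T08:05:00", "EventID": 4624, "host": "FILE01", "src_ip": "10.10.50.23", "user": "helpdesk2"}
{"ts": "2024-03-01T09:15:00", "EventID": 4625, "host": "WS042", "src_ip": "10.20.1.15", "user": "jdoe"}
{"ts": "2024-03-01T09:15:30", "EventID": 4624, "host": "WS042", "src_ip": "10.20.1.15", "user": "jdoe"}
not a json line
"""


def parse_events(text):
    """Parse JSON Lines, skip blank and malformed lines, return sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # damaged record: skip it rather than abort the triage
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Derive scoping findings: brute-force sources, DMZ-to-internal logons,
    new accounts, privileged group changes, and the hosts and accounts involved."""
    failed = Counter()
    findings = {
        "brute_force": {},               # src_ip -> failed logon count
        "dmz_logons": [],                # (host, user, src_ip)
        "new_accounts": [],              # (new account, created by, host)
        "privileged_group_changes": [],  # (account, group, changed by)
        "affected_hosts": set(),
        "suspect_accounts": set(),
    }
    for e in events:
        eid, host = e["EventID"], e["host"]
        if eid == 4625:
            failed[e["src_ip"]] += 1
        elif eid == 4624 and e.get("src_ip", "").startswith(DMZ_PREFIX):
            # A DMZ address authenticating inward is a pivot indicator.
            findings["dmz_logons"].append((host, e["user"], e["src_ip"]))
            findings["affected_hosts"].add(host)
            findings["suspect_accounts"].add(e["user"])
        elif eid == 4720:
            findings["new_accounts"].append((e["target"], e["user"], host))
            findings["affected_hosts"].add(host)
            findings["suspect_accounts"].update({e["user"], e["target"]})
        elif eid == 4728 and e.get("group") in PRIVILEGED_GROUPS:
            findings["privileged_group_changes"].append((e["target"], e["group"], e["user"]))
            findings["affected_hosts"].add(host)
            findings["suspect_accounts"].update({e["user"], e["target"]})
    findings["brute_force"] = {ip: n for ip, n in failed.items()
                               if n >= FAILED_LOGON_THRESHOLD}
    return findings


def timeline(events, accounts):
    """Chronological events involving the suspect accounts: the raw material
    for reconstructing how deep the attacker got."""
    return [(e["ts"], e["EventID"], e["host"], e.get("user"), e.get("target"))
            for e in events
            if e.get("user") in accounts or e.get("target") in accounts]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    f = triage(evs)
    for key in ("brute_force", "dmz_logons", "new_accounts", "privileged_group_changes"):
        print(key, f[key])
    print("affected hosts:", sorted(f["affected_hosts"]))
    for row in timeline(evs, f["suspect_accounts"]):
        print(*row)
```

On the sample, the triage reports the DMZ address as a brute-force source, a successful logon from it to the domain controller, a new account created and placed in Domain Admins by the compromised service account, and that account's first use on a file server; the single failed logon by jdoe stays below the threshold. The affected-host set and the per-account timeline are what feed the second strand, the containment and remediation decisions.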
Tip 5: Know Your Own System Criticality
To identify vulnerable areas and critical points, one must have a thorough understanding of the peculiarities of one's own organization, IT infrastructure, and available skills. It helps to think of incident response as a team sport in which players contribute their strengths according to a previously agreed playbook. The right mix of experience and skills is needed to fill the positions well. Building up these skills internally requires a great deal of effort, so using a service provider that offers managed security as a service may be worth considering. But even then, regular training is essential to ensure a high level of responsiveness.
Tip 6: Focus on Teamwork
In the event of an attack, a company needs its entire security team. The Security Operations Center (SOC) assesses the threat potential and, jointly with the Incident Response Team, decides whether an attack has occurred. If it is a major incident, from ransomware extortion to an APT attack, the incident response team coordinates and executes containment and cleanup activities. Follow-up is also critical: those who derive strategic actions from an incident develop better response capabilities and greater resilience. To stay with the soccer metaphor, the questions are: Did the game structure and organization fit? Were the positions staffed correctly? Did the communication work? Were the right human and technological resources available in the right quantity and intensity? Was the visibility over the entire game sufficient? Finally, a company must continuously optimize its risk management and decision-making processes. After all, after the attack is before the attack.