Threat Notification Isn’t the Solution – It’s a Starting Point

Threat notification is only the beginning of dealing with a potential attack or breach. This blog outlines what security practitioners should do next.

istock 497953315
weerapatkiatdumrong

Most organizations have the tools in place to receive notification of attacks or suspicious events. But taking the information gleaned from cybersecurity tools is only step one in handling a security threat.

“The goal of a security practitioner is to link those data sets together and do something with the information,” says Mat Gangwer, VP of managed detection and response at Sophos. “The threat notification is just the beginning.”

It’s a common misconception that a tool has effectively blocked or remediated an issue simply because the IT or security team have received a notification of malicious activity.

“Practitioners often think notification also means prevention, but it doesn’t,” Gangwer says. “It doesn’t mean the threat has been neutralized. That’s the start of your investigation.”

Gangwer offers these 3 essential steps for moving beyond threat detection.

1 – Minimize the damage

To prevent widespread damage, organizations, or a managed security services provider (MSSP) acting on their behalf, should take certain targeted actions to neutralize threats after detection, including:

  • Triaging and validating the threat or incident
  • Determining the scope and severity of the threat
  • Seeking information on the threat’s context and potential impact
  • Acting to remotely disrupt, contain, and neutralize the threat
  • Determining the root cause of the incident to prevent future breaches or attacks

2 – Incorporate new learnings

Once a threat has been neutralized and remediated, organizations should seek to incorporate any new learnings back into incident preparedness and ongoing monitoring and threat hunting efforts. It’s critical to leverage these new learnings so processes and procedures can be quickly adapted. Updating documented policies and your incident response plan allows teams to know what is necessary to do in the future, the next time a threat is detected.

“It’s better to make sure everybody's on the same page and aware of expectations going into an event rather than trying to figure it out when it happens and scrambling around trying to remedy and fix what's going on,” he says.

3 – Enlist additional resources

But what if you lack the in-house tools, people, and processes to defend against cyber threats once they are uncovered? An ongoing skills gap in security has made it difficult for many companies to fill their security ranks and support a robust security program.

The good news: An MSSP can assist with managed detection and response. Most MSSPs and MDR providers offer the necessary skills and expertise to fill the gaps.

What’s more, an MSSP can bring in outside experts while still allowing practitioners to control how potential incidents are handled and what response to take.

Click here to learn more.

Related:

Copyright © 2022 IDG Communications, Inc.