decrypting myths
external IR team is
always on hand to
step in and resolve an
incident when needed.
However, this comes with
potential pitfalls. For instance, a
company and the third party must
sign contracts and create agreements
before any work is carried out. This can
lead to a delay in incident response.
In our experience, a customer team
often comes back to work on a Monday
to discover that the company was
breached during the weekend. For
several days they try to handle the issue
on their own. As they realise that they
cannot cope, they decide to turn to
external experts.
Now it’s Friday. So, the company tries
to approve all the agreements in a hurry
before the next weekend so that they
can finally let the IR team get to work.
If an organisation has an internal team,
it can better evaluate each case and
delegate responsibility quickly.
For most large organisations, a hybrid
approach to IR, combining third-party
responders as the second line of
response and an in-house team as the
first, is the most effective option. It brings
the benefits and eliminates the
shortcomings of both approaches.
and disconnecting infected machines
make the life of IR teams more difficult.
Amir Kanaan, Managing Director for META
region at Kaspersky
for responders, it’s important to collect
the evidence first – meaning that the
‘crime scene’ should be left untouched for
a while after an incident. Collecting logs
and storing them for only three months
www.intelligentciso.com | Issue 16
To avoid such discrepancies, the internal
IR team should prepare special tailored
guidance for their IT colleagues or
introduce special training for any IT
specialist who needs more than simple
cybersecurity hygiene knowledge but
doesn’t require in-depth security skills.
This initiative will ensure that both the
internal and external teams are on the
same page.
Delays in putting response
into action
Organisations that outsource IR can
establish the processes faster, as an
All in all, outsourcing IR doesn’t mean
that the company can simply hand over
the reins to external experts and absolve
themselves of responsibility.
Having a plan is still key. To react in
time, a company must be prepared
and have a first line of response. There
should be instructions for when to
ask for external assistance and what
it will address.
Someone inside the company should
also be tasked with prioritising actions
and coordinating cooperation between
internal departments and the outsourced
external team. Establishing such a role is
a must.