What is a Cyber Security Incident?
The UK is lucky to have a National Cyber Security Centre, a government-led centre of expertise and resources, so Hayachi Services will defer to their definition:
1. Attempts to gain unauthorised access to a system and/or to data.
2. The unauthorised use of systems for the processing or storing of data.
3. Changes to a system's firmware, software or hardware without the system owner's consent.
4. Malicious disruption and/or denial of service.
Tools and Expertise
In our piece on securing against supply chain attacks we also listed Open Source tools, freely available to help organisations of all sizes detect, identify and prevent cyber-criminals from successfully attacking their business.
However, these freely available tools are also used by cyber-criminals, meaning they aren’t necessarily as secure as castle walls – not without the expertise to guard them.
Anyone can install tools, but configuring and maintaining them costs time and money. This is why next-generation EDR solutions offer threat-hunting, to help you identify whether someone is trying to hack you and how far they managed to get.
The global shortage of Cyber Security professionals adds to this need for expertise, and many of our larger clients lean on external partners to bolster a one- or two-person internal IT Security team. This is true of top-10 UK law firms, so you can imagine that SMEs will not have the wherewithal to maintain any such presence.
It is important to look at a capability ‘in the round’ and see where professional service fees come into play alongside how a vendor will manage Incident Response. For example, you may not have the expertise to run attestation on all the files and software your business uses, but Panda Security offer 100% attestation as part-and-parcel anyway.
Identifying Cyber Security Incidents
There is no single centre of excellence. Any vendor who tells you they are exactly that is lying. This is why Hayachi Services prefer to have honest conversations about how to improve IT Security and draw from a variety of expert opinions, including the NCSC’s publicly available advice for SMEs.
Your primary investments will be in Endpoint Security, Email Security and Network Security. These aspects of security will always be core to any business operation.
By using industry-leading technologies in the above spaces, you will naturally have configured automatic alerts so that when systems detect an incident they email an IT Service Management system and perhaps key internal stakeholders.
It is important to have systems which minimise false alerts, such as Panda Security’s Adaptive Defense, which reduces alerts by more than 70%, because this improves your Incident Response by not wasting precious time in the event of an incident.
Incident Response is, in short, how long it takes for a logged ticket or alert to be seen and responded to. We would add: in a meaningful way.
Where a Cyber Security incident has been identified it is important to respond within a few minutes; this is primarily because attacks are coded and automated to propagate throughout a victim’s systems.
A quick turnaround can prevent an infection going out of control, which is why we insist on meaningful responses – blocking the attack, isolating a system, shutting down a system. Imagine a successful cyber-attack happening on an endpoint that has no security on it, such as an IoT-enabled fridge, and this in turn being the entry point to attack your most critical servers because the device wasn’t isolated in the first place.
Identifying Historical Cyber Security Incidents
It is sometimes the case that a data breach will occur without the knowledge of the business and will only be detected in hindsight. Data-Loss Prevention is core to this, but it is simply a fact that organisations will suffer breaches over time – not even the most secure facilities have such impeccable records.
The average time it takes for an organisation to identify a data breach is in fact a very long time – it can be over 6 months and is often 18 full months after an incident occurred. That is if an organisation detects a breach at all.
Logging is central to understanding the activity which took place and resulted in a Cyber Security incident. For readers who do not have the budget to implement a SOC, the NCSC have yet another Open Source tool they recommend for this.
Logging everything takes inordinate amounts of storage space and logging nothing isn’t very helpful: it is important to be able to classify the sensitivity of information and focus your logging on the most sensitive systems, making the most of limited storage space.
We at Hayachi Services would recommend that you try to retain logs for at least 12 months, and ideally 24 months wherever possible. The solutions we provide retain their logs for 12 months, so one approach is to keep backups of those logs which are older.
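As an added illustration of that retention approach (example code written for this page, not Hayachi Services’ or any vendor’s tooling), the script below keeps logs live for 12 months, gzips older ones into an archive with a SHA-256 manifest so a copy pulled for an investigation can be checked for tampering, and only purges logs older than 24 months. The directory layout, file names and log contents are constructed for the demo.

```python
import gzip, hashlib, json, os, tempfile
from datetime import datetime, timedelta
from pathlib import Path

LIVE_DAYS = 365    # 12 months: logs stay where the security tooling can search them
PURGE_DAYS = 730   # 24 months: beyond this the policy no longer requires a copy

def classify(age_days: int) -> str:
    """Retention action for a log, given days since it was last written."""
    if age_days < LIVE_DAYS:
        return "keep"
    return "archive" if age_days < PURGE_DAYS else "purge"

def apply_retention(live_dir: Path, archive_dir: Path, now: datetime) -> dict:
    """gzip *.log files older than 12 months into archive_dir, recording a SHA-256 in
    manifest.json; drop anything (live or archived) older than 24 months."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = archive_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    done = {"keep": [], "archive": [], "purge": []}
    for log in sorted(live_dir.glob("*.log")):
        written = datetime.fromtimestamp(log.stat().st_mtime)
        action = classify((now - written).days)
        done[action].append(log.name)
        if action == "archive":
            target = archive_dir / (log.name + ".gz")
            target.write_bytes(gzip.compress(log.read_bytes()))
            manifest[target.name] = {"sha256": hashlib.sha256(target.read_bytes()).hexdigest(), "last_written": written.isoformat()}
        if action != "keep":
            log.unlink()
    for name, meta in list(manifest.items()):   # age archives by the original log's date
        if classify((now - datetime.fromisoformat(meta["last_written"])).days) == "purge":
            (archive_dir / name).unlink(missing_ok=True)
            del manifest[name]
            done["purge"].append(name)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return done

def demo() -> dict:  # constructed sample: logs aged 30, 400 and 800 days, policy run twice
    root = Path(tempfile.mkdtemp())
    live, arch = root / "live", root / "archive"
    live.mkdir()
    now = datetime(2024, 6, 1)
    for name, age in (("firewall.log", 30), ("edr.log", 400), ("mail.log", 800)):
        p = live / name
        p.write_text(f"constructed sample log: {name}\n")
        os.utime(p, times=((now - timedelta(days=age)).timestamp(),) * 2)
    first = apply_retention(live, arch, now)
    later = apply_retention(live, arch, now + timedelta(days=400))   # 400 days on
    return {"first": first, "later": later, "archived_now": sorted(p.name for p in arch.glob("*.gz"))}
```

Running `demo()` shows the second pass archiving the firewall log and purging the EDR archive once its original log passes 24 months, with the manifest kept in step.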