By Datuk Alan See, Chief Executive Officer – FIRMUS

Technology has made significant leaps compared to 30 years ago when I joined the workforce. Of course, it has benefited all of us but has also equipped threat actors seeking to cause damage with more advanced tools.

Every organisation, regardless of its size or strength, is susceptible to security breaches. Recently, a social security agency faced a breach, joining a list of high-profile organizations. While they likely had security measures in place, the question arises: are they sufficient?

Leaked information reveals that the agency uses an Endpoint Detection & Response (EDR) tool with signature-based detection, relying on a predefined list of known indicators of compromise (IOCs). However, in today's dynamic threat landscape, IOCs alone may not be adequate.

Post-breach, the agency's incident response appears to have focused heavily on publicity, while the necessary fixes to its systems were not properly carried out: the inter-departmental crisis management meeting about the attack was itself being recorded by the attackers, who had infiltrated the video call.

With that, organisations of all sizes must prioritize their security posture to protect sensitive information from cyber-attacks, starting with modern EDR tools and a proper Incident Response (IR) plan.

Key Features to Look for in an EDR Solution

When selecting an EDR solution, organisations should consider the following key features:

Indicators of Attack (IOA) approach: Focuses on detecting the attacker’s intent, irrespective of the specific malware or exploit used, to combat malware-free intrusions and zero-day exploits.

Threat Database: Supported by extensive telemetry from endpoints and enriched with contextual data from various sources.

Behavioural Protection: Offers advanced threat detection, investigation, and response capabilities, including incident data search, investigation alerts, and validation of suspicious activities.

Real-time and Historical Visibility: Provides security teams with the ability to view both current and past activities on endpoints, producing actionable insights.

Integration with Security Ecosystem: Seamlessly integrates with other security tools and systems such as Security Information and Event Management (SIEM) platforms, firewalls, threat intelligence, email security, and identity protection, advancing beyond EDR to XDR (Extended Detection & Response).
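To make the IOC/IOA distinction above concrete, here is an added example (not the article's or any vendor's code) run over constructed endpoint telemetry with placeholder hashes: the signature check catches only the dropper whose hash is already on the IOC list, while a behavioural rule keyed on the parent/child relationship and the outbound connection catches both runs of the same intrusion chain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # process image name as reported by the endpoint sensor
    sha256: str     # hash of the image file on disk (placeholder values below)
    cmdline: str
    outbound: bool  # process opened an outbound network connection

# Constructed IOC list: the hash of one previously seen dropper (placeholder).
KNOWN_BAD_HASHES = {"a1" * 32}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def ioc_hits(events):
    """Signature-style check: flag only images whose hash is on the IOC list."""
    return [e.pid for e in events if e.sha256 in KNOWN_BAD_HASHES]

def ioa_hits(events):
    """Behavioural (IOA) check: an Office application spawning a child that
    reaches out to the network. The rule never inspects the hash, so a
    rebuilt or renamed payload that shows the same intent is still caught."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_APPS and e.outbound:
            hits.append(e.pid)
    return hits

# Constructed telemetry: the same intrusion chain twice. In the second run
# the attacker rebuilt the dropper, so its hash no longer matches the IOC list.
TELEMETRY = [
    ProcEvent(100, 1,   "winword.exe",  "00" * 32, "winword.exe invoice.docm", False),
    ProcEvent(101, 100, "update.exe",   "a1" * 32, "update.exe /silent",       True),   # known dropper
    ProcEvent(102, 100, "splwow64.exe", "00" * 32, "splwow64.exe",             False),  # print helper, benign
    ProcEvent(200, 1,   "excel.exe",    "00" * 32, "excel.exe report.xlsm",    False),
    ProcEvent(201, 200, "update.exe",   "b2" * 32, "update.exe /silent",       True),   # rebuilt dropper
    ProcEvent(300, 1,   "explorer.exe", "00" * 32, "explorer.exe",             False),
    ProcEvent(301, 300, "outlook.exe",  "00" * 32, "outlook.exe",              True),   # benign network use
]

if __name__ == "__main__":
    print("IOC hits:", ioc_hits(TELEMETRY))   # only the dropper with a known hash
    print("IOA hits:", ioa_hits(TELEMETRY))   # both runs of the chain
```

The IOA rule also stays quiet on the Office child that never touches the network and on the non-Office process that does, which is the kind of precision that keeps false-positive counts down.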

Knowing the Effectiveness of an Incident Response Plan

Having an incident response plan is important, but its effectiveness is just as important. Organisations can assess effectiveness by:

Conducting Regular Testing: Organizations should frequently test their incident response plan by simulating real security incidents, identifying areas for improvement, and ensuring the plan functions as intended.

Review and Update: After each test or actual security incident, organizations should review and update their incident response plan to address weaknesses or lessons learned from the exercise.

Track Incident Metrics: Organizations should monitor key performance indicators (KPIs) related to incident response, including the time to detect and respond to incidents, the number of false positives, and the effectiveness of remediation actions.

Collaborate with Stakeholders: Organizations should work closely with stakeholders, such as security teams, senior management, and other departments, to ensure the incident response plan is effective and well-communicated.

Seek External Validation: Organizations can seek external validation of their incident response plan through certifications like the ISO standard for information security management. Participation in industry forums and peer groups is also valuable for sharing best practices and learning from others’ experiences.

Benefits of a Well-Crafted Incident Response Plan

A well-crafted incident response plan offers several benefits, including:

Faster Response Time: A well-crafted plan ensures an organisation’s ability to spot early signs of a security incident and respond quickly.

Early Threat Mitigation: A well-organized incident response team with a detailed plan can mitigate the potential effects of a security incident and minimize the damage caused.

Improved Forensic Analysis: A clear plan speeds up forensic analysis, helping the organisation contain and recover from the event more effectively and efficiently.

Enhanced Collaboration: A well-defined incident response plan encourages collaboration among team members, providing valuable feedback and enabling the organization to reduce the likelihood of future incidents.

Conclusion

A strong security posture is crucial for organizations handling citizen data. By implementing robust cybersecurity measures such as modern EDR solutions and a well-defined IR plan, organisations can have the confidence to protect their systems effectively and ensure the safety of sensitive information.