InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
Preparedness is the key to effectively responding to cyber attacks. Even the best incident response team cannot efficiently handle with an incident without pre-established guidelines. Responding to cyber attacks is a process, not an isolated event, so it is important that IR teams approach each incident in an organised, coordinated fashion. In our blog, learn about key steps in security incident response that are critical to managing the broad spectrum of responses.
In order to successfully respond to security incidents, you need a good plan. Triage is the first step in the process once an incident or false positive is discovered. It is fundamental, because it shortens the time taken to respond to security incidents and ensures that only valid alerts are moved up to 'investigation or incident' status. It also saves analysts unnecessary work.
Each part of the triage process must be carried out urgently, as when you’re in the middle of a crisis, every second counts. The challenge for your triage specialists is that they have to filter huge amounts of information down into a condensed trickle of events. We have put together some starting points for you to speed up the analysis before the data can be validated:
This triage has to be done quickly - so go flat out here. A tool can provide you with valuable services. The SOAR platform from Swimlane can automate the majority of the triage process, including workflow task assignment and data enrichment. This gives your team the context they need to carry out additional analysis. Additional steps in the incident response process can also be automated, such as threat intelligence searches and remediation steps. With SOAR, you can significantly improve the effectiveness of your security operations while reducing risk and increasing threat protection.
A more detailed approach is required when you subsequently review events. It is important to present a solid case that can be accurately assessed by your Security Operations Centre (SOC) or the CSIRT analysts. Here are four important tips when verifying:
Once an event is verified, it becomes an investigation or incident. These then need to be investigated and followed up by your SOC or CSIRT teams as defined in your IR process.
Handling a security incident requires resources and expertise that are immediately available, because it is so important to act quickly and professionally. Attackers won't wait until you are prepared to handle the cyber attack. You can contact the InfoGuard CSIRT round the clock !
If you do not have the resources required within your company, our Incident Response Retainer is the ideal, most effective solution. We prepare for the emergency in a joint onboarding workshop. Should one occur, we can react appropriately in cooperation with you - quickly, competently and with a lot of experience, 24/7. You can find out more about our incident response retainer here: