Cybercriminals today don’t discriminate when choosing their next victims. They no longer exclusively target large enterprises and household-name organizations. Any organization can be a victim, and every organization should be prepared to prevent and respond to an attack.
Protecting your business isn’t a one-time event; it’s an ongoing process that requires careful planning. With the right team and processes in place, your organization can be far better prepared for whatever incident comes its way. In this post, we outline five steps to threat management for any organization, following the five functions of the NIST Cybersecurity Framework, and the questions you should be asking at each step.
Follow the NIST Cybersecurity Framework by Asking the Right Questions
Step 1: Identify
Making sure you can see every nook and cranny of your organization.
- What assets do you have (data, devices, cloud and on-premises infrastructure, software and networks, etc.)?
- What risks and vulnerabilities do the assets carry?
- How are they prioritized (business criticality, data sensitivity, exposure to the internet)?
- What are your specific plans to protect them?
- Have you conducted a comprehensive vulnerability assessment?
Step 2: Protect
Taking a risk-based approach to protecting your organization is an ongoing effort.
- How often do you review identity and access management controls?
- Are your endpoints equipped with up-to-date antivirus or endpoint detection and response (EDR) software?
- Are you creating regular secure backups?
- Is your asset inventory updated at least monthly?
- Are systems and software updated and patched based on vulnerability scan results and as directed by vendors?
Step 3: Detect
Detecting incidents as soon as possible limits the attacker's dwell time and is crucial for a fast recovery.
- Do you have full visibility into data, devices, logs, cloud-based and on-premises system infrastructure, software and networks?
- Are you monitoring for potential threats and incidents across all environments 24/7?
- Do you have staff to maintain and monitor logs that record events like changes to systems or accounts?
- Do you have security tooling in place, such as a SIEM, to aggregate logs and flag deviations from normal behavior?
- Do you test and fine-tune your detection mechanisms regularly?
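The detection questions above ask whether your logs record account changes and whether your tooling flags deviations from normal behavior. The following is an added example, not code from the original post and not any vendor's SIEM logic: a small Python detector that builds a per-user baseline of known login sources from a "normal" week, then checks new events for logins from unseen addresses, off-hours logins, failed-login bursts and account modifications. The key=value log format, the sample log lines, the 07:00-19:59 UTC working window and the five-failures-in-60-seconds threshold are all constructed for the illustration.

```python
"""Minimal SIEM-style deviation detection over authentication logs.

Added example, not from the original post. The log format is invented:
one event per line, an ISO-8601 UTC timestamp followed by key=value fields.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed baseline: a week of "normal" successful logins.
BASELINE_LOGS = """\
2024-03-04T09:12:01Z event=login user=alice src=10.0.0.12 result=success
2024-03-04T09:40:22Z event=login user=bob src=10.0.0.33 result=success
2024-03-05T08:55:10Z event=login user=alice src=10.0.0.12 result=success
2024-03-05T17:05:43Z event=login user=bob src=10.0.0.33 result=success
2024-03-06T10:02:09Z event=login user=alice src=10.0.0.14 result=success
""".splitlines()

# Constructed new activity to evaluate against that baseline.
NEW_LOGS = """\
2024-03-11T09:03:11Z event=login user=alice src=10.0.0.12 result=success
2024-03-11T02:17:45Z event=login user=bob src=203.0.113.7 result=success
2024-03-11T02:19:02Z event=account_change user=bob action=group_add group=sudo
2024-03-11T13:00:01Z event=login user=carol src=10.0.0.50 result=failure
2024-03-11T13:00:02Z event=login user=carol src=10.0.0.50 result=failure
2024-03-11T13:00:03Z event=login user=carol src=10.0.0.50 result=failure
2024-03-11T13:00:04Z event=login user=carol src=10.0.0.50 result=failure
2024-03-11T13:00:05Z event=login user=carol src=10.0.0.50 result=failure
2024-03-11T13:00:06Z event=login user=carol src=10.0.0.50 result=success
""".splitlines()

WORK_HOURS = range(7, 20)   # assumption: 07:00-19:59 UTC is normal activity
FAILURE_BURST = 5           # assumption: this many failures...
BURST_WINDOW = 60           # ...within this many seconds is a brute-force signal


def parse(line):
    """Turn one log line into a dict with a timezone-aware 'ts' field."""
    ts, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def build_baseline(lines):
    """Map each user to the set of source addresses they normally log in from."""
    seen = defaultdict(set)
    for ev in map(parse, lines):
        if ev.get("event") == "login" and ev.get("result") == "success":
            seen[ev["user"]].add(ev["src"])
    return seen


def _prune(window, now):
    """Drop failure timestamps older than BURST_WINDOW seconds."""
    while window and (now - window[0]).total_seconds() > BURST_WINDOW:
        window.pop(0)


def detect(lines, baseline):
    """Return (alert_type, user, detail) tuples for events that deviate from baseline."""
    alerts = []
    failures = defaultdict(list)          # (user, src) -> recent failure timestamps
    for ev in map(parse, lines):
        kind = ev.get("event")
        if kind == "login":
            key = (ev["user"], ev["src"])
            if ev["result"] == "failure":
                window = failures[key]
                window.append(ev["ts"])
                _prune(window, ev["ts"])
                if len(window) == FAILURE_BURST:   # fire once when the threshold is reached
                    alerts.append(("failure_burst", ev["user"], ev["src"]))
                continue
            # Successful login: compare against what is normal for this user.
            if ev["src"] not in baseline.get(ev["user"], set()):
                alerts.append(("new_source", ev["user"], ev["src"]))
            if ev["ts"].hour not in WORK_HOURS:
                alerts.append(("off_hours", ev["user"], ev["src"]))
            _prune(failures[key], ev["ts"])
            if len(failures[key]) >= FAILURE_BURST:   # success right after a burst
                alerts.append(("success_after_failures", ev["user"], ev["src"]))
        elif kind == "account_change":
            # Any privilege or group change is worth a human look.
            alerts.append(("account_change", ev["user"], ev.get("action", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

Running this on the constructed data flags bob's 02:17 login from an unknown address, his off-hours activity and the group change that follows it, and carol's five-failures-then-success sequence, while alice's routine login stays quiet. A real SIEM rule does the same thing at scale; the point of "fine-tuning" in the last question above is adjusting thresholds like these until alerts are rare enough to act on.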
Step 4: Respond
Responding from a prepared plan lets you contain and eradicate the intrusion quickly.
- Have you contained the threat by isolating the affected systems, networks, servers, databases and devices to prevent further spread across your network (preferring network isolation over powering off where possible, so volatile evidence such as memory is not lost)?
- Are you preserving evidence while it’s available, including logs, memory dumps, audit records, network captures and disk images?
- Did you close the entry point and remove any persistence the attacker established, so they cannot regain access?
- Have you determined if any sensitive information has been breached or any data loss has occurred?
- Have you engaged with your legal team to examine any compliance or regulatory risks to determine potential violations?
Step 5: Recover
Recovering begins almost immediately after the incident happens and could overlap with your response.
- Have you collected all necessary forensic evidence?
- Are systems fully restored to normal operations?
- Did you restore system images, restore data from known-good backups, and rotate compromised credentials such as passwords, keys and tokens?
- Have you conducted a post-incident analysis and reporting with evidence from the incident?
- Have you captured lessons learned to reduce the risk of a future incident?
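Both the Respond question about preserving evidence and the Recover question about having collected all necessary forensic evidence depend on one practice: recording a cryptographic digest of every artifact at collection time, so that later analysis (and later legal review) can show the copies were not altered. The block below is an added example, not code from the original post; it writes a JSON manifest of SHA-256 digests, sizes and collector identity, then verifies the artifacts against it. The case identifier, collector address, file names and file contents in `demo()` are constructed for the illustration.

```python
"""Evidence manifest with SHA-256 digests (added example, not from the post).

build_manifest() records a digest, size and collection time for each artifact;
verify_manifest() later reports anything missing, resized or altered.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # hash in 1 MiB chunks so a disk image never sits wholly in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record who collected which artifacts, when, and what they hashed to."""
    artifacts = {}
    for path in paths:
        artifacts[path] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": artifacts,
    }


def verify_manifest(manifest):
    """Return (path, problem) pairs; an empty list means every artifact is intact."""
    problems = []
    for path, record in manifest["artifacts"].items():
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif os.path.getsize(path) != record["size"]:
            problems.append((path, "size_changed"))
        elif sha256_file(path) != record["sha256"]:
            problems.append((path, "hash_mismatch"))
    return problems


def demo():
    """Constructed scenario: collect two artifacts, then tamper with both copies.

    Returns (problems_before_tampering, problems_after_tampering).
    """
    with tempfile.TemporaryDirectory() as workdir:
        auth_log = os.path.join(workdir, "auth.log")
        mem_dump = os.path.join(workdir, "memory.raw")
        with open(auth_log, "w") as fh:   # constructed log content
            fh.write("2024-03-11T02:17:45Z event=login user=bob src=203.0.113.7\n")
        with open(mem_dump, "wb") as fh:  # stand-in for a memory image
            fh.write(os.urandom(4096))

        # Hypothetical case id and collector identity.
        manifest = build_manifest([auth_log, mem_dump], "analyst@example.org", "IR-2024-0311")
        manifest_path = os.path.join(workdir, "manifest.json")
        with open(manifest_path, "w") as fh:
            json.dump(manifest, fh, indent=2)

        # Verify from the serialized copy, as a later reviewer would.
        with open(manifest_path) as fh:
            reloaded = json.load(fh)
        before = verify_manifest(reloaded)

        # Same byte length, different content: size alone would not catch this.
        with open(auth_log, "w") as fh:
            fh.write("2024-03-11T02:17:45Z event=login user=bob src=10.0.0.3300\n")
        os.remove(mem_dump)
        after = verify_manifest(reloaded)
        return before, after


if __name__ == "__main__":
    intact, tampered = demo()
    print("before tampering:", intact)
    print("after tampering: ", tampered)
```

The manifest only proves integrity if it is itself protected: store it write-once or off the compromised host, and record its own digest in the incident ticket, so the chain of custody does not rest on a file an attacker could edit alongside the evidence.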
A practical threat management strategy is not optional. Cybercriminals are creative, opportunistic and motivated, and they will do whatever they can to find their next victim. Your best bet is to be prepared with a strong cybersecurity foundation.