Why your cybersecurity services provider must do this
Most managed detection and response (MDR) or managed security service providers (MSSPs) claim to perform “response” services when a cybersecurity incident is identified. In practice, their response typically consists of providing remediation steps or guidance that you, the customer, will need to carry out yourself. That’s a problem. Not performing response activities places the burden on you during those crucial minutes and hours to understand the situation and react fast enough to mitigate the incident. For the vast majority of organizations, that’s simply not a tenable situation.
There’s often confusion about what comprises response. The NIST Cybersecurity Framework (CSF) defines the response function as to “develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain and mitigate the impact of a potential cybersecurity event.”
Pretty straightforward, I’d submit.
For this reason, if you’re going to minimize the potential damage from a cyberattack, your security provider needs to perform both containment and mitigation activities, not just provide guidance. After all, there’s little point in detecting threats if they are not responded to as swiftly as possible.
Moreover, once an incident is confirmed, customers cannot afford to lose time going back and forth with their cybersecurity services provider, especially outside of business hours. That turns incident response into a game of ping-pong between your security/IT teams and the provider.
How should you assess your cybersecurity services provider to ensure it’ll meet your needs for response activities?
Criterion # 1: Incident Response Approach
Ask cybersecurity service providers to walk you through their incident response approach and check whether it’s consistent with industry or de facto best practices.
For example, at CyberMSI we have adopted the US Air Force’s OODA (Observe, Orient, Decide, Act) Loop framework to define the specific activities our teams perform to contain and mitigate threats as a first-level response on behalf of our customers. Additionally, we’ve automated several of the response activities, such as quarantining suspected phishing emails or suspending user accounts, using Microsoft’s security automation capabilities, which significantly cuts down response time.
Criterion # 2: Incident Response Checklists
Ask cybersecurity service providers to walk you through their incident response checklists for the various aspects of incident management. Having comprehensive checklists doesn’t by itself mean that a provider has robust operational capabilities, but you should consider it a red flag if the checklists are materially insufficient.
We review and adjust the following five checklists with our customers on an ongoing basis:
- Incident record based on classification, type of endpoints, operating systems, and business impact within customer’s environment.
- Forensics/investigations package to collect system configuration, network, and intrusion detection logs from the affected assets.
- First-level response activities to contain and mitigate incidents, including any automated actions.
- Communications criteria to engage relevant stakeholders based on the classification and severity of the incident.
- “Lessons learned” to review the vulnerabilities that were exploited and/or the controls that failed, in order to develop recommended steps for improving the customer’s cybersecurity posture.
Criterion # 3: Incident Response Metrics
Ask cybersecurity service providers to review the metrics they use for managing incident response. At CyberMSI, like other providers, we track the elapsed time for our detection and response activities, but we don’t set quotas on those times, since quotas tend to drive unintended behaviors. Additionally, we track incident recurrence and reopen rates so that we can follow performance trendlines on a rolling basis and identify ways to continually improve our operational procedures.
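As an added illustration of the metrics described above (this is example code written for this article, not CyberMSI’s own tooling), the following script computes median time-to-detect and time-to-contain, a recurrence rate, and a reopen rate from a list of incident records, bucketed into rolling seven-day windows. The incident records, the 30-day recurrence window, and the field names on `Incident` are all assumptions chosen for the example; a real provider would pull these from its ticketing or SIEM platform.

```python
"""Incident response metrics on a rolling basis.

Added example (not CyberMSI's or any vendor's code). All incident data
below is constructed; the 30-day recurrence window is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Incident:
    incident_id: str
    asset: str              # affected endpoint or account (assumed field)
    category: str           # e.g. "phishing", "malware", "credential-abuse"
    first_event: datetime   # earliest evidence of the activity in telemetry
    detected: datetime      # alert raised and triaged
    contained: datetime     # first containment action (quarantine, suspend)
    closed: datetime
    reopened: bool = False  # set when a closed ticket had to be reopened


# A repeat of the same (asset, category) within this long after the earlier
# incident was closed is treated as a recurrence (assumed threshold).
RECURRENCE_WINDOW = timedelta(days=30)


def elapsed_minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def detection_and_containment_times(incidents):
    """Median time-to-detect (first_event -> detected) and time-to-contain
    (detected -> contained) in minutes. Medians are used so one slow
    outlier does not swing the trendline the way a mean would."""
    ttd = [elapsed_minutes(i.first_event, i.detected) for i in incidents]
    ttc = [elapsed_minutes(i.detected, i.contained) for i in incidents]
    return (median(ttd) if ttd else 0.0, median(ttc) if ttc else 0.0)


def recurring_incident_ids(incidents):
    """IDs of incidents that repeat an earlier incident's (asset, category)
    within RECURRENCE_WINDOW after that earlier incident was closed.
    A recurrence usually means the threat was contained but not mitigated."""
    last_closed = {}
    recurring = set()
    for inc in sorted(incidents, key=lambda i: i.detected):
        key = (inc.asset, inc.category)
        prev = last_closed.get(key)
        if prev is not None and prev <= inc.detected <= prev + RECURRENCE_WINDOW:
            recurring.add(inc.incident_id)
        last_closed[key] = max(prev, inc.closed) if prev is not None else inc.closed
    return recurring


def rolling_metrics(incidents, window=timedelta(days=7)):
    """One row of metrics per window, keyed on detection time, oldest first.
    Recurrence is judged against the full history, then counted per window."""
    if not incidents:
        return []
    recurring = recurring_incident_ids(incidents)
    start = min(i.detected for i in incidents)
    end = max(i.detected for i in incidents)
    rows = []
    while start <= end:
        bucket = [i for i in incidents if start <= i.detected < start + window]
        if bucket:
            ttd, ttc = detection_and_containment_times(bucket)
            rows.append({
                "window_start": start.date().isoformat(),
                "incidents": len(bucket),
                "median_ttd_min": ttd,
                "median_ttc_min": ttc,
                "recurrence_rate": sum(i.incident_id in recurring for i in bucket) / len(bucket),
                "reopen_rate": sum(i.reopened for i in bucket) / len(bucket),
            })
        start += window
    return rows


# ---- constructed sample data -------------------------------------------
_T0 = datetime(2024, 3, 4, 9, 0)  # arbitrary anchor for the sample records


def _inc(iid, asset, cat, day, hour, ttd_min, ttc_min, close_hours, reopened=False):
    first = _T0 + timedelta(days=day, hours=hour)
    det = first + timedelta(minutes=ttd_min)
    con = det + timedelta(minutes=ttc_min)
    return Incident(iid, asset, cat, first, det, con, det + timedelta(hours=close_hours), reopened)


SAMPLE_INCIDENTS = [
    _inc("INC-001", "ws-101", "phishing", 0, 1, 12, 5, 4),
    _inc("INC-002", "user-jdoe", "credential-abuse", 1, 3, 45, 20, 8, reopened=True),
    _inc("INC-003", "ws-102", "malware", 3, 2, 30, 15, 6),
    _inc("INC-004", "ws-101", "phishing", 8, 4, 10, 4, 3),   # same asset/category as INC-001
    _inc("INC-005", "srv-db01", "malware", 9, 5, 120, 60, 24),
    _inc("INC-006", "ws-103", "phishing", 11, 6, 8, 3, 2),
]

if __name__ == "__main__":
    for row in rolling_metrics(SAMPLE_INCIDENTS):
        print(row)
```

With the constructed data, the second week shows a faster median containment but a non-zero recurrence rate (INC-004 repeats INC-001 on the same workstation), which is exactly the signal that distinguishes “we contained it” from “we mitigated it”.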
In closing, I leave you with three questions to consider as you assess your cybersecurity services provider:
- Is your cybersecurity services provider performing containment and mitigation steps in addition to providing remediation guidance?
- Are these response activities meeting your business and operational needs?
- Do you regularly review metrics that enable both you and the cybersecurity services provider to objectively measure the effectiveness of the overall detection and response capability?