
Incident Response: Are You Ready?

© 2018 Cisco and/or its affiliates. All rights reserved.


What’s inside

Feeling secure about network security

Why do I need an incident response plan?

What are the components of a strong incident response plan?

How can Cisco help?

Success stories

Additional resources


Feeling secure about network security

Do you know what your employees are doing on your network? Do you know about the latest ransomware attack your security team is battling? How about your business partners? Are they secure?

With all of these questions swirling around in your head, it’s hard to feel secure about network security. But there is one thing that could help: a solid plan.

Perhaps you’re aware that your organization should have a formal incident response plan. Or maybe you already have one. But are you completely clear on all the components that should make up such a plan? Or what to do when things go wrong? Or how to get help when you need it?

Over the next few pages, we’ll provide you with some insight to help you build and strengthen your organization’s incident response plan.


Why do I need a plan?

First, take a look at this video to learn why a strong incident response strategy is essential.


Pretty scary, right? Even scarier is the fact that it takes the average organization 100 to 200 days to discover a security incident.[1] And due to resource constraints, nearly half of these incidents (44 percent) are never even investigated.[2]

[1] Cisco 2016 Annual Cybersecurity Report
[2] Cisco 2017 Annual Cybersecurity Report


What are the components of a strong incident response plan?

Threat detection

The first step in responding to threats is, of course, detecting them. For this monumental task, you’ll want both brainpower and technology on your side. Make sure your security team is up to date on the latest threats, and knows what to look for on the network. Of course, humans have to sleep, so you’ll need 24-hour security monitoring and analytics tools to help them protect the network. And don’t forget employee education. Empower your users to recognize when something isn’t quite right, and consider them an extension of your security team. When it comes to a security incident, readiness is just as important as response.

Triage and containment

When you have the inevitable security incident, the triage and containment phase can mean the difference between swift remediation and a noisy, public data breach. Strong security tools are critical in this phase, but they must be accompanied by a sharp team of professionals from across the business, as well as airtight processes. Don’t wait until you have an actual security incident to establish this team and plan. Establish the plan in advance, and once it’s in place, remember that practice makes perfect.


Forensics and analysis

While you’re busy cleaning up an incident, be sure to pay attention to how it happened. This is where security analytics and forensics come into play. To prevent future incidents of the same nature, you need to know the who, what, when, where, why, and how. And once again, it will take the right mix of tools and talent to effectively accomplish this step.

Security improvements

Lastly, be sure to apply what was learned during the incident. While security incidents are very inconvenient and often destructive, they can also provide valuable lessons. Did you discover some weaknesses in your security technologies? Do you need to bring extra help on board to deal with future incidents? Could your incident response processes use some work? If so, make sure you get these things done before the next attack.

Need an easy way to get started with all of this?

Setting up an incident response program

1. Identify an incident response leader who has a solid understanding of your business and your organization’s security strategy and is an effective and responsible problem solver.

2. Assemble and empower a team of critical stakeholders from across the business, with clearly defined roles and responsibilities.

3. Document your incident response process. The key is consistency. It doesn’t have to be complicated. Just make sure it works for your organization’s culture and business requirements.

4. Map your required incident response capabilities to the people, security program, and tools already within your organization.

5. Understand the most significant capability gaps in your incident response process, and build a plan to address them. Start with a minimum viable process, and then enhance it over time.


How can Cisco help?

Technology

Cisco offers a comprehensive portfolio of integrated security solutions to help you detect and remediate incidents faster. If you need to block incidents from happening, or identify potential breaches sooner, check out:

• Cisco Umbrella – It’s your first line of defense, offering web security for wherever your users roam (which they will, to many places).

• Cisco Stealthwatch – Network visibility and security analytics help you finally see what your users are doing in your environment.

• Cisco Threat Grid – Now that you know what your users are doing, find out what your malware is doing. (Yes, unfortunately, you probably have malware.)

• Cisco AMP for Endpoints – Advanced malware security protects your users and machines (when they inevitably come into contact with all that nasty stuff online).

Here’s the best part: Cisco has orchestrated all of these products to work together and form a stronger barrier against attackers. Through integration and automation, you can more confidently protect your network throughout the entire lifecycle of an attack.


Cisco also offers . . .

Threat intelligence

Tools are nothing without intelligence. All of our security products and services are backed by the relentless threat research conducted by the Cisco Talos™ group. In fact, Talos maintains the largest threat detection network in the world.

Professional security services

Need more help? Our advanced security services team is available to help you prepare for, respond to, and recover from security incidents. Our experienced team members have full access to Cisco security technologies to improve visibility and speed, and provide a broader understanding of all the threats in your network. You don’t have to do this alone.


Success stories


Want to know how others have done it? Check out our interactive site to learn how large, world-renowned companies like Yelp, Elavon, and even Cisco have strengthened their defenses with Cisco security.


In the meantime, here are a few quotes to get you started:

The value in using Umbrella is that it’s a great first line of defense against malware and ransomware. We went from seeing several malware incidents a day down to very few.

Vivek Raman, Head of Security, Yelp


Stealthwatch’s greatest asset for my team has been, when no one’s paying attention, Stealthwatch is in the background still watching.

Phil Agcaoili, Chief Information Security Officer, Elavon


AMP has a unique ability to look at not only when a file comes in your network, but everywhere it goes while it’s in your network, and this is critical for incident response success.

Michael Scheck, Computer Security Response Team Manager, Cisco


Additional resources

Experiencing an incident now?

Contact us immediately. We are available globally, 24 hours a day, every day of the year.

Email [email protected]

Security Effectiveness Assessment

Take this short quiz to see how to improve your organization’s security effectiveness.

Strengthening your Data Breach Defense

Learn more about the Cisco Incident Response Retainer Service in this two-minute video.

Incident Response Interactive Site

Can’t get enough of our incident response content? Check out our interactive site for more.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C96-739835-01 01/18