Having been in the IT security industry and incident response for over 15 years, I have seen my fair share of security breaches, and I’ve experienced firsthand the effect these events can have on individuals and businesses. Damaged careers and brand reputations, as well as the high costs of dealing with the incidents, can be staggering to any business.

With security incidents continuing to increase in number and complexity and the cost of a data breach reaching a record high in 2015, it is no wonder that many security professionals lie awake at night wondering if they have the right strategy in place to protect their business.

It has become obvious that having a security compliance program with the latest security technology in place is just not enough. It is no longer a matter of if an organization will experience a security incident of some kind, but when. Given that it is more likely to happen, organizations should focus on incorporating into their security program proactive incident response strategies that will reduce the overall impact of an incident.

Here are three ways IBM X-Force Incident Response can help an organization to be better prepared for the inevitable.

1. How Can My Organization Reduce the Risk for the Inevitable Security Incident?

Research has shown that an organization that assumes the mentality that security incidents will occur and works to prepare for those events will deal with the incidents more effectively. This will lead to a reduction in organizational churn and the associated costs of dealing with a security incident. In other words, “Chance favors the prepared mind.”

A well-thought-out incident response plan that has been tested and reviewed with key stakeholders is a critical part of this preparation. Having the appropriate incident response expertise on board is also an important factor. But time and budget, or hiring the right skills in a depleted market, can make this difficult and may feel like a daunting task to conquer on your own. However, IBM X-Force Incident Response can help you reduce the overall impact and risk for your organization with industry-leading incident response expertise.

IBM X-Force assigns professionals to work with you proactively in your incident response program. Our experts will:

  • Be available to you 24/7 to lend forensic and case management expertise in the event of a security incident, with boots-on-the-ground support within 48 hours of your incident declaration;
  • Review your incident response plan and assist with any needed refinement or develop an industry best practices approach from scratch that is tailored to your organization and needs;
  • Coordinate incident response training and tabletop test exercises with your organization to ensure your plan is working as anticipated while at the same time increasing security awareness; and
  • Provide proactive intelligence from X-Force research and threat intelligence teams to help you prepare for and avoid potential attack trends.

So how exactly does all that help? Here is an example of a recent client that purchased our service a year ago and was struggling with the challenges of managing incident response for a large global footprint with a small corporate security staff. We began our partnership by developing a custom security incident response plan that defined roles within the organization, helped meet required compliance and regulatory needs and defined severity levels outlining when various organizational elements needed to be involved.

The plan was approved and then tested with key stakeholders to ensure it would work as designed. Education was then provided and the plan implemented. With the plan in place, the client had IBM X-Force Incident Response on board for assistance when security incidents occurred.

This client had to handle several incidents over the past year. In each case, the time to reach containment was cut in half, and the time to provide analysis and recommendations to the client’s C-level also decreased.

Overall, organizational churn and costs have been reduced as incidents are handled efficiently with the appropriate level of expertise. All of this was accomplished at a much lower cost than if the client had taken on the project alone and staffed its own forensics expertise.

2. Am I Already Breached or Infected and Just Don’t Know It?

In today’s world of incident response, being prepared is good but not good enough. Sometimes you have to go on the offensive. In other words, incident response is no longer just about reacting to security events; it’s about proactively reducing an organization’s risk.

Many security professionals and CISOs lie awake at night wondering if the policies and technologies implemented in their defensive plan are truly working. A question often heard is: “Am I already breached or infected and just don’t know it?” IBM’s X-Force Incident Response team can help answer that question.

With our experience and in-depth knowledge of security intelligence and attack vectors, we work with clients to deploy forensics expertise that proactively searches their IT environment for any undetected malicious activity. Anything outside the norm is quickly identified and eradicated before it can become a larger problem.

IBM X-Force Incident Response has done many of these assessments with clients over the past couple of years. In most cases, malware and other malicious activity has been discovered and dealt with. At the very least, clients received a list of actions they can take to shore up their environment and better prevent future attacks.

Other clients take advantage of our capability to proactively review the network of any newly acquired entities before proceeding with integration into a corporate network. This allows the client to ensure anything malicious that already exists is removed and the environment hardened prior to integration. Considering we have seen many large breach cases start with an insecure acquisition being tied to the home network, this gives the client a proactive and secure approach to network integration.

3. I’ve Paid a Lot of Money to Implement the Latest Security Technology — How Do I Know It’s Alerting My Team Appropriately and Not Missing Anything?

Implementing a new security technology and trusting that it works as advertised assumes a large risk for your organization. Testing of the implementation and making adjustments should be done regularly.

IBM’s X-Force Incident Response team can also assist with this. By combining incident response expertise with penetration testing and security information and event management (SIEM) consulting expertise, we can plan and conduct real-life testing exercises designed to test your implementation against the latest threats. We then work with you to fine-tune your SIEM implementation to reduce the noise and increase alerting on the things that matter.

At the end of the day, success in reducing the risk and costs for your organization when dealing with security events depends on the proactive approach your organization takes with its own incident response strategy. Partnering with IBM X-Force Incident Response can ensure you have:

  • A well-developed and tested incident response plan;
  • A staff trained for better handling of security incidents;
  • 24/7 access to forensics and incident response expertise;
  • An environment proactively searched for existing malicious activity that can be immediately removed before becoming a larger problem; and
  • Regular testing of SIEM implementation to ensure you are getting the level of protection you invested in.

IBM X-Force Incident Response is a winning relationship for any security leader looking to be proactive. Professionals can rest easy knowing they have a full partner in their incident response.
