Over the years, the powers that be in our industry have codified and defined the steps required to prepare for and recover from a cybersecurity incident. We call it the “Incident Response Lifecycle.” Heavyweights like NIST and SANS have weighed in with their particular spin on the necessary strategies and tactics, with the goal of improving the speed and quality of the response.

The steps vary slightly depending on what you read, but we’ll paraphrase them here:

1. Preparation (which includes Prevention)
2. Detection/Analysis/Identification
3. Containment
4. Eradication
5. Recovery
6. Analysis: What did we learn from all this?

Each of these steps imply both technical and organizational components: Technical, as in firewalls, IPSes, endpoint security, network segmentation, etc. Organizational, as in who’s responsible for what, do we have the proper procedures in place, running tabletop exercises, and the like.

For this blog, we’ll simplify these steps even further into “Before,” “During,” and “After,” and take a look at how Nomic’s Outpost, Insight, and Support team bolster your incident response capability each step of the way.

Before

As NIST states, “Preventing problems is often less costly and more effective than reacting to them after they occur.”

Outpost sits outside your firewall at the edge of your network, hiding your network from malicious traffic and reducing the firewall’s workload by up to 70%. From its unique vantage point, it defends against bad actors with:

• Network Cloaking With our unique blocking methodology, Outpost can make your public attack surface entirely ‘disappear’ to outside attackers. With nothing for them to exploit, there’s nothing to do but move on to the next target. Nothing to see here.
• Dynamic Blocking Outpost autonomously spots malicious traffic in real time. Using a combination of traditional Deep Packet Inspection, Rogue Packet Detection, and a curated Threat Intelligence Gateway, it prevents scans, brute force attacks, and continuous reconaissance.

Insight compliments the Outpost with a comprehensive view of network traffic from the inside-out. Providing context to events and alerts from an internal perspective, Insight helps you track down a compromised machine before it causes any serious harm. And, with its Flow collection and search capability, the Insight Flow archive can help you determine if a network security policy decision will have a net-negative impact on your users – saving you any future headaches.

Meanwhile, our Support team is always there to answer any questions, assist with troubleshooting or help with any compliance or implementation needs.

During

Whether it’s seemingly innocuous adware, or a ransomware attack that threatens to take down the entire network, Nomic’s suite of security tools and Support team stand ready to help you defend your organization in real-time.

Outpost provides a last line of defense outbound when a compromised internal host beacons out to a command and control server, or a user attempts to communicate with a known malicious resource. It cuts off C2 communications with bad actors and dynamically prevents outbound responses to phishing attempts, ransomware, malware, and spyware otherwise missed by the firewall and EDR, SIEM, or SOAR tools.

Insight Flows provide extra context for those critical alerts, and leverage ML/AI-based Signals to notify you of any anomalous behavior that warrants a closer look.

And, most importantly, you’re not alone. Our Support team reaches out proactively when we identify critical alerts on your network, and they’re available 24/7 to provide the context you need to understand what’s happening: Sometimes it’s just a false positive, and other times there’s work to do … and we’re with you every step of the way.

After

The response “after” an incident could be anything from simply removing a spyware app from a user’s browser, to a post mortem analysis and cleanup of a significant breach.

In any case, we need to know what happened. Insight’s Flows are enriched with additional data to help your team quickly piece together the full narrative, from the external hosts involved – and their reputations – to the application protocols utilized by the affected endpoints.

Support is there after an incident, too – real people you can talk to that provide additional logs from behind the scenes and customized rules and signals to plug the vulnerable holes.

Conclusion

Incident response doesn’t start when you receive an alert notification, and doesn’t stop when you think you have the threat contained. A holistic Incident Response Lifecycle approach is needed to create an environment that can not only sustain the blow of a few attacks but can systematically prevent more successful intrusions as time goes on.

Nomic’s suite of tools help your organization to improve your security posture in the future, and our autonomous threat defense ensures you are safe in the here and now. Together, Outpost, Insight, and our expert-driven Support Team have created an approach that can carry organizations from prevention to detection and resolution again and again, and with better results each time.