Chief information security officers (CISOs) understand the importance of having an incident response plan in place to help decrease the impact of a cyberattack. That’s because despite increased awareness and evolving security technology and practices, cyber threats continue to grow in both volume and sophistication.
Microsoft security researchers have seen a 130.4% increase in organizations that have encountered ransomware over the past year. Microsoft Threat Intelligence tracks more than 300 unique threat actors, including 160 nation-state actors and 50 ransomware groups.
“As we look at a big rise specifically in social engineering attacks, we are seeing threat actors going after parts of the organization that weren’t as targeted in the past,” says David Ames, Principal and Cyber Strategy and Transformation leader in the Cybersecurity, Risk & Regulatory practice at PwC US. “That complexity is bringing new teams like the help desk or call center to the forefront of IR, which is keeping us on our toes.”
Beyond the critical step of getting systems back online after an attack, it’s equally vital to help identify and eradicate the cause of the attack.
“You can’t just reconstitute an environment from a backup,” says Mark Ray, Principal and US incident response leader in the Cybersecurity, Risk & Regulatory practice at PwC US. “There should be proper threat hunting. Once threat actors are in the door, they are entrenched very deeply and it’s hard to get them out. But we aim to have them evicted from the environment before you can even start thinking about bringing systems back online securely. Otherwise, the threat can still exist.”
The ability to identify and root out threats should be addressed well before an attack as part of a holistic IR plan. It begins with gaining visibility across the IT ecosystem, across on-premises systems and cloud services, which can be difficult to achieve given the pace of digital transformation. Company mergers or acquisitions can further complicate the IT landscape, introducing more vulnerabilities.
“A lack of understanding of an environment’s architecture can be a significant challenge,” says Jason Lopez, Director of the Detection and Response Team at Microsoft. “With better visibility, you can approach an incident as it’s happening, understand the risks across every pillar, and guide the business on the best decisions to make.”
To help organizations create a more holistic approach to IR, PwC and Microsoft recently announced a collaboration that extends their joint incident response and recovery capabilities. The collaboration focuses on three main areas:
- Faster and more effective response: When a customer experiences a security incident, Microsoft and PwC can mobilize a team of specialists to help contain the cyberthreat, investigate the root cause, and get the client’s systems back up and running quickly.
- Holistic response: The collaboration enables a holistic response to incidents. Microsoft can focus on the technical aspects of the incident, such as helping evict the bad actor and restoring systems, while PwC can focus on the business and risk management aspects, such as developing a recovery plan and communicating with stakeholders.
- Improved security posture: Lessons learned from IR engagements are used to improve Microsoft’s solutions and the security posture of its customers. Microsoft and PwC work together to help identify and mitigate common security vulnerabilities and to develop new security solutions, thus helping reduce the risk of future incidents.
For more information on the challenges of modern incident response and how Microsoft and PwC work together to help streamline response and recovery efforts, watch the webcast featuring PwC’s David Ames and Mark Ray and Microsoft’s Jason Lopez.