Security spending is heavily weighted towards keeping bad guys out. Media coverage has demonstrated how often they get in anyway. According to the CyberEdge Group, 71% of large enterprises reported at least 1 successful hacking attack in 2014.
While there is extensive advice around the manual steps to take to respond to a malicious attack, there is little in the way of an automated response to an attack. This is important area to extend enterprise automation.
What might a Panic Button for automated response to security incidents look like? Essentially this would be an automated workflow that would implement a set of tasks to eliminate the current attack, identify existing losses and minimize future damage. An example workflow could include:
- Identify compromised systems from intrusion detection tools and disconnect compromised systems from network
- Search for unauthorized processes or applications currently running or set to run on startup and remediate
- Run file integrity checks and restore files to last known good state
- Examine authentication system for unauthorized entries/changes and role back suspect changes
- Make backup copies of breached systems for forensic analysis
- Identify information stolen from OS and database logs
By creating automated “Panic Button” workflows that respond to security incidents, enterprises can reduce the damage of an attack. This automated approach can also show customers that an enterprise is taking full precautions to protect their personal information from falling into the wrong hands.