Commvault Cloud enables CIS-hardened deployment from hyperscaler cloud marketplaces

Posted on: 12 February 2025

Commvault, a leading provider of cyber resilience and data protection solutions for the hybrid cloud, announced today that the Commvault Cloud Platform can be deployed easily from the major cloud marketplaces using CIS-hardened images. These CIS-hardened images are pre-configured with CIS-recommended settings and controls and are available on the following marketplaces: Amazon Web Services (AWS), Microsoft Azure, Google Cloud and VMware.

CIS-hardened images

CIS-hardened images are machine images that are pre-configured to comply with the benchmarks of the Center for Internet Security (CIS). Hardening reduces configuration weaknesses, such as overly permissive network policies, that give malicious actors an opening. Misconfiguration is in fact one of the most common causes of cloud vulnerabilities and, according to the industry research Commvault cites, contributes to 23% of attacks on cloud infrastructure. Commvault's CIS-hardened images are designed to reduce that risk by pre-configuring the deployment to meet strict security benchmarks out of the box, which gives IT and security teams confidence in their starting point. Keep in mind that a hardened image fixes the baseline at deployment time; changes made afterwards still need to be checked against the same benchmark to catch drift.

With today's announcement Commvault continues to deliver on its focus on cyber security, adding these deployment options to its other security certifications such as FedRAMP® High Authorized, ISO 27001:2013, SOC 2 Type II and FIPS 140-2. Customers can use the new CIS-hardened images to configure and deploy Commvault Cloud quickly and with confidence, and benefit from:

  • Out-of-the-box compliance controls: CIS-hardened images give organizations secure, hardened environments from the moment of deployment and give customers confidence that their control plane has been installed and configured using industry-recognized best practices.
  • Improved cyber security: the CIS-hardened images minimize vulnerabilities by addressing common misconfiguration risks, which removes opportunities for attackers to abuse them.
  • Streamlined compliance mapping: CIS benchmarks map to key security frameworks such as NIST CSF, HIPAA, PCI DSS and ISO 27001, which simplifies compliance with complex regulatory requirements.
  • Broad marketplace availability: organizations can deploy Commvault Cloud directly from the AWS, Azure, Google Cloud or VMware marketplaces, enabling fast and secure installations with minimal effort.

Strengthening the cybersecurity ecosystem

The timing of this announcement also coincides with more and more organizations accelerating their move to the cloud. According to IDC, spending on public cloud services is expected to double to 1.6 trillion dollars by 2028. Over the past year Commvault has introduced a range of cloud-first offerings designed to make customers more resilient in the cloud, including Cleanroom Recovery, Cloud Rewind and Clumio Backtrack. The company is now taking cloud resilience a step further with CIS-hardened images for popular cloud marketplaces.

Want to know more about how we can harden your cyber resilience environment on the basis of the CIS standards? Feel free to contact us.

Improved cyber resilience with Commvault and CrowdStrike

Posted on: 10 February 2025

Last week, two of our key vendors strengthened their collaboration further. At OpenSight we are pleased to see integration and consolidation continue to build among the vendors we are committed to.

Commvault and CrowdStrike

Commvault, a leading player in data protection and cyber resilience for hybrid cloud environments, has announced a strategic partnership with CrowdStrike to integrate CrowdStrike's cybersecurity platform, Falcon. The collaboration aims to improve the detection of cyber threats and ensure rapid recovery, so that businesses are better protected against modern cyber attacks.

By combining CrowdStrike's extensive threat intelligence and security telemetry with Commvault's cloud-first capabilities, the integration gives joint customers an additional layer of security through real-time threat insights and faster detection and recovery processes.

Benefits of the integration

  • Proactive threat detection: using CrowdStrike's AI-driven insights and Indicators of Compromise (IOCs), organizations can identify threats early and respond quickly to limit the damage.
  • Faster recovery of clean data: businesses can restore their systems quickly by locating the last known clean version of their data, keeping disruption to a minimum.
  • Seamless collaboration: the integration provides smoother workflows between security operations (SecOps) and IT operations (ITOps) teams, leading to a more effective response to and recovery from threats.
  • Business continuity: by reducing recovery time and downtime, businesses can keep critical services running even during complex cyber attacks.

Strengthening the cybersecurity ecosystem

This partnership with CrowdStrike reflects Commvault's ongoing commitment to expanding its cybersecurity ecosystem. The company actively works with leading security providers to develop comprehensive solutions for detecting, containing and recovering from cyber attacks. By integrating their respective strengths, Commvault and CrowdStrike aim to give businesses a solid defense against cyber threats, allowing them to recover quickly and limit the damage.

Want to know more about this integration? Feel free to contact us.

Webinar ‘Awareness Training’

Posted on: 26 September 2024

What will we be talking about?

The future of information security: why Zero Trust and AI are now essential

Posted on: 19 September 2024

The way we work and do business is changing rapidly. Cloud computing, SaaS solutions, and remote work have become the norm. This has given companies a great deal of flexibility, but it has also introduced new challenges in cybersecurity. Traditional security models, which relied on the idea of a secure perimeter (such as the ‘castle and moat’ model), are no longer adequate in this new world. They simply weren’t designed for today’s distributed IT environments.

Why Zero Trust?

Imagine a company operating like a medieval fortress: thick walls, drawbridges, and watchtowers to keep intruders out. This worked well when all employees worked within the castle walls, with their applications and data safely behind those walls. But now that everyone works from various locations, those walls have essentially become useless. We don’t need a fortress anymore; we need an entirely new way of thinking. This is where Zero Trust comes into play.

What makes Zero Trust so powerful?

  1. Never trust, always verify: Zero Trust is centered around the principle that no one is automatically trusted. Whether someone is inside or outside the network, every access request is verified and the access granted is continuously re-evaluated. This marks a radical shift from the old model, where everyone inside the fortress was considered 'safe'.
  2. Protection against lateral movement: One of the biggest threats today is attackers’ ability to move laterally within a network once they’ve gained access. Zero Trust prevents this by granting users access only to specific applications, rather than the entire network.
  3. Improved user experience: Unlike traditional methods, where traffic was routed back to a data center (causing delays), Zero Trust enhances performance by directing users straight to the apps they need.

The role of AI in modern security

When it comes to cybersecurity, AI is often the secret ingredient that enhances everything. We live in an era where cyber threats are becoming increasingly sophisticated and persistent. The days when a simple firewall was enough are long gone. AI allows us to approach security in an entirely new way.

How AI helps us

  1. Real-time threat detection: AI can analyze vast amounts of data in the blink of an eye and recognize patterns that indicate potential threats. This allows for the identification of attacks before they cause damage.
  2. Security automation: AI enables the automation of routine tasks, such as scanning files and monitoring traffic. This allows security teams to focus on the truly critical issues.
  3. Intelligent decision-making: AI helps in making better, data-driven decisions. By adding context to threat information, security analysts can respond more quickly and accurately.

Practical applications and examples

Take, for example, the pandemic in 2020, which caused a massive shift to remote work. Many companies still relying on traditional security models suddenly faced new vulnerabilities. In this situation, Zero Trust provided a robust solution. By verifying every user and device on every request, instead of trusting them for being on the corporate network, companies were able to protect their systems even while their staff worked from home.

And then there’s AI. In the fight against cybercrime, AI has proven itself indispensable. Imagine a suspicious email landing in your inbox. Traditional filters might miss it, but an AI system, trained on millions of examples of phishing attempts, recognizes the patterns and blocks the email before it can cause any harm.

In short…

The combination of Zero Trust and AI provides companies today with a powerful way to protect themselves against the ever-increasing threats in the digital world. It’s not just about strengthening defenses; it’s about rethinking how we approach security in an era where the boundaries between physical and digital worlds are becoming increasingly blurred. Companies that embrace these technologies will not only be better protected but also better positioned to take advantage of future opportunities.

Key takeaways from the 2024 Threat Hunting Report

Posted on: 19 September 2024

“As a Cyber Security Specialist at OpenSight, I deal with the complex world of cybersecurity daily, where we are engaged in a race with criminals and state actors. As a Cyber Security Specialist, you know that you’ve chosen a profession where continuous learning and development are a must, as your adversaries are also constantly evolving. We often review reports from key players in this field. Recently, I reviewed the CrowdStrike 2024 Threat Hunting Report, and I’d like to share some of my findings and advice with you. This report not only provides insights into the latest trends in cyber threats but also emphasizes the need for a proactive approach to effectively combat these threats. Let’s dive deeper into what this means for you and your organization.”

The cunning of modern attackers

“What stood out to me most while reading this report is the constant evolution of attackers. Cybercriminals’ tactics are becoming increasingly sophisticated and dynamic. Where they once relied on simple, automated attacks, we now see a significant rise in so-called ‘interactive intrusions’. These are attacks where the attacker is actively sitting behind the keyboard in real-time, ready to bypass security measures as they appear.”

“This has significant implications for how we protect our networks. The speed and cunning with which these attackers operate make it essential not only to rely on automated security measures but also to have well-trained personnel capable of detecting and countering these advanced attacks. CrowdStrike’s report highlights the importance of speed in detection and response, which perfectly aligns with my own experiences.”

Cross-Domain Threats: An Increase in Complexity

“Another key insight from the report is the growing threat of cross-domain attacks. These are attacks where various parts of the IT infrastructure are targeted simultaneously, such as identity systems, endpoints, and cloud environments. What makes these attacks particularly dangerous is that they are often difficult to detect because the activities are spread across multiple domains, making them appear less suspicious when considered individually.”

“The challenge here is to see these activities in context and understand how they are related. This requires not only advanced technology, such as CrowdStrike’s AI-driven solutions, but also an in-depth knowledge of the various IT domains and how attackers can exploit them.”

Insider threats: the invisible danger

“The report also sheds light on one of the most insidious threats we face: insider threats. These are threats originating from within the organization, often from employees who, whether intentionally or unintentionally, engage in harmful activities. What I found particularly concerning is the example of FAMOUS CHOLLIMA, a group of attackers who managed to enroll as employees at over 100 companies in the US, gaining access to sensitive information from within.”

“These insiders used their access to install Remote Monitoring and Management (RMM) tools, allowing them to operate remotely and conduct their malicious activities without immediate detection. This highlights the need for stringent access control and continuous monitoring of user activity, even within the organization.”

The solutions: proactive threat hunting and AI

“In my opinion, the key to securing organizations against these complex threats is a combination of proactive threat hunting and the use of AI. As the report indicates, the time an attacker needs to move laterally within a network (the so-called ‘breakout time’) is often just a few minutes. This means there is no time to waste in detecting and responding to an attack.”

“AI can play a crucial role here by analyzing vast amounts of data in real-time and identifying patterns indicative of a threat. CrowdStrike’s Falcon platform is an excellent example of how AI can be used not only to detect attacks but also to automatically respond and prevent further damage. This kind of technology is indispensable in the fight against modern cyber threats.”

My advice for businesses

Based on the findings in the report and my own field experiences, here are some recommendations I would like to offer to businesses looking to enhance their security:

  1. Keep learning and adapting: The world of cybersecurity is constantly changing. Stay informed about the latest trends and techniques, and ensure that your security strategy aligns with them.
  2. Invest in proactive threat hunting: Don’t wait for an attack to occur before taking action. Ensure that you have a team constantly searching for potential threats, both inside and outside the network.
  3. Utilize AI and Machine Learning: Traditional security systems often fall short when it comes to detecting today’s complex attacks. Invest in AI-driven solutions that can recognize patterns and respond quickly to suspicious activities.
  4. Manage access strictly: Insider threats are a serious danger. Ensure you have strict access controls in place and continuously monitor who has access to which systems and data.
  5. Monitor cloud environments closely: With the shift to cloud computing, it is essential to have a clear view of what is happening in your cloud environments. Attackers are increasingly targeting these areas, so make sure your cloud security is robust.

In short…

“The CrowdStrike 2024 Threat Hunting Report provides valuable insights into the modern threat landscape and confirms much of what we already know: threats are becoming more complex, attacks more sophisticated, and response times shorter. As a Cyber Security Specialist, it is clear to me that the future of security lies in a proactive, intelligence-based approach, supported by the power of AI. By combining these approaches, we can ensure that our organizations are not only protected against today’s threats but also prepared for the challenges of tomorrow.”

“Let’s work together towards a safer digital future!”

“Do you have questions or want to learn more about how to better secure your organization? Feel free to reach out via my LinkedIn profile!”

~ Marcel Krommenhoek

Cyber Security Trends for 2024: Why Zero Trust and AI Keep Your Business Safe

Posted on: 12 September 2024

It’s no secret that the world of cybersecurity is constantly evolving. Businesses face new challenges and threats daily, making it essential to stay updated with the latest trends. Two technologies dominating the conversation this year are Zero Trust and Artificial Intelligence (AI). But what do they really mean for your business? Let’s take a closer look at these trends and what they could mean for you.

The transition to Zero Trust

When we talk about Zero Trust, we're not just referring to a new tool or buzzword. It represents a fundamental shift in how we approach security. The traditional model, in which companies relied on perimeter-based security, has had its day. This approach, which was once enough to keep threats out, now falls short in the era of cloud computing and remote work.

Why is Zero Trust so important?

  1. Security for a decentralized world: In an era where employees can work from anywhere at any time, it’s crucial to ensure they have secure access to the resources they need, without the risk of unauthorized access.
  2. Protection against internal threats: Not all threats come from the outside. Sometimes internal actors, whether intentional or not, pose a significant risk. Zero Trust ensures that no one, not even internal users, has access to more than they need.
  3. Flexibility and scalability: As businesses grow and evolve, Zero Trust offers a flexible approach that can easily be adapted to changing business needs.

The impact of AI on security

AI is not just a buzzword in the world of cybersecurity; it’s a game-changer. Traditional security systems are often reactive, meaning they respond only once an attack is already underway. AI changes this by enabling a proactive approach, where threats are detected and neutralized before they can strike.

How does AI make a difference?

  1. Forward-thinking with predictive analytics: AI helps you get ahead of an attack by analyzing patterns in historical and live data and flagging activity that resembles the early stages of an attack, so you can act before it escalates.
  2. Faster response times: When an attack occurs, time is of the essence. AI can respond instantly, neutralize threats, and prevent further damage.
  3. Integration with existing systems: AI does not work in isolation. It is increasingly integrated with existing security systems, creating a seamless defense that is both broad and deep.

What do these trends mean for your business?

For businesses, the integration of Zero Trust and AI brings several tangible benefits. Firstly, it means better protection against today’s increasingly complex threats. But it also means that your company can respond more flexibly to changes in the market and technology.

Take, for example, a company that is rapidly growing and hiring new employees. With a traditional security approach, it could take months to securely onboard everyone onto the right systems. However, with Zero Trust and AI, this process can be much faster and more secure.

Additionally, AI gives you the ability to identify threats that you might otherwise overlook. This means you’re not only protecting your data but also safeguarding your reputation and business continuity.

In short…

Zero Trust and AI are essential tools for businesses that want to survive and thrive in an ever-changing digital world. By embracing these technologies, you can ensure that your company remains secure and is also prepared for the challenges of tomorrow. It’s time to think about the future of your business security and take the necessary steps to secure that future.

The NIST ‘Recover’ Domain – The importance of a good Disaster Recovery Plan

Posted on: 29 August 2024

Last month we had another one of those days: a global outage caused by a bug in software. The error turned out to be so severe that Windows machines went into a blue screen of death (BSOD). So even though CrowdStrike had fixed the issue within 90 minutes and stopped pushing the faulty update, the damage had been done. I sympathise with the IT departments that had to deal with this, as it must have caused massive chaos. This incident, in which a problem with CrowdStrike security software led to computer system failures worldwide, highlights the need for a robust Disaster Recovery (DR) plan. This article discusses the importance of a good DR plan and highlights the essential steps: inventory, plan, test, learn and repeat.

Inventory: understand what you need to protect

The first step in creating an effective DR plan is taking an inventory. This involves making a complete and detailed list of all critical IT assets within your organization.

This includes servers, network equipment, software applications, data storage and even physical locations. Understanding which systems and data are critical to your core processes helps prioritize protection measures, as well as develop a plan.

When taking inventory, it is important to also identify dependencies between systems. This means understanding how different components of your IT infrastructure are connected and how a failure in one system can impact other systems. It’s advisable here to look especially at the organization’s core processes and, from that perspective, determine how to get these processes back up and running when things go wrong.
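Dependency mapping is the part of the inventory that is easiest to skip and most painful to miss, so here is an added example (my own code, not part of the original post) of a small inventory held as a dependency graph. The asset names and their dependencies are constructed for illustration; `blast_radius` answers "what else stops working when this asset fails?", and `recovery_order` gives the order in which to bring assets back so nothing is restored before what it depends on. A cycle in the inventory is reported as an error, because a mutual dependency means the plan needs a manual bootstrap step.

```python
"""Dependency-aware DR inventory: blast radius and recovery order.

Added example for the 'Inventory' step; not code from the OpenSight post.
The assets and dependencies below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed inventory: asset -> list of assets it depends on.
# "order-process" stands in for a core business process built on IT assets.
INVENTORY = {
    "dns": [],
    "active-directory": ["dns"],
    "san-storage": [],
    "db-cluster": ["san-storage", "dns"],
    "erp-app": ["db-cluster", "active-directory"],
    "webshop": ["db-cluster", "active-directory"],
    "order-process": ["erp-app", "webshop"],
}


def dependents(inventory):
    """Invert the graph: asset -> assets that directly depend on it."""
    rev = defaultdict(list)
    for asset, deps in inventory.items():
        for dep in deps:
            rev[dep].append(asset)
    return rev


def blast_radius(inventory, failed):
    """Every asset that stops working, transitively, when `failed` goes down."""
    rev = dependents(inventory)
    affected, queue = set(), deque([failed])
    while queue:
        asset = queue.popleft()
        for child in rev.get(asset, []):
            if child not in affected:
                affected.add(child)
                queue.append(child)
    return affected


def recovery_order(inventory, targets):
    """Restore order for `targets`: dependencies first (depth-first topological sort).

    Raises ValueError on a dependency cycle, which a DR plan must resolve
    by hand (e.g. a documented bootstrap sequence) rather than silently.
    """
    order, state = [], {}

    def visit(asset):
        if state.get(asset) == "done":
            return
        if state.get(asset) == "visiting":
            raise ValueError(f"dependency cycle at {asset}")
        state[asset] = "visiting"
        for dep in inventory.get(asset, []):
            visit(dep)
        state[asset] = "done"
        order.append(asset)

    for target in targets:
        visit(target)
    return order


if __name__ == "__main__":
    for asset in ("dns", "san-storage"):
        print(f"{asset} down -> also down: {sorted(blast_radius(INVENTORY, asset))}")
    print("restore order for order-process:", recovery_order(INVENTORY, ["order-process"]))
```

Running it shows that a DNS failure takes the whole order process with it, while the recovery order puts storage and DNS first, then the database cluster and directory, and only then the applications that the core process needs.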

Plan: develop a strategic DR plan

With a thorough inventory, you can move on to the planning phase. A strategic DR plan should include clear procedures for different disaster scenarios, such as natural disasters, cyber attacks, hardware failures and human error. It is essential to assign specific responsibilities to team members and ensure that everyone knows what is expected of them in case of an emergency.

A good DR plan also includes a communication plan. This plan should describe how to communicate internally and externally during and after a disaster. The CrowdStrike incident highlights the importance of transparent communication to prevent panic and keep customers and partners informed of the recovery measures taken.

Test: ensure regular exercises

A DR plan is only as effective as the testing you do. Regular tests are crucial to verify that your plan works in practice. This can range from tabletop exercises, where you theoretically walk through disaster scenarios, to full-scale tests where you assess the operation of your DR plan in a realistic situation.

Testing your DR plan helps identify weaknesses and potential bottlenecks. By uncovering these problems before a real disaster strikes, you can ensure that your plan remains up-to-date and effective.

Learn: draw lessons from every incident

After every test or actual disaster, it’s important to carry out an evaluation and learn from the experience. This process includes analyzing what went well, what did not go well and what improvements can be made. Learning from incidents and tests helps to continuously improve and adapt your DR plan to new threats and technologies.

Repeat: continuous improvement and updating

Developing a DR plan is not a one-off task. It is an ongoing process that needs to be repeated and updated regularly. Technologies evolve, new threats emerge and business needs change. By regularly reviewing and updating your DR plan, you can ensure that you are always prepared for the latest challenges.

The CrowdStrike incident highlights how vulnerable even the most sophisticated IT systems can be and how important it is to have a robust and up-to-date DR plan. By taking inventory, planning, testing, learning and repeating, you can minimize the impact of disasters and ensure the continuity of your business processes. The IT chain is only as strong as its weakest link!

Of course, it is worth keeping in mind that despite CrowdStrike causing this catastrophic incident, they have still prevented more downtime for customers than they caused.

OpenSight Back To School Series

During the OpenSight Back To School Series, we publish weekly blogs diving deeper into the five NIST Security Domains:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

By implementing the measures associated with these domains, you can reduce the likelihood of cyber attacks and the impact of potential incidents.

The NIST ‘Respond’ Domain – learning to respond effectively

Posted on: 27 August 2024

In the world of cybersecurity, it’s crucial not only to know how to prevent an attack but also how to respond effectively when something does go wrong. The NIST (National Institute of Standards and Technology) Cybersecurity Framework offers a structured approach for organizations to enhance their cybersecurity. One of the key components of this framework is the ‘Respond’ domain. In this blog, we discuss the main aspects of this domain, including Response Planning, the 24/7 Security Operations Center (SOC), Cyber Security Incident Response Team (CSIRT), Security Orchestration, Automation, and Response (SOAR), and Incident Management Tools.

Response Planning: expecting the unexpected

In our previous NIST blogs, the topic of Response Planning frequently came up as a suggestion for implementation. In this blog, we'll dive deeper into what Response Planning actually entails and why it is so important. Response planning is the backbone of an effective response strategy. It involves developing and implementing a plan with procedures and protocols that ensure every team member knows what to do in the event of an incident. This reduces panic when something does go wrong.

How can you effectively apply Response Planning in your organization?

  • Develop a Dynamic Plan: Ensure that your response plan is flexible enough to accommodate changes when new threats or technologies emerge. This means regular updates and reviews.
  • Train Your Team: Practice makes perfect! Regular drills and simulations of incidents ensure that everyone on the team knows their role during a real incident.
  • Communication is key: Have a clear communication plan that describes how information will be shared during an incident, both internally and externally.

24/7 SOC: The digital night watch

A Security Operations Center (SOC) is a central unit or team within an organization responsible for monitoring, detecting, and responding to security incidents around the clock. They keep an eye on everything that’s happening and if something suspicious comes up, they are quick to respond.

How to implement a SOC successfully?

  • Assemble a Team: Gather a team of experienced security experts responsible for monitoring and responding to security incidents. This can be an internal team or an outsourced one.
  • 24/7 Monitoring: Ensure that there is always someone on duty. Threats don’t adhere to office hours. Have a robust schedule so your SOC is always staffed, including weekends and holidays, without overburdening your team.
  • Use Smart Tools: Automated monitoring tools can help your SOC team work faster and more efficiently.
  • Quick Escalation Protocols: Ensure the SOC team has clear protocols for escalation when a critical threat is detected.

CSIRT: “The A-Team” of cyber incidents

The Cyber Security Incident Response Team (CSIRT) is your first line of defense when things go south. This team is there to jump into action, minimize damage, and get your organization back on track. Essentially, a CSIRT is like a fire brigade, but for cybersecurity.

Tips for establishing and deploying a CSIRT within your organization:

  • Create a Multidisciplinary Team: Ensure a mix of different experts—from IT to legal—so that all aspects are covered. Like a SOC, a CSIRT doesn’t have to be entirely internal; it can also include external experts. However, ensure clear role distribution. Everyone should know who is in charge during an incident and who is responsible for what task.
  • Quick Decision-Making: A good incident triage ensures that the most critical threats are dealt with first.
  • Evaluation and Feedback: Conduct thorough evaluation and feedback sessions to identify lessons learned and improve processes.

SOAR: Smarter responses

SOAR (Security Orchestration, Automation, and Response) platforms connect your security tools and automate the repetitive steps of incident handling, which makes your cybersecurity operation much more efficient. They take over many of the time-consuming tasks and allow your team to focus on the really important matters. Less time wasted, faster responses: that's what SOAR is all about.

4 tips for successful SOAR implementation

  • Automate Repetitive Tasks: Let SOAR handle tasks like log analysis and incident classification, so your team can focus on more complex issues.
  • Develop Playbooks: Create standard procedures for common incidents to ensure quick responses.
  • Integrate with Existing Tools: Make sure your SOAR platform integrates with your existing security tools, like SIEM systems, for a seamless workflow.
  • Alerts and Notifications: Set up alerts for critical events in SOAR, so relevant teams are immediately informed.

Incident Management Tools: The toolbox for cyber incidents

Incident management helps you keep everything organized, from the initial incident report to the final resolution. These tools help teams work in an organized and efficient manner, especially when multiple incidents need to be managed simultaneously. With the right tools, you can coordinate the entire incident response without causing panic.

How to effectively use Incident Management Tools?

  • Choose the right tools: Select incident management tools that fit the size and needs of your organization. They should be scalable and capable of handling different types of incidents.
  • Integration with your systems: Ensure that your incident management tools integrate seamlessly with your SOC, SIEM, and other security systems.
  • Incident logging: Record every incident in detail, including timestamps, affected systems, and actions taken, for future reference.
  • Automate Workflows: Use the tools to automate as many workflows as possible, from incident detection to reporting.
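To make the SOAR and incident management points above concrete, here is an added example (not OpenSight's code and not from any SOAR product): a minimal playbook runner that classifies an alert, executes the matching playbook step by step, and records every action in an incident record with a timestamp, the affected system and a status, so the triage decision and the response are logged for later review. The alert fields, playbook names and the contain/lock/notify steps are assumptions chosen for illustration.

```python
"""Added example (not OpenSight's code): a minimal SOAR-style playbook runner.
It classifies an alert, runs the matching playbook and records every action in
an incident record with a timestamp, affected systems and status.  The alert
fields, playbook names and the contain/lock/notify steps are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable


@dataclass
class Incident:
    incident_id: str
    severity: str
    affected_systems: list[str]
    status: str = "open"
    timeline: list[dict] = field(default_factory=list)

    def log(self, actor: str, action: str) -> None:
        # Every action gets a UTC timestamp so the record can be reviewed later.
        self.timeline.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
        })


def classify(alert: dict) -> str:
    """Triage rule (constructed): map an alert to the playbook that handles it."""
    if alert["type"] == "malware" and alert.get("confidence", 0) >= 0.8:
        return "contain-host"
    if alert["type"] == "failed_logins" and alert.get("count", 0) >= 20:
        return "lock-account"
    return "ticket-only"


# Playbook steps: stand-ins for EDR, IAM, ticketing and paging API calls.
def contain_host(inc: Incident, alert: dict) -> None:
    inc.log("soar", f"isolate host {alert['host']}")


def lock_account(inc: Incident, alert: dict) -> None:
    inc.log("soar", f"lock account {alert['user']}")


def notify(inc: Incident, alert: dict) -> None:
    inc.log("soar", f"notify on-call team (severity={inc.severity})")


def open_ticket(inc: Incident, alert: dict) -> None:
    inc.log("soar", "open ticket for analyst review")


PLAYBOOKS: dict[str, list[Callable[[Incident, dict], None]]] = {
    "contain-host": [contain_host, notify],
    "lock-account": [lock_account, notify],
    "ticket-only": [open_ticket],
}
SEVERITY = {"contain-host": "high", "lock-account": "medium", "ticket-only": "low"}


def handle_alert(alert: dict, incident_id: str) -> Incident:
    """Classify, run the playbook step by step and return the incident record."""
    playbook = classify(alert)
    affected = alert.get("host", alert.get("user", "unknown"))
    inc = Incident(incident_id, SEVERITY[playbook], [affected])
    inc.log("soar", f"classified as {playbook}")
    for step in PLAYBOOKS[playbook]:
        step(inc, alert)
    inc.status = "triage" if playbook == "ticket-only" else "contained"
    return inc


if __name__ == "__main__":
    inc = handle_alert({"type": "malware", "host": "ws-042", "confidence": 0.95}, "INC-0001")
    for entry in inc.timeline:
        print(entry)
```

The playbooks are plain lists of functions, so a new standard procedure is added by appending steps rather than by changing the runner, and low-confidence alerts fall through to a ticket instead of an automated containment action.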

In short…

The NIST ‘Respond’ domain is crucial for reacting to cyber threats calmly, in an organized manner, and effectively. By focusing on response planning, having a 24/7 SOC, a sharp CSIRT, and utilizing SOAR and incident management tools, your organization can better prepare for and respond to cyber threats. This not only helps to minimize damage but also to maintain the trust of stakeholders during times of crisis.

Do you have questions about this blog or need help implementing the Respond domain? Feel free to contact us; we at OpenSight are at your disposal!

OpenSight Back To School Series

During the OpenSight Back To School Series, we publish weekly blogs diving deeper into the five NIST Security Domains:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

By implementing the measures associated with these domains, you can reduce the likelihood of cyber attacks and the impact of potential incidents.


The NIST ‘Detect’ Domain – The importance of effective detection in cybersecurity

Posted on: 27 August 2024

Today, we’re diving into the ‘detect’ domain of NIST. This part can get pretty technical, but it’s absolutely crucial for your organization’s cybersecurity. We’ll take a look at the key components of this domain: Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Identity Detection and Response (IDR), and the Security Operations Centre (SOC).

Intrusion Detection Systems (IDS) – The digital guard dog

An Intrusion Detection System (IDS) is a security system used to detect unauthorized access to a computer or network resource. Think of IDS as a guard dog, but digital and without the fur. When it spots suspicious behavior, it alerts you. IDS is essential for maintaining integrity and protecting your data.

3 tips for successfully implementing IDS:

  • Choose the Right IDS: Decide between a Network-based IDS (NIDS) or Host-based IDS (HIDS) depending on what works best for your organization. NIDS monitors network traffic, while HIDS watches over activities on individual devices.
  • Configuration and Tuning: Set up your IDS to match your network traffic. Avoid false positives by adjusting rules and filters to fit your specific needs.
  • Keep Your IDS Updated: Always keep your IDS up-to-date so it can detect the latest digital intrusion techniques.
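As an added example (not OpenSight's code and not taken from any IDS product), the following is a tiny network-based IDS in the sense of the tips above: it runs one policy rule and one threshold rule over constructed flow records, and it shows what "tuning" means in practice, since an allowlist keeps the organization's own authorized vulnerability scanner from raising a port-scan alert on every scheduled scan while the policy rule still applies to every source. The thresholds, addresses, port list and flow records are assumptions.

```python
"""Added example (not OpenSight's or any IDS product's code): a tiny
network-based IDS that runs one policy rule and one threshold rule over
constructed flow records.  A tuning allowlist keeps the authorized
vulnerability scanner from raising port-scan alerts while the policy rule
still applies to everyone.  Thresholds, addresses and records are assumptions."""
from collections import defaultdict

# Constructed flow records: (time_s, src_ip, dst_ip, dst_port)
FLOWS = [
    (0, "10.0.0.99", "10.0.1.20", 22), (1, "10.0.0.99", "10.0.1.20", 80),
    (2, "10.0.0.99", "10.0.1.20", 443), (3, "10.0.0.99", "10.0.1.20", 445),
    (4, "10.0.0.99", "10.0.1.20", 3389), (5, "10.0.0.99", "10.0.1.20", 8080),
    (100, "10.0.0.77", "10.0.1.20", 21), (101, "10.0.0.77", "10.0.1.20", 22),
    (102, "10.0.0.77", "10.0.1.20", 23), (103, "10.0.0.77", "10.0.1.20", 25),
    (104, "10.0.0.77", "10.0.1.20", 80), (105, "10.0.0.77", "10.0.1.20", 110),
    (200, "10.0.0.5", "10.0.1.20", 443),
]

# Tuning: the authorized vulnerability scanner (assumption) is exempt from the
# port-scan rule only; it would otherwise fire on every scheduled scan.
SCAN_ALLOWLIST = {"10.0.0.99"}
SCAN_PORT_THRESHOLD = 5      # distinct ports on one host ...
SCAN_WINDOW_S = 60           # ... within this many seconds
FORBIDDEN_PORTS = {21: "ftp", 23: "telnet"}   # cleartext services banned by policy


def rule_forbidden_service(flows):
    """Policy rule: any connection to a banned cleartext service is an alert."""
    return [{"rule": "forbidden-service", "src": src, "dst": dst,
             "detail": f"{FORBIDDEN_PORTS[dport]} on port {dport}", "time": ts}
            for ts, src, dst, dport in flows if dport in FORBIDDEN_PORTS]


def rule_port_scan(flows, allowlist=SCAN_ALLOWLIST):
    """Threshold rule: one source touching many ports on one host in a window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if src in allowlist:
            continue
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= SCAN_WINDOW_S}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                alerts.append({"rule": "port-scan", "src": src, "dst": dst,
                               "detail": f"{len(ports)} ports", "time": t0})
                break   # one alert per source/destination pair
    return alerts


def run_ids(flows, allowlist=SCAN_ALLOWLIST):
    """Run all rules and return the combined alert list."""
    return rule_forbidden_service(flows) + rule_port_scan(flows, allowlist)


if __name__ == "__main__":
    for alert in run_ids(FLOWS):
        print(alert)
```

Running it with the allowlist empty (`run_ids(FLOWS, allowlist=set())`) produces a second port-scan alert for the scanner, which is exactly the false positive the tuning removes; the allowlist is deliberately scoped to one rule so that a scanner talking to a banned service still shows up.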

Security Information and Event Management (SIEM) – The brain behind cyber security

Security Information and Event Management, or SIEM, collects and analyzes security data from various sources like your IDS, firewalls, and other security systems. It can spot patterns that indicate an attack and alert you right away. SIEM is a crucial addition to IDS.

Tips for effectively using SIEM in your organization:

  • Define your Objectives: Decide what you want to achieve with SIEM, such as complying with regulations, enhancing security, or quickly detecting incidents. This also involves identifying and inventorying your organization’s digital crown jewels.
  • Choose the right software: The right SIEM software helps you detect security threats by combining information from different sources. When choosing the right software, consider the cost, ease of use, and the reliability of both the software and the vendor.
  • Integrate data sources: Make sure your SIEM system collects data from all relevant sources, including firewalls, IDS, antivirus software, and network devices.
  • Start Small: Begin with a basic setup to avoid information overload and unnecessary data consumption. Connect only the components that are relevant to security monitoring.
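The following added example (not OpenSight's code and not from any SIEM vendor) shows the two things a SIEM has to do that the tips above describe: pull events from differently formatted sources (an IDS line, a firewall JSON record, an antivirus CSV row) into one schema, and correlate them per asset so that a pattern no single source can see becomes one incident. It also follows the "start small" tip by forwarding only firewall events worth keeping. The log formats, the asset inventory that maps IPs and hostnames to one asset name, the 10-minute window and the sample lines are all constructed for illustration.

```python
"""Added example (not OpenSight's or any SIEM vendor's code): normalize events
from three differently formatted sources (IDS, firewall, antivirus) into one
schema and correlate them per asset.  Log formats, asset inventory, the
10-minute window and the sample lines are constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: maps IPs and hostnames to one asset name, so
# events keyed by IP (network sensors) and by hostname (endpoint agents) meet.
ASSETS = {"10.0.1.20": "srv-db-01", "srv-db-01": "srv-db-01", "ws-042": "ws-042"}

# Constructed sample lines, one format per source.
RAW = [
    ("ids", "2024-08-27T10:00:05Z IDS sig=port-scan src=10.0.0.77 dst=10.0.1.20"),
    ("firewall", '{"ts": "2024-08-27T10:03:11Z", "action": "ALLOW", '
                 '"src": "10.0.1.20", "dst": "203.0.113.9", "dport": 4444}'),
    ("antivirus", "2024-08-27T10:06:40Z,srv-db-01,Trojan.Generic,quarantined"),
    ("antivirus", "2024-08-27T14:20:00Z,ws-042,Adware.Generic,quarantined"),
    ("firewall", '{"ts": "2024-08-27T16:00:00Z", "action": "ALLOW", '
                 '"src": "10.0.1.20", "dst": "198.51.100.7", "dport": 443}'),
]


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(source, line):
    """Return {"time", "source", "asset", "summary"} or None if not forwarded."""
    if source == "ids":
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[2:])
        return {"time": parse_time(parts[0]), "source": source,
                "asset": ASSETS.get(fields["dst"], fields["dst"]),
                "summary": f"{fields['sig']} from {fields['src']}"}
    if source == "firewall":
        rec = json.loads(line)
        # Start small: only allowed outbound connections to unusual ports are kept.
        if rec["action"] != "ALLOW" or rec["dport"] in (80, 443):
            return None
        return {"time": parse_time(rec["ts"]), "source": source,
                "asset": ASSETS.get(rec["src"], rec["src"]),
                "summary": f"outbound to {rec['dst']}:{rec['dport']}"}
    if source == "antivirus":
        ts, host, threat, action = line.split(",")
        return {"time": parse_time(ts), "source": source,
                "asset": ASSETS.get(host, host), "summary": f"{threat} {action}"}
    return None


def correlate(raw, window=timedelta(minutes=10)):
    """One incident per asset that has events from two or more sources in a window."""
    events = [e for e in (normalize(s, l) for s, l in raw) if e]
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e["asset"]].append(e)
    incidents = []
    for asset, evs in by_asset.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= 2:
                incidents.append({"asset": asset, "sources": sorted(sources),
                                  "start": first["time"].isoformat(),
                                  "evidence": [e["summary"] for e in cluster]})
                break
    return incidents


if __name__ == "__main__":
    for incident in correlate(RAW):
        print(incident)
```

The single quarantine on ws-042 stays an ordinary event; the port scan, the unusual outbound connection and the quarantine on srv-db-01 within seven minutes become one incident, which is the kind of pattern the paragraph above refers to. Without the asset inventory the antivirus row (keyed by hostname) and the network events (keyed by IP) would never be joined.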

Endpoint Detection and Response (EDR) – The personal bodyguard for your devices

Endpoint Detection and Response, or EDR, is another type of alarm system. Think of EDR as a personal bodyguard for all your devices, like your laptop, smartphone, and tablet. EDR watches these devices, detects suspicious activities, and responds quickly to stop threats. EDR goes beyond traditional antivirus software by monitoring suspicious activities on each endpoint in real-time. Imagine your phone suddenly starts sending strange messages; EDR would immediately notice and take action to prevent anything bad from happening.

Tips for using EDR in your organization:

  • Choose a Reliable EDR Solution: Select an EDR tool that suits your organization and is compatible with all the devices you use. Look for features like real-time monitoring, threat intelligence, and response capabilities.
  • Test the EDR Tool: Make sure the EDR tool works well and doesn’t conflict with existing software by running a test first. This also helps you see if it’s user-friendly and whether your team handles it well.
  • Integrate with SIEM: Connect the EDR solution to your SIEM system to gain better insight into security incidents and respond to threats more quickly.
  • Regular Reviews: Regularly assess the effectiveness of your EDR solution. Analyze incidents, adjust detection rules, and optimize the system to handle new threats.
  • Frequent Reporting: Use the reporting features of the EDR solution to keep management updated regularly and evaluate the effectiveness of your security measures.
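To show what "monitoring suspicious activities on each endpoint" and "responding quickly" look like in code, here is an added example (not OpenSight's code and not from any EDR vendor): two behaviour rules run over constructed process telemetry from two workstations, and a response step lists the containment actions an agent would take. The rule names, file paths, process names and sample events are assumptions chosen for illustration.

```python
"""Added example (not OpenSight's or any EDR vendor's code): behaviour-based
detection over constructed endpoint process telemetry, plus a response step
that lists the containment actions an agent would take.  The rule names,
paths, process names and sample events are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    ppid: int
    image: str   # full executable path, lower-case
    user: str


DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"

# Constructed telemetry from two workstations.
EVENTS = [
    ProcessEvent("ws-042", 100, 1, "c:\\windows\\explorer.exe", "alice"),
    ProcessEvent("ws-042", 200, 100, "c:\\program files\\office\\winword.exe", "alice"),
    ProcessEvent("ws-042", 300, 200,
                 "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "alice"),
    ProcessEvent("ws-017", 50, 1, "c:\\windows\\explorer.exe", "bob"),
    ProcessEvent("ws-017", 60, 50, "c:\\program files\\office\\winword.exe", "bob"),
    ProcessEvent("ws-017", 70, 50, "c:\\users\\bob\\appdata\\local\\temp\\setup_7f3a.exe", "bob"),
    ProcessEvent("ws-017", 80, 50, "c:\\windows\\system32\\cmd.exe", "bob"),  # shell from Explorer: normal
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events):
    """Apply two behaviour rules; each finding names the rule and the event."""
    by_pid = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get((e.host, e.ppid))
        # Rule 1: a document viewer/editor should not launch a command interpreter.
        if (parent and basename(parent.image) in DOCUMENT_APPS
                and basename(e.image) in INTERPRETERS):
            findings.append({"rule": "document-app-spawns-interpreter", "event": e})
        # Rule 2: executables running from a user's temp directory.
        if e.image.startswith("c:\\users\\") and TEMP_MARKER in e.image:
            findings.append({"rule": "execution-from-temp", "event": e})
    return findings


def respond(findings):
    """Response: kill the offending process and isolate the host (once per host)."""
    actions, isolated = [], set()
    for f in findings:
        e = f["event"]
        actions.append(("kill", e.host, e.pid))
        if e.host not in isolated:
            actions.append(("isolate", e.host))
            isolated.add(e.host)
    return actions


if __name__ == "__main__":
    for action in respond(detect(EVENTS)):
        print(action)
```

The rules key on parent/child relationships and on where a binary runs from, which is the difference from signature-based antivirus that the paragraph describes: nothing here depends on recognizing a particular file. The cmd.exe started from Explorer on ws-017 is left alone, which is the "adjust detection rules" point of the Regular Reviews tip in action.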

Identity Detection and Response (IDR) – Keeping an eye on access

Identity Detection and Response (IDR) focuses specifically on identities within your network. It’s less about systems and more about people. IDR ensures that only the right people have access to certain data and applications. It monitors suspicious login attempts and responds quickly to prevent unauthorized access. If someone tries to guess your password, IDR will catch this and make sure your account stays safe.

Things to Keep in Mind When Implementing IDR:

  • Choose the Right IDR Tool: Figure out what you want to achieve with IDR and where your needs and risks lie. Then select an IDR solution that integrates well with your existing Identity and Access Management (IAM) and other security tools like SIEM and EDR.
  • Implement a Response Plan: Create an incident response plan for identity-related incidents. This should include steps like isolating suspicious accounts and recovery actions.
  • Consider Legal and Regulatory Requirements: Ensure that your IDR solution complies with relevant regulations and standards, such as GDPR or other industry-specific requirements.
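The paragraph above gives one case (someone guessing your password); the added example below (not OpenSight's code and not from any IDR product) goes a little further and detects both that case and its cross-account variant, where one source tries a few passwords against many accounts, in constructed authentication log lines. A brute-force burst that is followed by a successful login is treated as a likely compromise and gets the account-isolation response the tips mention. The log format, thresholds, window and recommended responses are assumptions.

```python
"""Added example (not OpenSight's or any IDR product's code): detection of
suspicious login patterns in constructed authentication log lines.  The log
format, thresholds, window and the recommended responses are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (one line per attempt).
LOG = """
2024-08-27T09:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2024-08-27T09:00:03Z auth user=alice src=203.0.113.5 result=FAIL
2024-08-27T09:00:05Z auth user=alice src=203.0.113.5 result=FAIL
2024-08-27T09:00:07Z auth user=alice src=203.0.113.5 result=FAIL
2024-08-27T09:00:09Z auth user=alice src=203.0.113.5 result=FAIL
2024-08-27T09:00:11Z auth user=alice src=203.0.113.5 result=FAIL
2024-08-27T09:00:15Z auth user=alice src=203.0.113.5 result=SUCCESS
2024-08-27T09:10:00Z auth user=bob src=198.51.100.9 result=FAIL
2024-08-27T09:10:05Z auth user=carol src=198.51.100.9 result=FAIL
2024-08-27T09:10:10Z auth user=dave src=198.51.100.9 result=FAIL
2024-08-27T09:10:15Z auth user=erin src=198.51.100.9 result=FAIL
2024-08-27T09:10:20Z auth user=frank src=198.51.100.9 result=FAIL
2024-08-27T11:00:00Z auth user=carol src=10.0.0.8 result=FAIL
2024-08-27T11:00:20Z auth user=carol src=10.0.0.8 result=SUCCESS
"""

BRUTE_FORCE_FAILS = 5      # failures against one account ...
SPRAY_ACCOUNTS = 4         # ... or distinct accounts from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window


def parse(line):
    ts, _, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": f["user"], "src": f["src"], "ok": f["result"] == "SUCCESS"}


def bursts(fails):
    """Yield the failures that fall within WINDOW of each starting failure."""
    for i, first in enumerate(fails):
        yield [f for f in fails[i:] if f["time"] - first["time"] <= WINDOW]


def analyze(log_text):
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    fails_by_user, fails_by_src = defaultdict(list), defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_user[e["user"]].append(e)
            fails_by_src[e["src"]].append(e)
    findings = []
    # Rule 1: many failures against one account (password guessing).
    for user, fails in fails_by_user.items():
        for burst in bursts(fails):
            if len(burst) >= BRUTE_FORCE_FAILS:
                # A success shortly after the burst means the guess may have worked.
                deadline = burst[-1]["time"] + WINDOW
                followed = any(e["ok"] and e["user"] == user
                               and burst[0]["time"] <= e["time"] <= deadline
                               for e in events)
                findings.append({"rule": "brute-force", "user": user,
                                 "src": sorted({f["src"] for f in burst}),
                                 "success_followed": followed,
                                 "response": "lock-account" if followed else "alert"})
                break
    # Rule 2: one source failing against many accounts (spraying).
    for src, fails in fails_by_src.items():
        for burst in bursts(fails):
            users = {f["user"] for f in burst}
            if len(users) >= SPRAY_ACCOUNTS:
                findings.append({"rule": "password-spray", "src": src,
                                 "users": sorted(users), "response": "block-source"})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG):
        print(finding)
```

Carol's single failed attempt followed by a success at 11:00 is an ordinary typo and produces nothing, while the same account appearing once in the spray burst is caught by the per-source rule rather than the per-account rule; looking at both dimensions is what keeps low-and-slow attempts across accounts from hiding under a per-account threshold.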

Security Operations Centre (SOC) – The digital command centre

The Security Operations Centre, or SOC, is the last acronym we’ll cover in this blog. SOC is the nerve center of your security. The SOC team consists of experts who monitor your network 24/7, analyze threats, and respond to security incidents. Think of it as a command center where everything comes together. If something goes wrong, the SOC ensures a quick and effective response to minimize damage.

How to Effectively Use SOC in Your Organization:

  • SOC Team: Assemble a team of experienced security experts responsible for monitoring and responding to security incidents. This can be an in-house or outsourced team. These security experts work together to maintain a 24/7 alert monitoring system.
  • Advanced Tools: Implement advanced monitoring and analysis tools like SIEM, EDR, and threat intelligence platforms to support and enhance the SOC.
  • Drills and Simulations: Regularly conduct incident response drills and simulations to prepare your SOC team for real threats.

In short…

The “Detect” domain of NIST may be technical and full of acronyms, but it’s an indispensable domain for the cybersecurity of any organization. We’ve looked at IDS, SIEM, EDR, IDR, and SOC. Each of these components plays a crucial role in detecting and responding to security threats. Together, they ensure that your network and data remain secure, even in a world full of cyber threats.

If you have any questions or comments after reading this blog, or if you need help implementing the right tools and systems, feel free to contact us. We at OpenSight are happy to help!

