March 3, 2022, by Delilah Schwartz

Is Your Security Response Team Working in OR or ER Mode?

Security teams aim to anticipate and counter cyber threats before they manifest as an attack on their organization. Most of all, SOC teams want to avoid a situation where multiple urgent threats have to be managed and remediated at the same time. A useful analogy for how organizations progress in their ability to respond to cyber threats is the difference between the emergency room (ER) and the operating room (OR) in a hospital. The ER's function is to provide initial medical or surgical treatment to patients who need immediate care, for example after an injury or sudden illness. The ER team's efforts are focused on reacting quickly and returning the patient to a stable condition. If careful examination then reveals an underlying cause of the patient's condition, the OR steps in to provide the specialized care needed to remedy it.

Organizations in the early stages of their cybersecurity programs generally manage their security responses the way an ER does: treating the "patient" for the immediate threat and, metaphorically, stopping the bleeding. This kind of reaction is characteristic of companies that have only just begun building a robust and effective cyber defense program. However, just as emergency rooms on their own are not an effective long-term solution to a population's ongoing healthcare needs, purely reactive methods of addressing cyber threats are neither sustainable nor scalable in the long term. Moving to a more proactive, OR-like phase of cyber defense is critical for organizations that need broader and deeper insight into the threats endangering their assets. That foresight lets security teams act preemptively, counteracting risk before it materializes into an urgent incident.

One crucial point to keep in mind: the ER equivalent, reacting to the emergency, remains critical in security operations even though it represents "early-stage" maturity. Unfortunately, there is no "set and forget" level at which organizational cyber security can be maintained. Security teams must continually improve and evolve their defenses against every stage of the cyber kill chain, just as cybercriminals continually refine their own tactics, techniques, and procedures.

The ER Equivalent: Digital Risk Protection Services

Broadly speaking, Digital Risk Protection Services (DRPS) constitute the emergency-room level of response to cyber threats. Intended to preserve business resilience, these platforms are designed to detect and respond to digital threats and, eventually, to predict and prevent them. The analogy is not absolute, since DRPS retains a significant role at every stage of an organization's cyber security maturity. Still, at the primary level these services are tactical, not strategic. Gartner has identified the most common use cases for DRPS, as shown in the diagram below.

The OR Equivalent

We can draw a similar parallel between Threat Intelligence and the OR stage of medical care. Threat Intelligence is used to inform a proactive response to cyber threats rather than an immediate, reactive response to urgent ones. By leveraging the information gained from previous attacks, organizations develop playbooks for managing risk and protect themselves accordingly. This provides deeper insight into the organizational threat landscape, allowing security teams to protect their assets and reduce the overall attack surface, for example by feeding DRPS findings into a consolidated security orchestration, automation and response (SOAR) strategy. The overlap between the Threat Intelligence and DRPS markets is shown in the Venn diagram below.

Let’s Talk About Preventive Care

What about the concept of preventive care, the set of recommended actions fundamental to staying healthy? Ideally, you want your organization to eliminate its exposure to cyberattacks in the first place by ensuring that all employees follow essential preventive actions, just as a dermatologist advises patients to use sunscreen. Although the link between sun exposure and skin cancer seems obvious today, it is a relatively recent discovery, reached through extensive scientific research. Similarly, the tactics cybercriminals use to exfiltrate data have not always been well understood. Only recently, as clear patterns emerged in cybercriminal tactics and methodologies, have we been able to define and apply appropriate preventive cybersecurity measures.

As awareness of potential threat vectors grows within an organization, preventive countermeasures such as not opening suspicious emails become second nature. To sum up, your organization should absolutely embrace best practices for preventive cybersecurity care. But it is important to remain vigilant and to recognize that these measures must constantly adapt and evolve, because both the threats themselves and threat intelligence as a practice will continue to evolve.

Find out how Cybersixgill can help organizations advance to full cybersecurity readiness. Get the report.
