Incident Response
In today’s world, it’s not a matter of if your company is going to be attacked, but when.

Dealing with a sophisticated cybersecurity attack is a daunting task, even for large organizations with a high level of maturity. A strong incident response capability significantly reduces the damage caused to an organization when catastrophe strikes. Swimage performs various activities in the four stages of incident response.
Incident Response Stages

Preparation

Swimage activities in the Preparation stage:

  • Instrumenting the environment with tools to listen for triggers of suspicious and malicious activity
  • Establishing baseline systems; understanding “normal” activity so defenders can identify deviations
  • Developing and testing courses of action (COAs) for containment and eradication
  • Establishing means for collecting digital forensics and other data or evidence
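The baseline bullet above describes the core of Preparation: record what "normal" looks like before an incident so that deviations stand out later. The following is an added example, not Swimage's code, of how such a baseline check can work. It assumes a constructed inventory of services (name, listening port, SHA-256 of the service binary); both the baseline and the later snapshot are made up inline. It also seals the stored baseline with an HMAC so that a tampered baseline is rejected rather than silently trusted, which is the check a practitioner wants if the baseline itself lives on a host that may be compromised.

```python
"""Baseline-and-deviation check for a host inventory.

Added example (not Swimage code). The inventory format, the sample
services and the HMAC key are all constructed for illustration.
"""
import hashlib
import hmac
import json


def fingerprint(content: bytes) -> str:
    """SHA-256 of a binary's contents, used to detect replaced executables."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline captured during Preparation (assumed "known-good" state).
BASELINE = {
    "sshd": {"port": 22, "sha256": fingerprint(b"sshd-binary-v1")},
    "nginx": {"port": 443, "sha256": fingerprint(b"nginx-binary-v1")},
}

# Constructed later snapshot: nginx binary replaced, an unexpected service added.
SNAPSHOT = {
    "sshd": {"port": 22, "sha256": fingerprint(b"sshd-binary-v1")},
    "nginx": {"port": 443, "sha256": fingerprint(b"nginx-binary-TAMPERED")},
    "telnetd": {"port": 23, "sha256": fingerprint(b"telnetd-binary")},
}

# Constructed key; in practice it would come from a secret store, not the host.
BASELINE_KEY = b"example-baseline-signing-key"


def seal_baseline(baseline: dict, key: bytes):
    """Serialize the baseline deterministically and return (blob, hmac_tag)."""
    blob = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()
    return blob, tag


def open_baseline(blob: str, tag: str, key: bytes) -> dict:
    """Verify the HMAC before trusting a stored baseline; raise on mismatch."""
    expected = hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline integrity check failed")
    return json.loads(blob)


def compare(baseline: dict, snapshot: dict) -> list:
    """Return (finding_type, service, detail) tuples for every deviation."""
    findings = []
    for name, spec in snapshot.items():
        if name not in baseline:
            findings.append(("new_service", name, f"listening on {spec['port']}"))
            continue
        ref = baseline[name]
        if spec["port"] != ref["port"]:
            findings.append(("port_changed", name, f"{ref['port']} -> {spec['port']}"))
        if spec["sha256"] != ref["sha256"]:
            findings.append(("binary_changed", name, "hash mismatch"))
    for name in baseline:
        if name not in snapshot:
            findings.append(("service_missing", name, "present in baseline, absent now"))
    return findings


if __name__ == "__main__":
    blob, tag = seal_baseline(BASELINE, BASELINE_KEY)
    trusted = open_baseline(blob, tag, BASELINE_KEY)
    for kind, service, detail in compare(trusted, SNAPSHOT):
        print(f"{kind:15} {service:10} {detail}")
```

Run as a script it prints the two deviations in the constructed snapshot (a changed nginx binary and an unexpected telnetd listener). The deterministic `sort_keys=True` serialization matters: without it the HMAC would fail on a byte-identical baseline whose keys happened to be stored in another order.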

Detection & Analysis

Swimage activities in the Detection & Analysis stage:

  • Safeguarding agents on endpoints; automatically healing any compromised agent
  • Monitoring, detecting, and alerting on anomalous and suspicious activity on known-good data sources
  • Collecting and preserving data from affected endpoints for incident verification, categorization, prioritization, mitigation, reporting, and attribution
  • Capturing a memory and disk image for evidence preservation

Containment, Eradication, & Recovery

Swimage activities in the Containment, Eradication, & Recovery stage:

  • Isolating impacted systems from each other and/or from non-impacted systems and networks
  • Updating firewall filtering; blocking unauthorized access; blocking malware sources
  • Closing specific ports and taking mail servers or other relevant servers and services offline
  • Changing system admin passwords, rotating private keys
  • Rebuilding affected systems from “known-good” sources; eliminating rootkits; installing patches
  • Reconnecting rebuilt/new systems to networks, tightening perimeter security (e.g., firewall rulesets)
  • Restoring systems to normal operations (e.g., put applications and data back in place)

Post-Incident Activity

Swimage activities in the Post-Incident Activity stage:

  • Creating rule sets based on lessons learned from the previous incident
  • Enforcing appropriate triggers and actions based on lessons learned from the previous incident
  • Creating collections based on the most vulnerable groups
  • Applying enforcement of the rule sets to the collections