Incident Response
![](https://www.swimage.com/wp-content/uploads/2022/11/Incident-Response-S.png)
In today’s world, it’s not a matter of if your company is going to be attacked, but when.
Dealing with a sophisticated cybersecurity attack is a daunting task, even for large organizations with a high level of maturity. A strong incident response capability significantly reduces the damage caused to an organization when catastrophe strikes. Swimage performs various activities in the four stages of incident response.
Incident Response Stages
![](https://www.swimage.com/wp-content/uploads/2022/11/Incidents-Swimage-4-Icons-1.png)
![](https://www.swimage.com/wp-content/uploads/2022/11/Incidents-Swimage-Preparation-Icon.png)
Preparation
Swimage activities in the Preparation stage:
- Instrumenting the environment with tools to listen for triggers of suspicious and malicious activity
- Establishing baseline systems; understanding “normal” activity so defenders can identify deviations
- Developing and testing courses of action (COAs) for containment and eradication
- Establishing means for collecting digital forensics and other data or evidence
![](https://www.swimage.com/wp-content/uploads/2022/11/Incidents-Swimage-Detection-Icon.png)
Detection & Analysis
Swimage activities in the Detection & Analysis stage:
- Safeguarding agents on endpoints; automatically healing any compromised agent
- Monitoring, detecting, and alerting on anomalous and suspicious activity on known-good data sources
- Collecting and preserving data from affected endpoints for incident verification, categorization, prioritization, mitigation, reporting, and attribution
- Capturing a memory and disk image for evidence preservation
![](https://www.swimage.com/wp-content/uploads/2022/11/Incidents-Swimage-Containment-Icon.png)
Containment, Eradication, & Recovery
Swimage activities in the Containment, Eradication, & Recovery stage:
- Isolating impacted systems from each other and/or from non-impacted systems and networks
- Updating firewall filtering; blocking unauthorized access; blocking malware sources
- Closing specific ports and taking mail servers or other affected servers and services offline
- Changing system admin passwords, rotating private keys
- Rebuilding affected systems from known-good sources; eliminating rootkits; installing patches
- Reconnecting rebuilt or new systems to networks; tightening perimeter security (e.g., firewall rulesets)
- Restoring systems to normal operations (e.g., putting applications and data back in place)
![](https://www.swimage.com/wp-content/uploads/2022/11/Incidents-Swimage-Post-Incident-Icon.png)
Post-Incident Activity
Swimage activities in the Post-Incident Activity stage:
- Creating rule sets based on lessons learned from the previous incident
- Enforcing appropriate triggers and actions based on lessons learned from the previous incident
- Creating collections based on the most vulnerable groups
- Applying enforcement of the rule sets to the collections