When disaster strikes in the form of a data breach or hack, documentation is likely the last thing on your mind. However, taking the time to learn how a threat unfolded is not only important for future prevention but also helps stop your current disaster in its tracks.
Defining the timeline
If you thought binge-watching CSI was a waste of time, think again. Understanding how to track and document a timeline is an important step in incident management. In doing this, though, you don’t necessarily follow a paper trail. Instead, you follow the “digital exhaust” that is created every time someone, or something, interacts with your network. This helps you scope the incident so you can contain and remediate it quickly, while also giving you a briefing tool to explain what happened.
There are several ways to document events. You can interview employees who work both directly and indirectly where the incident occurred. Understanding from their perspective what happened in the technology, as well as the actions they took, will help you map how information and activity were flowing through your company at the time of the incident. You can also review security logs to match what the systems are saying with what your people are reporting. The drawback of this approach is that it can be laborious and time-consuming, at exactly the moment you want to act as quickly as possible to handle the incident.
Managing an incident in real time
When you’re under attack, the time it takes for you to respond could make or break your business. So while mapping the digital exhaust is important, it also needs to be done quickly and accurately. Speed and accuracy can often be at odds with each other. However, certain solutions have effectively married the two to help users see real-time snapshots of all activity within a network. For example, LanScope Cat by Interfocus provides a user-friendly dashboard that tracks all user-focused activities, such as:
- when they accessed a website,
- how many times they opened email,
- what application they used,
- which website they downloaded the file from,
- when a malware protection product quarantined the file, and
- even when a malicious process started to encrypt their local files.
Looking at this kind of activity gets you the same information as user interviews and security logs, but without the tediousness or human error.
Identifying your weaknesses
Here’s a real-life example: An Interfocus client in the financial industry struggled to protect their network from malware attacks and infections. The team could detect and quarantine a problem, but they couldn’t prevent it from returning. To make matters worse, interviewing users hadn’t uncovered anything useful or suspicious. When LanScope Cat arrived on the scene, it gave them a detailed snapshot of all activity at any given time. They were able to pinpoint one particular website as the point of entry, and then they created a policy that blocked the website and prevented future exposure.
With LanScope Cat, they slammed the door shut on malware entering their company. They also created a policy that helps users understand that their own activity is critical to keeping both their business and their reputation safe.
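The procedure this page describes, merging web, anti-malware and endpoint events into one ordered timeline and then walking back from the first sign of trouble to the website the file came from, can be shown end to end in a few dozen lines. The script below is an added illustration and is not Interfocus or LanScope Cat code. Every log line in it is constructed sample data; the three log formats, the host WS-17, the user jdoe and the domain names are assumptions, and a real deployment would read from its own proxy, anti-malware and endpoint sources instead.

```python
"""Reconstruct an incident timeline from several log sources and pinpoint the entry point.

Added example, not code from Interfocus or LanScope Cat. Every log line below is
constructed sample data; the formats, host and user names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample logs (assumed formats): web proxy, anti-malware, endpoint monitor.
SAMPLE_LOGS = {
    "proxy": """\
2024-03-04T09:12:03Z user=jdoe host=WS-17 GET https://intranet.example.local/news
2024-03-04T09:14:41Z user=jdoe host=WS-17 GET https://free-invoice-templates.example/download.php
2024-03-04T09:14:44Z user=jdoe host=WS-17 GET https://free-invoice-templates.example/Invoice_2024.zip
""",
    "antimalware": """\
2024-03-04T09:14:58Z host=WS-17 action=QUARANTINE file=C:\\Users\\jdoe\\Downloads\\Invoice_2024.zip
""",
    "endpoint": """\
2024-03-04T09:13:30Z host=WS-17 user=jdoe start=OUTLOOK.EXE
2024-03-04T09:14:50Z host=WS-17 user=jdoe start=EXPLORER.EXE
2024-03-04T09:15:02Z host=WS-17 user=jdoe start=invoice_helper.exe
2024-03-04T09:15:05Z host=WS-17 user=jdoe file_write=C:\\Users\\jdoe\\Documents\\Q1.xlsx.locked
2024-03-04T09:15:06Z host=WS-17 user=jdoe file_write=C:\\Users\\jdoe\\Documents\\Q2.xlsx.locked
""",
}


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str   # which log the event came from
    host: str
    user: str
    kind: str     # web, quarantine, process or file_write
    detail: str   # URL, file path or process name


TS = re.compile(r"^(\S+Z)\s+(.*)$")   # leading ISO-8601 timestamp, then the rest
KV = re.compile(r"(\w+)=(\S+)")       # key=value pairs in the remainder


def parse_line(source: str, line: str) -> Event | None:
    """Turn one raw log line into an Event, or None if it is not recognised."""
    m = TS.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    rest = m.group(2)
    fields = dict(KV.findall(rest))
    host, user = fields.get("host", "?"), fields.get("user", "?")
    if source == "proxy":                       # last token is the requested URL
        return Event(when, source, host, user, "web", rest.split()[-1])
    if fields.get("action") == "QUARANTINE":
        return Event(when, source, host, user, "quarantine", fields["file"])
    if "start" in fields:
        return Event(when, source, host, user, "process", fields["start"])
    if "file_write" in fields:
        return Event(when, source, host, user, "file_write", fields["file_write"])
    return None


def build_timeline(logs: dict[str, str]) -> list[Event]:
    """Parse every source and merge the events into one chronological list."""
    events = [ev for source, text in logs.items()
              for line in text.splitlines()
              if (ev := parse_line(source, line)) is not None]
    return sorted(events, key=lambda e: e.when)


def first_bad_event(timeline: list[Event]) -> Event | None:
    """Earliest sign of trouble: a quarantine, or a file being rewritten with a .locked name."""
    for e in timeline:
        if e.kind == "quarantine" or (e.kind == "file_write" and e.detail.endswith(".locked")):
            return e
    return None


def likely_entry_point(timeline: list[Event]) -> str | None:
    """Walk back from the first bad event on that host to the site the file was fetched from.

    Prefers a web request whose URL ends in the quarantined file's name; otherwise falls
    back to the most recent web request on the same host before the bad event.
    """
    bad = first_bad_event(timeline)
    if bad is None:
        return None
    filename = bad.detail.replace("\\", "/").rsplit("/", 1)[-1]
    earlier = [e for e in timeline if e.kind == "web" and e.host == bad.host and e.when <= bad.when]
    for e in reversed(earlier):
        if urlparse(e.detail).path.rsplit("/", 1)[-1] == filename:
            return urlparse(e.detail).netloc
    return urlparse(earlier[-1].detail).netloc if earlier else None


def render(timeline: list[Event]) -> list[str]:
    """One briefing line per event, in chronological order."""
    return [f"{e.when:%H:%M:%S} {e.host} {e.user:<5} {e.kind:<10} {e.detail}" for e in timeline]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS)
    print("\n".join(render(tl)))
    print("likely entry point:", likely_entry_point(tl))
```

Run as is, the merged timeline shows the site visit, the ZIP download, the quarantine, the process start and the first rewritten documents in order, and the entry-point search returns the download domain, which is the value you would feed into a web-filtering deny list. The fallback to the most recent site visit matters on hosts where the quarantined file name does not match the URL (renamed or extracted files), and it is why the timeline is filtered per host: without that filter the most recent web request anywhere in the fleet would be blamed.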