Cupertino, CA, June 20, 2022 – The United States-based CISA (Cybersecurity & Infrastructure Security Agency) just released a joint Cyber Security Advisory (CSA) with partner countries around the world to warn managed service providers (MSPs) of the increasing danger from cyber attacks. The advisory warns that malicious actors – including state-sponsored threat groups – may attempt to exploit vulnerable MSPs in order to gain access to their customers’ data and business processes. Jens Bothe, Vice President for Information Security, who monitors the IT security situation as the STORM SOAR software product owner at OTRS Group, agrees:
“Currently, it is not only the number of security incidents in various consumer areas that has increased, but there are also increased attacks on the software and IT supply chains themselves. Most recently, it began with the Log4Shell vulnerability and went all the way through zero-day exploits at some IT vendors. Attackers are taking advantage of vulnerabilities within the software supply chain here, not directly and specifically targeting specific companies, but seeking to create damage through the proliferation and reuse of widely used software components.”
Reduce damage in the face of cyberattacks
In order to arm themselves in this heightened threat situation, it is important for MSPs and companies – as recommended in the CSA – to review and further increase their security precautions. In doing so, it is important not to focus solely on averting danger, but also to prepare the necessary course of action in the event of a security incident and to support it with appropriate systems, so that one can act quickly when a cyber attack occurs. This avoids unnecessary chaos in a crisis and keeps the resulting damage as low as possible. Systematic security incident management prepares companies and their employees in the best possible way to deal with security incidents. Powerful systems like STORM powered by OTRS support companies in this process.
Security Incident Response in 6 Steps
Automated processes help security incident teams respond optimally to incidents. The basis for dealing with security incidents is a plan in which tasks and responsibilities are defined. In an incident response plan, all necessary actions are specified and responsibilities are clearly assigned – the following phases are recommended for this purpose:
#1 Preparation: Provide incident management tools and processes
Based on proven best practices, all important phases are defined with an appropriate tool. This way, in the event of a security incident, the information required for a response can be gathered in a short time. Communication between all involved parties can be prepared and contact information made ready.
#2 Analysis & Identification: Decide whether a security incident has occurred
Analyzing data from log management systems, IDS/IPS, threat sharing systems, as well as firewall logs and network activity, helps classify security incidents. Once a threat is identified, it should be documented and communicated according to established policy.
#3 Containment: Contain spread and prevent further damage
Deciding which strategy to use plays the biggest role. The main question is what vulnerability allowed the intrusion to occur. Quick mitigation, such as isolating a network segment, is the first step in many incidents, after which forensic analysis is often carried out for evaluation.
#4 Eradication: Close security gaps, eliminate malware
Once the potential threat is contained, the root cause of the security incident must be found. To do this, all malware should be securely removed, systems patched, updates applied, and software updated if necessary. Systems should then be brought up to the latest patch level, and passwords should be assigned that meet all security requirements.
#5 Recovery: Reactivate systems and devices
To return to normal system operation, constant checks should be made to ensure that all systems are running as expected. This is ensured through testing and monitoring over an extended period of time. During this phase, the incident response team determines when operations will be restored and whether infected systems have been fully cleaned.
#6 Lessons Learned: Clarify what went well and what didn’t
After Phase 5, a wrap-up meeting should be held with all parties involved. Here, open questions should be clarified and the security incident should be formally closed. With the insights gained from this exchange, improvements for future incidents can be identified and defined.
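The following Python block is an added illustration of the six-phase plan, not code from OTRS or the STORM product. It shows phase 2 (deciding from log data whether an incident has occurred) as a small detection over constructed syslog-style lines, and then carries one incident through phases 2 to 6 with a record that enforces the phase order and requires a note at every transition. The log format, the "success after repeated failures" heuristic, the threshold, and all host and address values are assumptions made for the example.

```python
"""Illustrative incident-response workflow (added example, not OTRS/STORM code).

Phase 2 of the plan is to decide from log data whether a security incident
has occurred; phases 3 to 6 need an auditable record of what was done.
The log lines, the heuristic, and the addresses below are constructed for
this example and are not taken from the page.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# The six phases of the plan, in the order the record must follow.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

# Constructed sample: SSH authentication lines plus one IDS alert line.
SAMPLE_LOGS = """\
Jun 20 10:01:02 gw sshd[411]: Failed password for root from 203.0.113.9 port 5001
Jun 20 10:01:03 gw sshd[411]: Failed password for root from 203.0.113.9 port 5002
Jun 20 10:01:04 gw sshd[411]: Failed password for admin from 203.0.113.9 port 5003
Jun 20 10:01:05 gw sshd[411]: Failed password for admin from 203.0.113.9 port 5004
Jun 20 10:01:06 gw sshd[411]: Accepted password for admin from 203.0.113.9 port 5005
Jun 20 10:02:00 gw sshd[412]: Failed password for bob from 198.51.100.7 port 6001
Jun 20 10:03:00 gw ids: [constructed-rule] ET MALWARE beacon from 10.0.0.5
"""

AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+) port")


def identify(log_text, threshold=3):
    """Phase 2: return findings worth opening an incident for.

    A finding is raised when a source that already produced at least
    `threshold` failed logins then succeeds (credential guessing that
    worked), and for every IDS line flagged as MALWARE.
    """
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            outcome, user, src = m.groups()
            if outcome == "Failed":
                failures[src] += 1
            elif failures[src] >= threshold:
                findings.append({"type": "auth-success-after-bruteforce",
                                 "source": src, "user": user, "evidence": line})
        elif "MALWARE" in line:
            findings.append({"type": "ids-alert", "source": None, "evidence": line})
    return findings


@dataclass
class Incident:
    """Minimal incident record: current phase plus a documented transition log."""
    title: str
    phase: str = "preparation"
    log: list = field(default_factory=list)

    def advance(self, next_phase, note):
        """Move to the next phase only in the defined order and only with a note."""
        idx = PHASES.index(self.phase)
        if idx == len(PHASES) - 1:
            raise ValueError("incident is already closed")
        if next_phase != PHASES[idx + 1]:
            raise ValueError(f"cannot go from {self.phase} to {next_phase}")
        if not note.strip():
            raise ValueError("each phase transition must be documented")
        self.log.append((next_phase, note))
        self.phase = next_phase
        return self.phase


def open_incident(findings):
    """Document the findings (phase 2) and open the incident on them."""
    inc = Incident(title=f"{len(findings)} finding(s) from log review")
    inc.advance("identification", "; ".join(f["type"] for f in findings))
    return inc


def run_example():
    """Carry one constructed incident through phases 2 to 6."""
    findings = identify(SAMPLE_LOGS)
    inc = open_incident(findings)
    inc.advance("containment", "isolated host 10.0.0.5; blocked 203.0.113.9 at gw")
    inc.advance("eradication", "root cause: weak admin password; rotated, host rebuilt")
    inc.advance("recovery", "host back in service; extended monitoring for 7 days")
    inc.advance("lessons_learned", "require MFA for SSH; alert on success after N failures")
    return findings, inc


if __name__ == "__main__":
    found, incident = run_example()
    for f in found:
        print("finding:", f["type"], f["evidence"])
    for phase, note in incident.log:
        print(f"{phase:16} {note}")
```

The record deliberately refuses to skip a phase or to advance without a note: the transition log is what the phase 6 wrap-up meeting reviews, and it is also the evidence of who decided what and when, which is exactly what is hard to reconstruct after the fact when the process is improvised.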
STORM powered by OTRS is security incident management software that supports the orchestration and automation of security incident response. It automates all processes, from warning to response, and ensures that all people, tools and services involved can work together for rapid incident management in the company.
About OTRS Group
OTRS Group is the manufacturer and the world’s largest provider of the enterprise service management suite OTRS, awarded with the SERVIEW CERTIFIED TOOL seal of approval.
It offers companies industry-independent solutions for structured communication in customer service, IT service management and security management. In addition to the core product OTRS, the security solutions STORM and CONTROL ensure efficient cybersecurity incident management and transparent documentation in accordance with standards such as ISO 27001.
Among its customers are Lufthansa, Airbus, Porsche, BSI (Federal Office for Security in Information Technology), Max Planck Institute, Toyota and TUI Cruises. The company consists of OTRS AG and its five subsidiaries OTRS Inc. (USA), OTRS S.A. de C.V. (Mexico), OTRS Asia Pte. Ltd. (Singapore), OTRS do Brasil Soluções Ltda. (Brazil) and OTRS Magyarország Kft. (Hungary). OTRS AG is listed on the basic board of the Frankfurt Stock Exchange. For more information, see www.otrs.com.