Incident Prevention, Incident Isolation and Response
2021-04-26

Regardless of your company’s size, from an attacker’s perspective you have financial resources or can be a conduit to another organization’s funds. Today’s average attack is often part of an advanced persistent threat (APT) that has been in a compromised environment for 200+ days. This is an Information Security risk that needs to be addressed in a proactive manner. Information Security is a process that moves through phases, building and strengthening itself along the way. Security is a journey, not a destination. Although Information Security has many strategies and activities, we can group them all into three distinct phases: incident prevention, detection, and response.

Each phase requires strategies and activities that move the process to the next phase. The dynamic growth of new threats attacking vulnerabilities requires timely adjustments to the methodologies in the incident prevention, detection, and response cycle. A change in one phase affects the entire process. A proactive strategy adjustment in the incident prevention phase will adjust the detection and response activities. Lessons learned during the response phase will be addressed in the planning of incident prevention measures and detection configurations. Each phase must be designed with adequate capabilities and management oversight to ensure that each phase contributes the requisite weighted amount to the reduction of risk from cyber threats to the organization. Such is the case with the DRS I𝜋&r managed service.

DRS coined the term I𝜋&r, which stands for (I)ncident (P)revention (I)ncident (I)dentification and (R)esponse (IPii&r) recast as I𝜋&r. Why introduce another acronym in an overcrowded field? Because our service is deeper than MDR and more continuous and affordable than IR. As such, a new way requires a new name: I𝜋&r.

Incident Prevention, Incident Identification, and Response (I𝜋&r)

A proactive approach to prevention, isolation, and response to keep environments compromise-free and isolate threats, preventing legal, reputational, financial and data losses. Putting I𝜋&r in place alongside good endpoint protection achieves a highly protected environment.

HOW WE DO IT

Overlay the Six Sigma DMAIC process on the incident response lifecycle and focus on incident prevention first and foremost.

Traditional Incident Response

  • YOU recognize YOU have a problem
  • YOU must trigger YOUR incident response plan, incurring downtime, loss of revenue and significant expenses
  • Incident response team deploys remediation tools POST exploitation, REACTIVELY establishing baselines, discovering anomalies, and isolating affected hosts
  • The process is extremely time-consuming. In fact, it can take 3-4 months, enabling the threat(s) to spread rapidly via lateral movement.

The Six Sigma Approach

  • Six Sigma centers around the DMAIC process (Define, Measure, Analyze, Improve, Control)
  • PROACTIVELY deploy relevant tools to define operating baselines via habitual environment sampling of what is normal in the environment
  • PROACTIVELY measure the results against pre-defined baselines to identify potential threats
  • PROACTIVELY analyze apps, user accounts, memory, YARA scan results, and all activity via our proactively deployed solution(s). Once analyzed, compare against the baseline to identify anomalies
  • PROACTIVELY improve your security posture by isolating impacted hosts
  • PROACTIVELY inject control measures to prevent the attack from returning

Six Sigma relies on statistical process controls to ensure uniformity across the environment. In this instance, uniformity in the beginning is about ensuring a compromise-free environment.

The very first step is to baseline the existing environment across all compute assets by:

  • developing thorough compromise assessments by identifying the appropriate endpoints, workstations and servers and utilizing the agentless technology of Infocyte™ to look for signs of compromise and artifacts of unauthorized activity with zero operational impact. Additionally, our solution looks at operating system configurations and searches volatile memory to detect signs of manipulation that could indicate hidden rootkit activity or signs of compromise. When suspicious executables are found, we use multiple third-party anti-malware and detection engines plus proprietary malware analysis on the backend to identify unknown “zero-day” malware.
  • assuming breaches have occurred and systematically hunting the attackers, malware, and threats sophisticated enough to evade the world’s best defensive technologies, and equipping users with robust capabilities to verify that endpoints are “clean,” either regularly or on demand.

Once a clean baseline is established, we continuously monitor 100% of the critical compute assets and, each quarter, sample 25% of the non-critical compute assets spread across the subnets in the environment. Over a one-year period, 100% of the total compute assets have therefore been evaluated on an ongoing basis. This statistical sampling of the environment has the following benefits for the client:

  • a higher percentage of APTs detected in the environment before they’ve acted, allowing them to be isolated, made available for deep forensic analysis, and eradicated from the environment.
  • a fast and accurate process that does not affect on-going business operations.
  • a cost-effective solution. Where our competition may be charging upwards of $18-$20 per asset per month just for monitoring, DRS rates are fractional for the entire lifecycle, meaning that even small businesses of 10 employees or less can afford the service.
  • for clients with limited budgets, a great approach to cybersecurity is to utilize the DRS I𝜋&r service and combine it with NGAV like Cylance™ or, worst case, Windows Defender™.
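An added example, not DRS code and not the Infocyte product, of the two mechanics described above: the rotating quarterly sample that reaches 100% of the non-critical assets in four quarters while critical assets are assessed every quarter, and the DMAIC "measure" step that compares a fresh sample against the baseline to surface anomalies. The inventory, subnets, hashes and baseline are constructed placeholders.

```python
from collections import defaultdict

# Constructed inventory (placeholder hosts): hostname -> (subnet, is_critical)
INVENTORY = {
    "dc01": ("10.0.1.0/24", True), "fs01": ("10.0.1.0/24", True),
    "ws101": ("10.0.1.0/24", False), "ws102": ("10.0.1.0/24", False),
    "ws103": ("10.0.1.0/24", False), "ws104": ("10.0.1.0/24", False),
    "ws201": ("10.0.2.0/24", False), "ws202": ("10.0.2.0/24", False),
    "ws203": ("10.0.2.0/24", False), "ws204": ("10.0.2.0/24", False),
    "ws205": ("10.0.2.0/24", False),
}
# Constructed baseline from the initial assessment: hostname -> hashes of
# executables observed running at baseline time (placeholder values)
BASELINE = {"dc01": {"h_lsass", "h_svchost"},
            "ws101": {"h_explorer", "h_svchost"}}

def quarter_plan(inventory, quarter):
    """Hosts to assess in quarter 0-3: every critical host plus a rotating
    25% slice of the non-critical hosts, taken per subnet so the sample is
    spread across subnets rather than clustered in one."""
    chosen = {host for host, (_, critical) in inventory.items() if critical}
    per_subnet = defaultdict(list)
    for host, (subnet, critical) in inventory.items():
        if not critical:
            per_subnet[subnet].append(host)
    for hosts in per_subnet.values():
        hosts.sort()  # fixed order makes the rotation reproducible
        chosen.update(h for i, h in enumerate(hosts) if i % 4 == quarter)
    return chosen

def annual_coverage(inventory):
    """True when four consecutive quarterly plans reach 100% of the inventory."""
    seen = set()
    for quarter in range(4):
        seen |= quarter_plan(inventory, quarter)
    return seen == set(inventory)

def anomalies(baseline, sample):
    """Measure a fresh sample against the baseline: per host, the hashes it was
    not running at baseline time. A host absent from the baseline has nothing
    to compare against, so every hash on it is reported for review."""
    findings = {}
    for host, hashes in sample.items():
        unexpected = hashes - baseline.get(host, set())
        if unexpected:
            findings[host] = unexpected
    return findings
```

Each finding is a candidate for isolation and deeper forensic analysis, not a verdict; the baseline itself must come from an assessment that was already judged clean.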

We realize that there’s no such thing as 100% security. Should evidence of compromise arise, we:

  • leverage independent and automated forensics-based analysis of physical and virtual environments with our DRS proprietary I𝜋&r cloud-based/assessment platform.
  • identify patient zero and respond to threats faster with automated timelining and triage using our Six Sigma based processes and tools.
  • create automated incident response actions and build custom extensions using our platform, if needed.
  • offer accurate and timely incident isolation response to remediate uncovered threats with our team of expert threat hunters, malware analysts and incident responders.

WHY IS THIS IMPORTANT?

Incident response is one of the most expensive cybersecurity offerings on the market, the primary reason being that insurance carriers for these firms carry the costs of remediation. To save money, many organizations assume that the protection they have against threats and their associated costs is sufficient. Unfortunately, that logic is faulty. Costs stemming from losses in reputation and revenues, fines and penalties from financial institutions, and legal costs to address the disclosure of personally identifiable information (PII) go way beyond what insurance carriers cover.

Your brand is your promise and we help keep that promise to your clients. Your reputation, their reputation and identities are safeguarded to the highest levels possible. Financial, reputational, and legal losses can be overwhelming and can materially cripple an organization. A great deal of focus on incident prevention with preparation can minimize risks and magnitude of exposure to such losses.

Any combination of cybersecurity technologies can’t prevent 100% of attacks, but we have a truly proactive approach to seek out adversaries and eliminate them: I𝜋&r. The current state of the cybersecurity industry with regard to MDR is reactive in nature, putting the “response” aspect at the forefront. When response is the focus, we essentially sit back and wait for a threat to occur, and then remediate only after the threat is identified. We simply do not operate this way at DRS.


WHY CHOOSE US?

WE’RE DRIVEN BY VALUE INNOVATION

We’ve developed strategic partnerships and vendor relationships with industry experts to offer world-class tools at exceptional rates. We’re constantly scanning the market to modernize our services, thus equipping our clients with comprehensive solutions and an infallible security posture. We render the competition irrelevant through value innovation, thus opening market opportunities that have historically been untapped.

WE LISTEN

Protecting all aspects of your business is our priority. Our dedicated staff will coordinate an exhaustive consultation process with your team to understand your unique requirements. From the conception phase to post-project support, we promise to deliver custom solutions to suit your needs, every step of the way!

WE’RE FLEXIBLE

Whether you require a turn-key solution or select services to address gaps with your in-house security team, we’ve got you covered! Our polyvalent approach is designed to improve your on-premise and cloud-based cybersecurity posture, around the clock, no matter the size of your company, infrastructure and budget.

WE’RE INTERNATIONAL

We have multiple teams readily available and are constantly expanding to new markets. Along with our head office in Columbus (US), we have experts in London (UK), Montréal (Canada) and Copenhagen (Denmark).

WE GIVE BACK

We support organizations that have a positive impact in their communities. We invest in philanthropic programs and rally around charitable work and causes that are important, because it’s part of our core values.

In recognition of their service to our country, Dark Rhino Security actively seeks to recruit and employ veterans throughout its workforce. The brave service members who have served our nation’s interests deserve employment and academic opportunities once their military service is at an end. We are very proud that almost 50% of our team have served our country.

WE’RE QUALIFIED

Our team is highly certified and offers training. Because our field is constantly evolving, we prioritize ongoing education and invest in cutting-edge technologies to respond to emerging trends with razor-sharp precision. As a result, our skilled engineers can deliver in-depth cybersecurity training to professionals of all paths.
