How does incident response work?

April 22, 2021

Welcome to week 5 of our Milton Q&A! This week we are answering the question:

“How does incident response work?”

Here at Milton Security we are able to support you through all phases of security incident response, from preparation to detection & analysis and on through containment, eradication and recovery. In fact, as a Managed Detection and Response service provider, the first phases are right there at the heart of what we do. You are partnering with us to get prepared, to be able to detect the bad thing happening and be able to analyze what it is and how to respond.

It’s really the containment, eradication, and recovery phases that we are talking about when we say incident response in our context. When we see something bad happening in your systems, we immediately alert you with the suspicious activity and provide some next steps that you can take to determine if this is a real problem or a false positive. And then our SOC analysts work through that process with you, in real time, direct communication, to determine if this is an incident.

Once the incident is declared, we help you through the containment and eradication phases directly. We have two different levels of Incident Response and we can bring in one, or both, of them as needed. First is the Milton Incident Response Team (MIRT), which consists of a cybersecurity incident manager, incident response analysts, and SOC team members as needed. In the event that more than remote support is required, we have Milton Security’s Expert Services that can provide an onsite Computer Security Incident Response Team (CSIRT) for you. Or the individual pieces that you are missing. Perhaps you just need a computer forensics specialist …. We have one for you.

The team goes to work, in collaboration with your team, to determine the complete scope of the incident and help you to create a containment strategy. The SOC is right there with them monitoring as that strategy goes in place to ensure that it is successful.

Once contained, eradication is next and our teams are prepared to provide you with the best approach to eradicate the threat. In the event that you need direct, onsite support, then the MIRT and Expert Services CSIRT can provide that, as well. The key here is that you are working in conjunction with our folks and we are acting as a cohesive team, rather than two separate entities. And finally, during recovery we are here to explore all of the event data and determine root causes and create plans to prevent re-occurrence.

The bottom line is that we become an extension of your Security Operations capabilities. As threat hunters, as security analysts, and as incident responders.

I’d love to hear from you with ideas about how we can do this better or support your organization, large or small, through a security incident.