Understanding the Costs of Incident Response: Proper Security Controls

To round out our series on Understanding the Costs of Incident Response, we will discuss the impact proper security controls can have on both the frequency and severity of cyber incidents. In our first blog, we looked at two organizations: one, a typical ransomware victim with legacy or absent controls deployed; and the other, a well-prepared peer with modern, thoroughly deployed controls. In these two scenarios, the estimated incident response costs for the well-prepared peer are significantly reduced: an estimated $650k vs. $2.9million for the typical victim. How did the well-prepared peer achieve such savings when facing the same incident profile?

Controls can limit the impact of cyber incidents in two ways – by preventing attacks in the first place (preventative controls), or by reducing the severity and cost of a successful attack (mitigatory controls). Some controls focus solely on one front, while others contribute to both. Let’s consider how five common controls fall into this spectrum.

Preventative
Email security products detect and filter social engineering attempts, malicious attachments, and harmful links to prevent initial compromise, the first stage of the attack lifecycle. While important, they will not limit the “blast radius” of a successful attack.

Preventative Lean
Multifactor authentication (MFA) requires a second factor beyond passwords, like possession of a key or bio-identifier, before access is granted. This addresses risk presented by user password hygiene and account compromise. MFA plays a huge role in preventing unauthorized access to sensitive services like VPN and email. While MFA can also limit the impact of a successful attack, prevention is the primary use case.

Preventative + Mitigatory
Endpoint Detection & Response (EDR) has two core features: the first is next-generation antivirus that prevents malicious activity from running on endpoints, a fundamental prevention control. But EDR also supports incident response efforts, allowing cyber response teams to quickly react to malicious behavior and extinguish attacker access. Endpoint protection is a great example of a control that plays both preventative and mitigatory roles.

Mitigatory Lean
Privileged Access Management (PAM) tools command accounts that have elevated privileges in your IT environment, preventing account abuse and poor internal password hygiene. While PAM can prevent an attacker from establishing a foothold (de-facto prevention), the primary use case is limiting the blast radius of a successful attack by preventing privilege escalation and, often, lateral movement.

Mitigatory
Backups allow organizations to quickly recover from a destructive event like a ransomware attack. Immutable backups can be one of the most significant cost savers during an incident, as they can eliminate the need for ransom payments and protracted recovery efforts. While backups are indisputably an elementary control for any security program, they are a wholly mitigatory control.

No control discussion is complete without emphasizing the importance of robust implementation and adoption. Almost no cyber control is “set it and forget it”, and poor deployments give false confidence that can be worse than missing the control altogether. As a for-instance, almost all our incident response clients have some sort of backup system, but nearly 60% of those backups are unusable during the incident due to incomplete collections or poor defense of the backup system itself. Do not let legacy products or complacency undermine the effectiveness of your risk investments.

True cyber resilience demands a defense-in-depth strategy with a combination of preventative and mitigatory controls. Organizations that focus on implementing a holistic approach tailored to their specific needs instead of a one-size-fits-all solution can significantly reduce the frequency and costs associated with cyber incidents.

Planning isn’t passive! We recommend building a thoughtful roadmap with several phases to be sure your cybersecurity program has the breadth and depth to stand resilient in the face of today’s threats.

Need help evaluating controls or building out a plan to improve your security posture? Contact us at ask@moxfive.com or on our website.