Incident Response and Containment Services

Once you’ve detected a cybersecurity attack, it’s essential to respond fast. That’s why we monitor your systems 24/7/365, working quickly to contain and eradicate threats.


Are you prepared to contain a cyber threat?

It’s tough to keep up without dedicated resources.

  • You don’t know when a breach occurs.
  • You don’t have monitoring tools.
  • You don’t have a comprehensive view of security.
  • You don’t have enough staff resources.
  • You don’t have time to manage this.
  • You just need to stay secure.

Get comprehensive cybersecurity coverage.

Let's go beyond response and containment to secure your business.

Managed Cybersecurity Services

Get the comprehensive cybersecurity team you need for roughly the cost of ONE staff hire. Our team handles monitoring, threat detection, remediation, and more, while you focus on your core business.


SOC As A Service

Get the security operations center you need with a team that works 24/7/365. Our SOC never sleeps as we protect your data, systems, customers, and internal users from emerging cyber threats.


Backup & Disaster Recovery

Are you backing things up as you should? Get peace of mind knowing your data is secure. Our solutions cover two essential components—data backup PLUS disaster recovery plans and processes.


Managed Detection & Response (MDR)

If you can’t detect a cyberattack, you can’t even respond. Managed detection and response gives you the technology, the people, and the monitoring processes to lock down cyberattacks.


Managed Patching

Who’s checking your patches? Do they have the time and energy for this essential function? Let our team manage your patching (Windows and third party) so you can focus on your core business.


Penetration Testing

Are you easy to hack? How would you even know before the unthinkable happens? Penetration testing puts your systems through a rigorous evaluation. You get actionable steps to improve security.


Phish Testing & Awareness Training

People will always be the weakest link in cybersecurity. Make sure your team is informed, tested, and up-to-date on the latest threats like spear phishing, whaling, cross-site scripting attacks, and more.


Cybersecurity Risk Assessment

It’s impossible to eliminate risk. But what if you could quantify it—PLUS define a threshold of acceptable risk and take action to improve? It all starts with a cybersecurity risk assessment from our team.


Get the incident response and containment you need.

In today’s cyberthreat landscape, businesses must maintain cyber readiness to defend their systems against ransomware, email compromise, and other advanced security threats.

Our full-scale services detect and close down threat actors quickly. We’re so confident in our abilities, we offer FREE incident remediation services, with limitations. See our Cybersecurity Service Guarantee for more.

See Our Security Operations Center

Watch to learn more about what a SOC is and the role it plays in keeping businesses up and running. A Security Operations Center is the reporting point for a lot of different toolsets. A firewall or antivirus is no longer enough to protect your business. Advanced monitoring toolsets and techniques are required to detect and remediate cybersecurity threats.

Ready to get expert cybersecurity support?

Fill out this form, and we’ll respond within one business day. Let’s explore how we can support your business with robust cybersecurity services.

Not ready to contact sales?

Continue your journey with these resources.

Incident Response and Containment 101

What processes and roles should you establish BEFORE an incident occurs? What does the incident response process look like? Here’s everything you need to know.

When a cybersecurity incident occurs, it’s all hands on deck.

But the best response process in the world won’t help if your organization isn’t prepared before an incident occurs.

In this article, we’ll cover everything you need to establish before an incident.

Then we’ll cover the actual process of incident response and containment.

What you need to establish BEFORE an incident


1. SOC (security operations center)

Your SOC is the lifeblood of your cybersecurity operations. Without a SOC and the experienced professionals and technology that accompany it, it’s nearly impossible to respond to an incident—let alone contain it.

Here’s a brief overview of what a SOC gives you.

  • Professional cybersecurity experts. At the end of the day, cybersecurity will always require skilled professional resources. No SOC is complete without a dedicated team.
  • 24/7/365 human monitoring. It’s one thing to leave monitoring systems running 24/7/365. But if there’s no one there to respond when the unthinkable happens, then those systems aren’t much good. A SOC provides the continuous human monitoring you need.
  • Essential cybersecurity software like MDR and SIEM. MDR (managed detection and response) is an essential solution that your cybersecurity experts will use to detect and respond to incidents. SIEM (security information and event management) aggregates as much security information as possible in a single user interface while also empowering administrators to respond to events.

Midmarket organizations typically can’t handle all this on their own. Existing IT staff can’t cover the additional workload of cybersecurity—and they don’t often have the experience to do so. Hiring dedicated cybersecurity professionals is difficult due to high salary expectations and frequent churn.

For these reasons, midmarket organizations often outsource this function to a cybersecurity managed services provider.

2. Full documentation of your network

When a cybersecurity incident occurs, one of the first things your analysts will do is try to contain the threat. To achieve this, they need full documentation of your network. This includes things like:

  • Network topology
  • Server rack diagram (for on-premises networks)
  • Cloud architecture (for cloud networks)
  • IP address map
  • Full inventory of network hardware and software
  • Wireless network documentation

You should have this documentation in place anyway, but the key here is to keep it up to date. You want to be prepared when an incident occurs.

3. Systems and processes for backup and disaster recovery

No network, device, or cloud system is immune to catastrophe. A cybersecurity incident can result in data loss or corruption, making backup and recovery an essential function to establish before an incident occurs.

Due to the expense and skilled labor required, many midmarket organizations outsource this function to an MSSP (managed security services provider). Learn more here: Backup And Disaster Recovery Services.


4. Business continuity plan

This might sound similar to backup and disaster recovery, but it’s actually quite different.

Backup and disaster recovery is about restoring essential business systems and technology infrastructure after a devastating incident.

Business continuity is about keeping a business operational during a disaster.

5. Incident response plan

This is the backbone of your incident response readiness. It defines your incident response processes (which we’ll cover below) so there are no questions when the unthinkable occurs.

There is no one-size-fits-all approach to this plan. Here are some excellent resources on structuring your plan.

Some organizations may not have the bandwidth to create this plan on their own. An MSSP can help craft a plan that fits the unique processes and regulatory requirements governing your organization.

6. Assigned roles for your incident response

While your plan should include role assignments, it’s worth calling this out separately. Before an incident ever occurs, you want to have several roles filled, as CISA (the U.S. Cybersecurity & Infrastructure Security Agency) explains.

  • Incident manager. This is the person who leads the entire response to the incident.
  • Technology manager. This is the person who can lead the response from a technical perspective.
  • Communications manager. This is the person responsible for all incident-related communications, whether internal or external.

For midmarket organizations, it may be challenging to assign some or all of these roles in-house. For these organizations, an MSSP (managed security services provider) can assist.

Incident response and containment processes


The exact process you use will depend on your incident response plan. Different plans may use different terminology or combine certain steps together.

However, speaking generally, here are the steps involved in incident response and containment.

1. Detection and identification/analysis

Incidents are typically detected by sophisticated software like MDR (managed detection and response), which may use powerful algorithms and even AI to spot anomalous behavior on your network. This allows your cybersecurity analysts to ignore harmless network traffic and focus on activity that looks suspicious.

Once automated systems have detected an incident, your cybersecurity specialists will identify it. This means gathering the specific information they need to contain the threat—such as systems affected, type of attack, IP address of origin, and more. Your specialists will begin a rigorous process of documentation that will aid not only in the incident response, but also in communication with law enforcement and in preparation for any potential legal action.

2. Containment

Once your cybersecurity analysts know what they’re dealing with, they’ll move fast to contain the threat.

Effective containment will mean different things depending on which systems are compromised. For example, if a workstation has malware installed on it, the first step in containment is to isolate that machine from the network and from all other machines. Cybersecurity specialists can do this remotely using software that still allows them to access the machine after it’s been cut off from the network.

If an essential device like a server is compromised, containment gets more complicated. Specialists must take into account the presence (or absence) of redundant server resources, as well as the potential impact to operations and revenue—both for leaving the server online, and for taking it offline. Experience and understanding of the scenario are essential for making the right decisions here.

3. Investigation

Earlier in the process, your cybersecurity analysts had to prioritize containment over full analysis. This means they only gathered as much information as they needed to contain the threat.

Now that the threat is contained, it’s time to get the full story. Your cybersecurity specialists will uncover as much information about the incident as possible. They’ll consult SIEM (security information and event management) software, as well as any additional logs required. All along the way, they’ll continue to document everything they find to support communication with stakeholders, customers, and law enforcement—as well as providing an evidentiary foundation for responding to any legal action.

4. Eradication

Now it’s time for your cybersecurity specialists to destroy the threat.

Eradication looks different depending on the type of attack, but here are some actions that typically occur.

  • Deletion of any malware installed on a device
  • Device reimaging (full wipe and installation of a new operating system), as required
  • Closing user accounts compromised in the attack (or resetting their passwords)
  • Blocking IP address(es) from which the attack originated

5. Recovery

You can’t go back to life as usual after eradicating a threat. The information gathered in the incident response process will offer numerous takeaways for making your environment more secure. The key is to turn that information into real changes to systems, hardware, and processes.

Here are some common changes that companies make during the recovery process.

  • Enforcing MFA (multi-factor authentication) on all email accounts
  • Catching up on patching (and implementing a plan to stay on top of it from now on)
  • Deprecating outdated systems and hardware that don’t support modern security controls
  • Updating network access policies to make it harder for criminals to get in
  • Moving toward a Zero Trust framework

Whatever changes have been implemented, it’s a good idea to test them for effectiveness. A network penetration test can determine how effective these changes are.

Getting the incident response plan and service you need

As you can see, it’s a fairly significant responsibility to develop and implement an incident response plan—then actually respond when an incident occurs.

Many midmarket companies don’t have the resources to achieve this in-house. IT staff have their hands full with day-to-day operations. This leaves no bandwidth for a programmatic approach to incident response, and it makes real-time containment and eradication almost impossible.

This is one reason MSSPs exist. The right partner can advise on the right incident response framework for your organization—and they can create a plan from that framework that’s tailored to your unique operations.

The key, though, is to insist on an MSSP who not only notifies you of incidents, but also remediates them.

Unfortunately, most MSSPs don’t actually remediate incidents. They only provide notification to their client (and/or to the client’s MSP or managed IT service provider). Under this model, incident response and containment gets broken up across multiple vendors and teams. This destroys any synergy across the process. It can lead to essential information getting lost and, at worst, incomplete attempts at containment and eradication.

Choosing an MSSP who offers full or partial cost coverage for their incident response services

Midmarket organizations without cybersecurity experts on staff should look for comprehensive MSSP coverage. Decent MSSPs will handle cybersecurity from top to bottom, including the entire incident response and containment process.

But the best MSSPs go beyond this. They offer cybersecurity service guarantees that cover the cost of their services to remediate an incident (with limitations).

That’s what we do here at Corsica Technologies. Our Corsica Service Guarantee empowers us to cover some or all of the cost of services to remediate incidents on our clients’ systems. As far as we know, this is the only service guarantee of its kind in the industry. See the link for details and limitations.

Want to learn more? Get in touch with us today. Let’s talk about your incident response and containment process—and how we can help.

Go deeper with cybersecurity.

FAQs

What are incident response and containment services?

MSSPs (managed security service providers) offer these services to shut down cyber attacks against their clients. Incident response and containment uses a variety of sophisticated tools, alongside experienced human vigilance, to lock down cyber attacks in real time and contain the damage.

Who needs incident response and containment services?

Organizations of all sizes, in every industry, are vulnerable to cyber attacks. Criminals don’t discriminate between those who can afford a devastating breach and those who can’t. That means every company is in a better position with these services than without them.

What should I look for in a cybersecurity services partner?

Look for a partner who meets your needs in two essential ways:

  • The right capabilities and services
  • Acts like a true partner (easy to work with)

Both components are critical. A partner can have all the right capabilities and services, but if they’re a real pain to work with, the relationship may cause more headaches than it’s worth.

On the other hand, a partner could be great to work with—but if they have inexperienced technicians or they don’t cover all your needs, then things still aren’t working.

In terms of capabilities and services, look for a partner who covers all your needs:

  • Managed cyber security
  • Managed IT support services
  • EDI + data integration
  • Cloud system services
  • vCIO consulting

In terms of finding a provider who acts as a true partner, look for these characteristics:

  • Unlimited technology services for one predictable monthly price (i.e. no nickel-and-diming)
  • Approachable, professional, and empathetic
  • Has a “can-do” attitude

Here at Corsica Technologies, we’ve got it all covered. From unlimited services to predictable pricing and a “can-do” company culture, we’re making life easier for the people we serve. Contact us today to see what life could look like as a Corsica client.

Are you just another cybersecurity service provider? How is Corsica different from other providers?

Most MSSPs claim to be a true partner, but they don’t deliver. Rather than valuing the relationship, they nickel-and-dime their clients when it comes to billing. Fluctuating ticket counts and workstations can create unpredictable invoices. This helps the service provider—but it doesn’t help you.

That’s why we’re fixing the cybersecurity support experience for companies that deserve better. We are the only managed service provider to offer unlimited technology services for one predictable price. That’s what makes us so different. It’s really that simple!

As far as our specific services, we cover essential initiatives like IT, cybersecurity, and digital transformation—but we also cover more technologies than most MSPs do. We also handle EDI and data integration services, which are highly specialized.

In other words, you can hand off as much of your technology to us as you want. And you can do it for one simple monthly price.

So no. We’re not just another MSP.

Want more details? See how Corsica compares to the alternatives.

Do you really handle EDI as well as IT and cybersecurity?

Yes! We’re one of the few technology service providers who cover EDI solutions in addition to standard services like IT and cybersecurity support. Our career experts in EDI work closely with our cyber and IT teams to ensure all your essential systems run smoothly—with a strong security practice at the core.

In fact, this is one of your biggest advantages. It allows you to work with one provider instead of acting as a referee between different partners who don’t care about mutual success. Here’s how our coverage looks:

[Venn diagram: MSP vs MSSP vs EDI coverage]

We already have technology staff. Can you work alongside us?

Absolutely! Our services are flexible. We can cover all your needs in a “fully managed” scenario—or we can act as an extension of your staff in a “co-managed” scenario. It all comes down to what resources you have today, what you need, and where your gaps and goals are.

We only need cybersecurity, not IT or EDI. Are you flexible?

Yes! Our services are designed to work around your needs. We are the team that will say YES to your requirements and what you need. We realize that when you need technology support you need a team that will respond and resolve quickly.

Contact us and let us know what you’re looking for.

We already have managed IT support services. Do we need a cybersecurity solution?

Cybersecurity is a distinct need that requires constant monitoring as well as a strong strategy. If a threat arises, there’s no time to assemble a team to get up to speed. You need that team in place, and they need sophisticated tools to detect threats, respond, and defend your business. This is why companies turn to a cybersecurity service provider for help.

Do you offer strategic help as well as technology administration?

Absolutely! Our flagship service package, Corsica Secure, includes consulting from a vCIO/vCISO (virtual CIO/CISO). This C-level leader is a career expert in technology who works alongside you to plan out a 3-year technology roadmap, ensuring you never get blindsided by a technology investment.

We also offer project-driven consulting outside of our recurring services. Just get in touch with us to learn more!

What does life as a Corsica client look like?

Great question. Everything we do is ultimately about people, and you’ll see that reflected in our day-to-day interactions. You shouldn’t have to deal with techs who don’t care and can’t actually fix the problem. We only hire next-level humans who are career experts in their fields.

Our team is:

  • Approachable and empathic
  • Responsive and respectful
  • Intelligent and experienced
  • Proactive problem-solvers

Our internal processes and operations are built for one purpose—to make life easier for you. To facilitate this, every client has expert personnel assigned to their journey:

  • Customer Experience Advisor
  • Onboarding Admin
  • Account Executive
  • vCIO/vCISO (virtual CIO/CISO)

As far as communication, our team is always available 24/7/365 for any technology problem. Because our pricing is simple, you’ll never get billed more when you need more. It’s all included. This empowers your team to go on doing what they do best—rather than fighting technology problems.

Ready to talk to an expert?

We’ll respond within 1 business day, or you can grab time on our calendar.