4.3.3 Response & Remediation
Patching, segmentation, exceptions.
Response and remediation are the tactical activities an organization performs to address identified vulnerabilities and mitigate the impact of security incidents.
Risk Response Strategies Before implementing technical fixes, management must decide how to handle identified risks based on cost-benefit analysis. - Risk Mitigation: Implementing security controls to reduce the likelihood or impact of a threat (e.g., installing a firewall). - Risk Avoidance: Choosing to stop an activity or decommission a system that poses an excessive or unnecessary danger. - Risk Acceptance: Acknowledging a residual risk when the cost of additional controls exceeds the value of the asset or the risk’s impact. - Risk Transference: Shifting the financial burden of a risk to a third party, such as through cybersecurity insurance.
Remediation Techniques Active remediation involves technical changes to the environment to close gaps identified during vulnerability scans or threat hunting. - Patch Management: The systematic application of updates to software and firmware. This is the primary method for fixing known vulnerabilities. - Hardening: Disabling unnecessary services, closing unused ports, and changing default credentials to reduce the attack surface. - Configuration Compliance: Using automated tools to ensure all endpoints match a baseline security profile. - Compensating Controls: Alternative security measures put in place when the primary remediation (like a patch) cannot be applied.
Network Segmentation and Isolation If a threat is detected, organizations use architectural changes to prevent lateral movement. - Segmentation: Dividing a network into smaller, isolated subnets via VLANs or firewalls to contain breaches. - Isolation: Completely disconnecting a compromised host from the network to prevent data exfiltration or malware spread. - Sandboxing: Using a virtualized, isolated environment to test suspicious files or patches before they are deployed to the production network.
Exceptions and Residual Risk Remediation is not always immediate or possible due to business constraints. - Exceptions: Documented instances where a specific security policy is not followed, often due to legacy system requirements or high-priority operational needs. - Residual Risk: The risk that remains after all mitigation efforts have been applied. Management must periodically reassess these to ensure they remain within acceptable levels. - Reporting and Escalation: Serious risks or active breaches must be reported to stakeholders, including government agencies or customers, depending on regulatory requirements.
Quick recall - Mitigation = Reducing risk. - Avoidance = Stopping the risky behavior. - Residual Risk = What’s left after you apply controls. - Patching = Primary remediation for software vulnerabilities. - Segmentation = Containment tactic to stop lateral movement. - Breach Notification = Mandatory reporting to victims and authorities.