‘Non‘ Security Incident: Although it may seem like all odds are stacked against the good guys and gals, preparedness and thorough strategy are the two attributes that cyber criminals can not take away from incident responders.
All too often, companies find themselves in the middle of an information security incident crisis. Minutes or seconds can make the difference between resolution and chaos. Incident response teams are emergency first responders in a security incident, event, but what happens when an incident isn’t security related? Not a “glass shattering” event?
Not every security incident is triggered in the same way. When it comes to email incident response, we often think of security incidents like successful phishing attempts, credential theft, and compromised accounts that need to be remedied immediately. Sometimes an email incident is just a “blushing scenario.”
The recent email slip-up from the White House (a staff member emailed Trump-Ukraine talking points to Democrats and later sent another message trying to recall the original message) underscores an often overlooked but high-profile use case – an email incident that isn’t necessarily a security threat.
When we look at this from the viewpoint of a corporate security team, this type of email mistake has implications and can create a lot of preventable work. Perhaps a distracted CFO accidentally sends a company-wide email containing sensitive information or unintentionally emails the wrong document? When these kinds of events happen, time to contain the slip-ups still matters.
Without the proper tools in place, how quickly can IT admins or security analysts remove these “mistake” email messages from company inboxes? There certainly are times when Incident Response capabilities that are integrated into security platforms come in handy, even without an active security incident.
For example, let’s say you’re an Incident Response Manager at a global enterprise with over 65,000 employees. Your CEO calls you (yes, on the phone) and yells that he has sent an email of a “personal nature” to the entire company. “Remove it immediately!” Now what?
We see this happen a lot. Without the proper tools in place to be able to see exactly who received the message, who opened it, and to quickly redact all of the content from inboxes before anyone can read it, your CEO would’ve been placed in a compromising position.
Not every security incident is a disaster, but many can easily become one. User friendly, auto-fill features can easily send sensitive data unintentional to the wrong recipients with just a few keystrokes. Emails mistakenly sent to the wrong person also pose a real danger to corporate information, so it is important to manage messages at every step within the email life-cycle.
This is why comprehensive email security strategies should incorporate tools and processes capable of managing email post-delivery in addition to preventing phishing and social engineering.
One of the most important metrics in incident response is the time it takes to contain an event. Pre — and post — message delivery protection is key. From automated removal to easy bulk remediation, integrated security incident response capabilities can speed response times, making it easier for security analysts to perform bulk removal on “mistake” emails that have already made it to employee mailboxes.
In addition, having robust search and forensic capabilities within an email security platform helps to easily search against any combination of factors from relatively simple content-based keywords to metadata. Comprehensive forensic capabilities can quickly and precisely tell admins who received a given email message and when.
Fast and resilient removal mean that response teams can protect their employees (or disoriented executives) from both phishing threats and “blushing scenarios,” unlike the manual, multi-step process on which other email security tools rely.