Thanks to hard-won experience, most managed service providers (MSPs) have an IT incident response plan in place to cope with any disruption to their business. In contrast, however, it turns out most internal IT organizations don’t.
At a time when distributed denial of service (DDoS) and ransomware attacks are making it apparent just how weak many of the cyber defenses that organizations have put in place really are, large numbers of IT organizations are struggling to cobble together an incident response plan. MSPs that already have IT incident response planning expertise in place based on established best practices should not overlook that opportunity.
IT incident response planning the right way
A new report from the Institute for Critical Infrastructure Technology (ICIT) describes the extent of the challenge facing IT organizations. The report specifically notes that it’s in the best interest of service providers to make sure IT incident response plans will work as designed. In addition, an incident response plan will likely need to include information on how to contact Internet service providers (ISPs) and hosting providers. The internal IT staff will need to know whether the organization receives DDoS mitigation services from an ISP under the terms of any existing service-level agreements.
But the ICIT report makes it clear that incident response planning needs to start well before an attack is launched against the company. The report recommends that during the initial risk assessment the information security team should harden the configuration settings of network assets, operating systems, applications, and endpoints. Unnecessary services and applications should be removed from systems, and unused ports should be closed.
The impact of a DDoS attack can also be mitigated by implementing application and traffic allowlists as well as block lists at the network boundary. Those boundary controls should include service screening on edge routers, segmenting and compartmentalizing critical services, and creating single-purpose servers for services such as HTTP, FTP, and DNS whenever possible, so that each server exposes only the ports its one role requires.
The ICIT report also notes that applications and network operability should be tested by having the mitigation service generate controlled stress traffic of a few Gbps to validate alerting, activation, and mitigation features, with an eye toward ensuring that routing and DNS remain operational under the load. Finally, the plan needs to identify which essential services need to be prioritized and, just as importantly, which ones can be turned off.
The key to putting any kind of incident response plan in place, of course, is access to current network diagrams, IT infrastructure details, and a current asset inventory. IT monitoring tools that discover assets and services on the network are going to be critical to crafting an incident response plan.
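The hardening, boundary-control and inventory steps above fit together as one audit: start from the discovered asset inventory, compare what each host actually listens on against what its single-purpose role should expose, and derive both the list of services to remove or close and the allowlist the edge filter should enforce. The following is an added example written for this page, not code from the ICIT report or from any MSP tooling. The inventory text, the per-role allowlists and the always-close port list are constructed assumptions for illustration; a real run would feed in the output of the organization's discovery tool.

```python
"""Audit an asset inventory against per-role service allowlists.

Added example (not from the ICIT report or the article). Given a
constructed inventory of hosts, each with an assigned role and the TCP
ports observed listening on it, report listeners that fall outside the
role's allowlist (candidates to remove or close) and derive the inbound
allowlist an edge filter should permit for each single-purpose server.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Per-role allowlists: the only ports a single-purpose server of that role
# should expose. These values are assumptions for the example.
ROLE_ALLOWLIST: Dict[str, Set[int]] = {
    "web": {80, 443},
    "dns": {53},
    "ftp": {21},
    "management": {22},
}

# Ports that should never be reachable from the boundary, whatever the role
# (telnet, NetBIOS session, SMB). Also an assumption for the example.
ALWAYS_CLOSE: Set[int] = {23, 139, 445}

# Constructed sample inventory in a simple "name,role,ports" line format.
INVENTORY = """\
# name,role,listening tcp ports (constructed sample data)
web01,web,80 443 22
dns01,dns,53 23
ftp01,ftp,21 445 8080
mgmt01,management,22
legacy01,appserver,3389
"""


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    listening: frozenset  # observed listening TCP ports


@dataclass(frozen=True)
class Finding:
    host: str
    port: int        # -1 when the finding concerns the host, not a port
    reason: str


def parse_inventory(text: str) -> List[Host]:
    """Parse 'name,role,space-separated ports' lines; skip blanks and comments."""
    hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, role, ports = (part.strip() for part in line.split(",", 2))
        hosts.append(Host(name, role, frozenset(int(p) for p in ports.split())))
    return hosts


def audit(hosts: List[Host],
          allowlists: Dict[str, Set[int]] = ROLE_ALLOWLIST,
          always_close: Set[int] = ALWAYS_CLOSE) -> List[Finding]:
    """Return one finding per listener that should be removed or closed.

    A host whose role has no allowlist is itself a finding: the plan cannot
    say what it should expose, so it cannot be compartmentalized yet.
    """
    findings = []
    for h in hosts:
        allowed = allowlists.get(h.role)
        if allowed is None:
            findings.append(Finding(h.name, -1, f"unknown role {h.role!r}: no allowlist defined"))
            continue
        for port in sorted(h.listening):
            if port in always_close:
                findings.append(Finding(h.name, port, "on always-close list"))
            elif port not in allowed:
                findings.append(Finding(h.name, port, f"not permitted for role {h.role!r}"))
    return findings


def boundary_allowlist(hosts: List[Host],
                       allowlists: Dict[str, Set[int]] = ROLE_ALLOWLIST) -> Dict[str, Set[int]]:
    """Ports the edge filter should permit inbound per host: role allowlist
    intersected with what is actually listening. Everything else is denied
    by default, and hosts with an unknown role get no inbound permits."""
    permits = {}
    for h in hosts:
        allowed = allowlists.get(h.role)
        if allowed is not None:
            permits[h.name] = set(allowed) & set(h.listening)
    return permits


if __name__ == "__main__":
    hosts = parse_inventory(INVENTORY)
    for f in audit(hosts):
        target = f.host if f.port < 0 else f"{f.host}:{f.port}"
        print(f"CLOSE   {target:<14} {f.reason}")
    for name, ports in boundary_allowlist(hosts).items():
        print(f"PERMIT  {name:<14} tcp {sorted(ports)}")
```

Running the script lists the listeners to shut down (the stray SSH on the web server, telnet on the DNS server, SMB and an unexplained 8080 on the FTP host) and flags the host whose role has no defined allowlist, then prints the per-host inbound permits that an edge ACL would carry. The same two functions can be re-run after hardening to confirm the audit comes back empty before the controlled stress test is scheduled.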
New opportunities for MSPs
Put it all together, and it quickly becomes apparent that most IT organizations are ill-equipped to craft, much less implement, an incident response plan. MSPs, on the other hand, are generally more practiced in the art of incident response because their business depends on it. In fact, it's only a short leap from providing backup and recovery as a service to managing incident response. For many MSPs, incident response planning is not only an opportunity they shouldn't ignore; it creates a critical service that binds customers to their MSP at their time of greatest need.
In an age when most managed services are delivered on the thinnest of profit margins, most MSPs are looking for ways to bring additional value to their customers. A managed incident response service that is already operational when a cyberattack commences is going to be viewed by most organizations as nothing short of priceless.