While it may seem like all odds are stacked against the good guys and gals, preparedness and comprehensive planning are the two things that cyber-criminals can’t take away from incident responders.
All too often, companies find themselves in the middle of an information security crisis. Minutes or seconds can make the difference between resolution or chaos. Incident response teams are emergency first responders in a security event, but what happens when an incident isn’t security related? Not a “break-the-glass” event?
Not all incidents are created equal. When it comes to email incident response, we often think of security incidents like successful phishing attempts, credential theft, and compromised accounts that need to be remediated immediately. Sometimes an email incident is just a “blushing scenario.”
The recent email slipup from the White House (a staff member emailed Trump-Ukraine talking points to Democrats and later sent another message trying to recall the original message) underscores an often overlooked but high-profile use case – an email incident that isn’t necessarily a security threat.
When we look at this from the viewpoint of a corporate security team, this type of email mistake has real implications and can create a lot of preventable work. Perhaps a distracted CFO accidentally sends a company-wide email containing sensitive information, or unintentionally attaches the wrong document. When these kinds of events happen, the time it takes to contain the blunder still matters.
Without the proper tools in place, how quickly can IT admins or security analysts remove these “mistake” email messages from company inboxes? There certainly are times when IR capabilities that are integrated into security platforms come in handy, even without an active security incident.
For example, let’s say you’re an IR manager at a global enterprise with over 65,000 employees. Your CEO calls you (yes, on the phone) and yells that he has sent an email of a “personal nature” to the entire company. “Remove it immediately!” Now what?
We see this happen a lot. Without the proper tools in place to see exactly who received the message and who opened it, and to quickly redact all of the content from inboxes before anyone can read it, your CEO would be left in a compromising position.
Not every security incident is a disaster, but many can easily become one. User-friendly auto-fill features can send sensitive data to the wrong recipients with just a few keystrokes. Emails mistakenly sent to the wrong person also pose a real danger to corporate information, so it is important to manage messages at every step of the email lifecycle.
This is why comprehensive email security strategies should incorporate tools and processes capable of managing email post-delivery in addition to preventing phishing and social engineering.
One of the most important metrics in incident response is the time it takes to contain an event. Both pre-delivery and post-delivery message protection are key. From automated removal to easy bulk remediation, integrated incident response capabilities speed response times, making it easier for security analysts to perform bulk removal of “mistake” emails that have already reached employee mailboxes.
In addition, robust search and forensic capabilities within an email security platform make it easy to search on any combination of factors, from simple content keywords to message metadata. Comprehensive forensic capabilities can quickly and precisely tell admins who received a given email message and when.
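To make the search, forensics and containment-time ideas in the two paragraphs above concrete, here is an added example (not code from the original article or from any email security product it describes). It assumes a hypothetical, constructed message-trace export in CSV form with `Deliver`, `Read` and `Remove` events; real exports from mail platforms use different column names but carry the same information. The script searches the trace by any combination of message ID, sender and subject keyword, builds a per-recipient remediation plan for a mistakenly sent message (who still holds it, who has already opened it), and computes the time-to-contain metric from first delivery to completed removal.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample message-trace export. The format (columns and event names)
# is an assumption made for this example, not any vendor's real schema.
SAMPLE_TRACE = """\
timestamp,event,message_id,sender,recipient,subject
2023-05-01T09:00:02Z,Deliver,<m1@corp.example>,ceo@corp.example,alice@corp.example,Personal note
2023-05-01T09:00:02Z,Deliver,<m1@corp.example>,ceo@corp.example,bob@corp.example,Personal note
2023-05-01T09:00:03Z,Deliver,<m1@corp.example>,ceo@corp.example,carol@corp.example,Personal note
2023-05-01T09:01:10Z,Read,<m1@corp.example>,ceo@corp.example,bob@corp.example,Personal note
2023-05-01T09:00:05Z,Deliver,<m2@corp.example>,hr@corp.example,alice@corp.example,Benefits update
2023-05-01T09:03:00Z,Remove,<m1@corp.example>,ceo@corp.example,alice@corp.example,Personal note
"""


def parse_trace(text: str) -> List[Dict[str, str]]:
    """Parse the CSV trace export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def search(records: List[Dict[str, str]], *, message_id: Optional[str] = None,
           sender: Optional[str] = None, keyword: Optional[str] = None) -> List[Dict[str, str]]:
    """Filter trace rows on any combination of factors (all given filters must match)."""
    hits = []
    for r in records:
        if message_id and r["message_id"] != message_id:
            continue
        if sender and r["sender"].lower() != sender.lower():
            continue
        if keyword and keyword.lower() not in r["subject"].lower():
            continue
        hits.append(r)
    return hits


def remediation_plan(records: List[Dict[str, str]], message_id: str) -> Dict[str, object]:
    """Work out, per recipient, whether the message was delivered, read and removed.

    Returns who still needs the message purged, who has already opened it
    (they need a follow-up conversation, not just a purge), and the total reach.
    """
    status: Dict[str, Dict[str, bool]] = {}
    rows = sorted(search(records, message_id=message_id), key=lambda r: r["timestamp"])
    for r in rows:
        s = status.setdefault(r["recipient"], {"delivered": False, "read": False, "removed": False})
        if r["event"] == "Deliver":
            s["delivered"] = True
        elif r["event"] == "Read":
            s["read"] = True
        elif r["event"] == "Remove":
            s["removed"] = True
    pending = sorted(rcpt for rcpt, s in status.items() if s["delivered"] and not s["removed"])
    already_read = sorted(rcpt for rcpt, s in status.items() if s["read"])
    return {"pending_removal": pending, "already_read": already_read, "total_recipients": len(status)}


def containment_seconds(records: List[Dict[str, str]], message_id: str,
                        removal_completed_at: str) -> float:
    """Time-to-contain: seconds from the first delivery to the completed bulk removal."""
    deliveries = [r["timestamp"] for r in search(records, message_id=message_id) if r["event"] == "Deliver"]
    first = datetime.fromisoformat(min(deliveries).replace("Z", "+00:00"))
    done = datetime.fromisoformat(removal_completed_at.replace("Z", "+00:00"))
    return (done - first).total_seconds()


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    # Analyst does not know the Message-ID yet: search by sender plus a subject keyword.
    hits = search(trace, sender="ceo@corp.example", keyword="personal")
    target_id = hits[0]["message_id"]
    print("Matched message:", target_id, "rows:", len(hits))
    print("Plan:", remediation_plan(trace, target_id))
    print("Contained in", containment_seconds(trace, target_id, "2023-05-01T09:05:02Z"), "seconds")
```

The plan separates recipients who still hold the message from those who already opened it: a purge alone does not undo a read, so the second list is the one the IR manager has to deal with through other means. The containment figure is what you would report against a time-to-contain target.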
Unlike the manual, multi-step process that other email security tools rely on, quick and robust removal means that security teams can protect their employees (or distracted executives) from both phishing threats and “blushing scenarios.”