Cybersecurity Blog

When Only A Zero-Day Approach Is Good Enough

How quickly could your organisation respond to a previously unknown threat?

If you don’t know the answer, it’s probably not quickly enough – and you may need help.

Cyber security leaders know what zero-day response means in principle: an immediate and effective response to a serious threat that puts their organisation at substantial risk, typically a vulnerability that is being exploited before a fix exists. But what about in practice? How capable is your organisation of mounting a zero-day response when it really matters?

The good news is that the moments when such immediacy is required are relatively rare. Many serious vulnerabilities are found by responsible researchers, or by the software and hardware vendors themselves, and disclosed in a coordinated way. In those cases the vendor normally has a patch ready by the time the vulnerability is made public, so organisations have a window in which to deploy it before exploitation becomes widespread.

However, even these situations can be nerve-wracking. Organisations may not be able to inventory their IT estates quickly enough to work out whether they run the affected product and version, and therefore whether they are exposed at all. There may then be a further lag between the news breaking that a serious vulnerability exists and the organisation being ready to test and roll out the patch across everything that needs it.

Even worse are situations where the vulnerability is discovered, and often actively exploited or shared, by a bad actor before the vendor knows about it. Organisations may face several days of uncertainty as they struggle to catch up. They don't know whether they're exposed, and even once they do, there may be a wait for a patch to be developed, during which the only options are interim mitigations such as disabling the affected feature or restricting access to it.


Towards a major incident policy

These are the situations where organisations need well-honed processes for a zero-day response: the additional steps they put in place on top of their ordinary vulnerability management processes. In practice, that means the organisation needs to define those processes in advance and to rehearse them, for example through tabletop exercises, rather than improvising them under pressure. Think of this as major incident planning and preparation. What you're really looking for here is confidence that you can take charge when a threat emerges.

Can you respond quickly and effectively even if you're waiting for a software vendor, say, to issue an official patch? This is an area where a partner such as EndpointX can provide critical support. Our Guardian service, offered in tandem with Tanium, aims to help organisations tackle major incidents quickly and independently of software vendors. The aim is to make it possible for organisations to check their estates for exposure to an emerging vulnerability as soon as it is announced, and then to put in place a tailored interim mitigation, even if an official patch takes much longer to be developed.

Effectively, the goal here is to semi-automate the response to a major incident: to have solutions that kick in much more quickly when a threat becomes known. The organisation needs to know who to call in order to head off a breach, and how the incident will subsequently be dealt with. Too few organisations have these major incident processes in place. While most will have developed breach response plans that kick in once a breach has actually taken place, processes that focus on preventing the breach in the first place, by closing the window between disclosure and mitigation, are much rarer.

This is not to suggest such processes will be needed every time a new threat emerges. In practice, this is an exercise in risk management: the organisation needs to decide in advance what thresholds of risk should trigger the major incident plan, for instance whether the vulnerability is known to be exploited, whether the affected systems are internet-facing, and what data they hold. Otherwise, people will be asked too regularly to drop everything and respond to an emergency, and they will start to take alerts less seriously. Still, by assessing your organisation's appetite for risk carefully and putting processes in place accordingly, it should be possible to build a much more robust approach to dealing with major incidents. And when a zero-day response is required, the organisation will know how to deliver it.