Manage Incident Response and Recovery

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to respond to incidents.
  • Explain your role in helping the organization recover from incidents.

Respond to Incidents

Now that you understand how to detect risks and monitor how effectively your architecture protects the organization, it’s time to talk about your role in responding to and recovering from incidents when they do occur. No matter how carefully you’ve implemented your cybersecurity architecture, it is not a silver bullet that thwarts every bad actor. Eventually there will be an incident, and you have a crucial role to play in the organization’s incident response.

A cyber incident is a breach of a system’s security policy that affects its confidentiality, integrity, or availability, or any unauthorized access or attempted access to a system. Cybercriminals innovate just as businesses do, and the potential reward of a successful breach grows as business use of cyberspace grows. Luckily, a solid architectural design, standard controls, and regular vulnerability testing and security assessments are all effective countermeasures that reduce the likelihood of a successful attack. But what is your role when an attack does happen?

Part of your role as a cybersecurity architect is making sure that your organization has readily available the information that helps the cybersecurity incident response team respond quickly and effectively. The incident response team organizes the approach to the incident and manages the aftermath of the security breach in a way that limits damage and reduces recovery time and costs. They need access to information about the IT infrastructure, including network diagrams, system architecture, and layout, in order to understand system dependencies and trace the attack and its impacts throughout the environment. That information is only useful if it is kept current and remains reachable during the incident, so it should not live solely on the systems that may be compromised or taken offline.

Image of a cybersecurity architect sharing and explaining a map of the IT infrastructure (including where a bug or alert may exist) with an incident responder.

In addition, the architecture you design and deploy should take incident response into account from inception, enable fast response and remediation, and provide visibility across endpoints throughout the environment. For example, you put in place detective controls, such as centralized logging with synchronized clocks and retention long enough to reconstruct an attack, so that a breach in progress can be identified even if the attacker tampers with logs on a compromised host. You ensure corrective controls are part of the architecture design, such as backups with tested restores that an attacker who controls production cannot delete, so the business can return to normal operations as quickly as possible. Taking these factors into consideration early on enables your incident response team to quickly establish the who, what, when, where, and how of an attack when one does occur. You also serve as an expert coach providing context so that the incident response team can analyze incident-related data with the requisite level of technical knowledge and experience.
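As an added example of the detective control described above (this code is not part of the Trailhead module), the following Python script runs a simple detection over constructed sshd-style authentication log lines: it flags a successful login that follows a burst of failed attempts from the same source for the same user, and emits the who, what, when, where and how fields a responder asks for first. The log format, host name, user names, IP addresses and the threshold of five failures in five minutes are all assumptions made for illustration.

```python
"""Brute-force-then-success detector over constructed auth log lines.

Added example, not code from the Trailhead module. The log format, hosts,
users, addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like sshd format (not real data).
SAMPLE_LOG = """\
2024-03-01T02:14:01Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51022
2024-03-01T02:14:03Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51023
2024-03-01T02:14:05Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51024
2024-03-01T02:14:06Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51025
2024-03-01T02:14:08Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51026
2024-03-01T02:14:11Z web01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51027
2024-03-01T02:20:30Z web01 sshd[990]: Failed password for alice from 198.51.100.4 port 40001
2024-03-01T02:30:00Z web01 sshd[991]: Accepted publickey for alice from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)$"
)


def parse(text):
    """Turn raw log text into event dicts; lines in an unknown format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count skipped lines so parser drift is noticed
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a successful login preceded by at least `threshold` failures from
    the same (source, user) pair inside `window`. Each finding carries the
    who/what/when/where/how fields an incident responder needs first."""
    failures = defaultdict(list)  # (src, user) -> timestamps of failed attempts
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({
                "who": ev["user"],
                "what": "successful login after %d failed attempts" % len(recent),
                "when": ev["ts"].isoformat(),
                "where": ev["host"],
                "how": "%s from %s" % (ev["method"], ev["src"]),
            })
        failures[key].clear()  # a success closes the window for that pair
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce_success(parse(SAMPLE_LOG)):
        print(finding)
```

In the constructed sample, the `admin` login is flagged (five failures then a success from the same address within seconds), while `alice` is not: one failure followed ten minutes later by a key-based login does not meet the threshold. The same structure, a parser feeding a stateful rule, is what a central log pipeline does at scale; the point of building it into the architecture up front is that the logs, clocks and retention it depends on exist before the incident rather than after.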

Finally, the architecture you design may also need to exchange real-time network defense data automatically across the organization or with partner organizations in your industry. Such information sharing collectively strengthens defenses.

Help the Organization Recover from a Cyber Incident

When it comes to remediating the root cause of an incident, patching and hardening affected systems, and getting them back online, you again play a crucial role in enabling recovery. Root cause analysis works backward from the observed impact, following the attacker’s path through the environment to the initiating threat vector that allowed the attack to occur, so that the vector is remediated and the incident does not recur. Your job is to think proactively about response and recovery from the very beginning of designing the architecture. How can you develop and implement a resilient IT infrastructure that will sustain business operations even in the face of an attack?

When designing and deploying a cybersecurity architecture, you consider from the start how to create an architecture that can rapidly adapt to and recover from cyber incidents. When planning and testing an architecture, you can use evaluations and scenarios, including natural disasters, criminal actions, and acts of sabotage, to test the architecture itself as well as the business continuity and other response plans. You also take into account whether you are collecting the right data to properly attribute an attack to an adversary.

You may also provide technical assistance to the incident response, business continuity, and disaster recovery teams, as well as business system owners, as they work to restore systems to their normal state. The business continuity team works to ensure operations and core business functions are not severely impacted by an unplanned incident that takes critical systems offline. The disaster recovery team aims to protect the organization from the effects of significant negative events and works to maintain or quickly resume mission functions following a disruption. Your role may also include recommending changes to system architectures to further harden them against future attack and prevent the root cause of the problem from recurring. You also work with these teams to prepare for an incident or a disaster through tabletop exercises, in which a security incident is simulated and response activities are practiced and tested.

In this case, it helps to keep in mind the quote often attributed to Albert Einstein, “The problems of today will not be solved by the same thinking that produced the problems in the first place.”

As a cybersecurity architect you’re always thinking about how to move your organization to the future security state of tomorrow. Doing this both proactively from the beginning of system design, and retrospectively after an incident helps keep your organization’s IT environment secure. 

Sum It Up

In this module, you've been introduced to methods for identifying business needs and security threats, and how to design and implement a cybersecurity architecture that puts in place layered security features to protect the organization. You’ve learned more about how to protect the organization by detecting risks with vulnerability assessments and system security assessments, and how to monitor the effectiveness of the architecture you’ve implemented. Finally, you’ve learned the importance of proactively planning for incident response and recovery from the inception of your cybersecurity architecture design, and your role in helping incident responders understand the architecture and any possible points of compromise. 

Along with the information you reviewed in the Cybersecurity Architecture module, you should now have a better understanding of what it takes to be a cybersecurity architect. You can learn more about the in-demand cybersecurity skills necessary to get a job in cybersecurity risk architecture, or another field, and learn more about security practitioners by visiting the Cybersecurity Learning Hub on Trailhead.