Malware & Ransomware Protection

Respond Effectively to Cyber Threats

rectangle Written by: Anne Gotay rectangle 2 5 min read

Cyber attacks happen once every thirty-nine seconds, according to Security Magazine. They are so common that almost half of all small businesses have experienced a cyber attack in the last year, with many larger companies experiencing attacks almost daily. It is not about whether your organization will experience an attack but when. What is important is how you respond to it.

According to the NIST cybersecurity framework, the fourth protection pillar is to Respond. This phase implements reactive controls that cut off cyber attacks or mitigate their impact. Implementing the Respond pillar rounds out an effective defense against likely threats.



Responding to Incidents

The “Respond” pillar of the NIST Cybersecurity Framework (CSF) is designed to deal with incidents when they occur. It involves functions like incident detection, incident response planning, and incident response. The Respond pillar is driven by data gathered in the Detect pillar. It includes information such as the source of an incident, its scope, and its impact. With this information, functionalities in the Respond pillar work to stop an incident from expanding and minimize the damage, allowing the organization to return to normal operations.

Response Requires Visibility

The ability to respond to an incident is only as useful as the ability to detect when an incident is occurring. Even with the best response controls in place, there is no way for intervention to happen if there is no indication that an incident is taking place. Better visibility will identify it in near-real time, while less robust detection may take place minutes or days later. The earlier that detection occurs and the faster it is communicated, the more effective a response will be.

Visibility allows the organization to detect anomalous activity on its systems and networks. Good visibility controls should convey how significant the incident is to start the response, but it should not end there. It is also essential for gauging how effective the response is, tracking changes in the spread of an incident throughout containment and resolution. Achieving this level of visibility takes more than traditional logging; it takes automated analysis to process large volumes of data and condense it into actionable insights.

Respond Comes in Many Forms

Responding to an incident comes in various forms that collectively help to halt the incident in its tracks. Controls in the Respond pillar communicate to people and processes, letting them know that an incident may occur. This allows them to take other response steps to contain and mitigate any damage happening, aiming to eliminate the threat and return to normal operations.


Alerting is the process of sending notifications to security personnel and other stakeholders that an incident is occurring or suspicious activity has been detected. These notifications can be in real-time such as a popup in a monitoring interface, or near-real time, such as an email or text alert being sent out. Alerting allows organizations to take timely action to contain and mitigate an incident, thus reducing the overall impact.

Effective alerting should be built into security tools and automatically launch when abnormal behavior occurs. It is important to note that not every anomaly is an actual incident, so it is crucial to review alerts before taking action. This risk can be reduced using data-driven security solutions leveraging machine learning. With these solutions, the abundance of data and intelligence create baselines of behaviors, so alerts are only generated when there is sufficient evidence it is not a false positive.


Manual Intervention

Manual intervention engages human expertise and judgment to analyze and respond to security incidents. Human oversight builds on automation and machine learning to temper the decision-making in incident response. Automated tools are well suited to some incidents where the process is clean-cut, and alerts are almost undoubtedly valid such as catching spreading ransomware infections. Human decision-making is vital for more nuanced assessments, such as the misuse of privileged access.

Organizations generally utilize incident response teams staffed by security experts to provide the expertise for manual intervention. These teams directly respond to incidents and quickly analyze them, validating the alert. They determine the impact and urgency to determine the appropriate course of action.

Automated Processes

It’s crucial to balance manual and automated incident response. Automatic responses trigger processes that take steps to contain an incident far faster than a human can. Where incident response teams may be delayed by other incidents or business concerns, automated processes can take action in near-real time to stop the spread of ransomware or attackers, cutting off access to critical infrastructure and locking accounts.

Organizations get the best of both worlds using a blend of manual intervention and automated processes.

The Right Solutions To Defend Your Data

Read our white paper to learn more about the NIST Cybersecurity Framework and how Sotero can help your organization meet every phase to create a whole data protection lifecycle.

Contact Sotero today for a demo on how the Sotero Data Security Platform can help your organization get and maintain complete data security coverage across all five NIST lifecycle stages.


cyber threats,

data compliance,

data protection,

data regulations,

data security,


Subscribe to our Blog

Take a look at a truly encrypted future, with no data left unsecure.

Request a Live Demo.

Schedule a live one-on-one
demo of Sotero.

Book Demo