Incident Response Strengthens Foundation of Organizational Cybersecurity and Privacy Programs

Incident Response Strengthens Foundation of Organizational Cybersecurity and Privacy Programs


As Federal Cybersecurity and Privacy Programs continue to evolve and mature, ensuring their foundations are rock solid remains crucial. Incident Response is a key element of this approach. These services help organizations impacted by a cybersecurity event to determine the extent of the incident, remove the adversary from their systems, and restore their networks to a more secure state.

Criterion’s Incident Response services rely on a combination of best practice-based dashboards, automation, and human analysts to provide customers with increased knowledge about cyber events, leading to a higher confidence in how your organization reacts to cyber problems. ​In turn, this leads to more accurate risk assessments; quick, reliable decision making; and more efficient planning. ​Criterion’s Incident Response team develops tailored detection, analysis, and response procedures; provides a holistic estimate of threats; performs response actions; and continuously monitors quantitative and qualitative performance measurements, such as mean time to detect/mean time to respond (MTTD/MTTR), to improve service delivery over time.

Benefits of Incident Response

There are a variety of benefits to a strong Incident Response program:

  • Higher confidence in the efficacy and completeness of incident response actions.
  • Increased context and link between incident activity and mission impact.
  • Enhanced situational awareness through more informative and more thorough threat and incident reporting.
  • Rapid and effective incorporation of threat data to proactively defend the enterprise​.
  • Improved intelligence, feeding detection, and tracking of campaigns​.
  • Combination of security infrastructure orchestration, playbook automation, and case management capabilities strongly integrates our team, processes, and tools. ​

Criterion’s Approach

Criterion’s incident response process aligns with NIST 800-61 and has five major phases: Preparation, Detection and Analysis, Containment, Eradication and Recover, and Post-Incident Activity​. We use CyberScale® (a tool based on our Cyber Operations Maturity Model) to conduct an operational review of the environment to provide end-to-end Incident Response services focused on rapidly identifying, prioritizing, analyzing, and responding to threats using the customer’s relevant and available tools. In the case of fly-away teams, we bring our own.​


Criterion will also ensure annual exercises are performed to test and evaluate our security operations using real-word scenarios. For instance, we could combine red team activities to an annual exercise to test response times and the ability for the organization to response to an Advance Persistent Threat compromise.

As part of our Incident Response services, we proactively review threat intelligence to identify additional use case opportunities, prioritize activities, and continually refine existing procedures to improve how we manage, implement, and maintain tools and processes to detect, respond and report computer related incidents. We monitor and analyze qualitative and quantitative performance measures on the effectiveness of IM policies, procedures, plans, and strategies. This feedback allows us to continuously refine operational security standards and procedures based on security incident lessons learned, driving our continuous improvement process to refine alerting capabilities, reduce false positives, and improve overall visibility in the environment.

Criterion’s Incident Response service was developed in our Cybersecurity Center of Excellence, a dedicated group of cybersecurity professionals and subject matter experts with a focus on understanding and extending industry best practices. This development and application of practical, innovative, and continuously improving cybersecurity approaches, methodologies, and technologies directly benefits our customers today and into the future, as they tap into Criterion’s specialized expertise. Adding Incident Response to our customers’ Focused Operations teams enables them to move beyond their current capabilities, keeping ahead of adversaries while they continually mature their systems.

Our Incident Response services are already being used by our Federal customers either as a stand-alone solution or combined with Criterion’s Cybersecurity Operations Center (CSOC) services. Customers can access our services via the General Services Administration (GSA) Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) 54151HACS.