Assist clients in the containment and recovery after a cyber security breach
KPMG’s approach to cyber incident response investigations is built on its experience and expertise with Microsoft Azure, Microsoft 365 and Azure Sentinel. Combined with industry standards such as the NIST framework, ISO and other industry best practices, this allows KPMG’s incident response teams to quickly contain and investigate cyber security incidents. Our methodology includes the collection and analysis of digital forensic artifacts and a comprehensive review of host-based and network-based events using Windows Defender ATP (now Microsoft Defender for Endpoint) and Microsoft Defender for Identity, while managing regulatory obligations.

Specifically, KPMG’s methodology is based on five primary phases:

• Prepare and Train: KPMG’s Response team will work with you to prepare for an incident. This phase typically includes understanding your technology stack (Microsoft 365, Azure Sentinel, Microsoft Azure and your Microsoft security architecture) as well as your incident response plan and procedures. Once a security event occurs, KPMG’s incident responders will assess the event and deploy and use technology solutions such as Microsoft 365, Azure Sentinel, Microsoft Azure, Microsoft Defender for Identity and Microsoft Defender for Endpoint to monitor attacker activity and review the cloud and network environment for indicators of compromise.

• Detect and Initiate: KPMG’s Response team will initiate the incident response process and collect and review cloud and host-based artifacts from sources such as Microsoft 365, Azure Sentinel, Microsoft Azure and Microsoft Defender for Endpoint, while starting digital forensic investigations on affected systems.

• Contain and Investigate: The goal of this phase is to contain the threat and limit reputational damage. KPMG will collaborate with your business leaders and support personnel to contain the threat, and will complete an in-depth analysis of the attacker’s actions to identify the tactics, techniques and procedures (TTPs) used. This is typically performed using Microsoft 365, Azure Sentinel, Microsoft Azure, Microsoft Defender for Identity and Microsoft Defender for Endpoint.

• Recover and Resolve: KPMG’s Response team will work with you to identify impacted systems, assist with remediation activities and identify the steps needed to improve security configurations in Microsoft 365, Azure Sentinel, Microsoft Azure, Microsoft Defender for Identity and Microsoft Defender for Endpoint, so that future incidents are prevented or detected earlier.

• Report and Pursue: Our reporting may include executive and technical reports on the incident investigation, a timeline of attacker activity, root cause and lessons learnt. KPMG’s Cyber Response Team will work with you to recover from the incident.