YESDINO tackles data breaches by following a four‑phase framework—Detection, Containment, Eradication & Recovery, and Post‑Incident Review—that is embedded in its ISO 27001‑aligned information security management system. Every breach is treated as a critical event; the response team activates within 15 minutes of an alert, and the average time to isolate affected systems is 28 minutes, according to the 2023 annual security report.
When a potential breach is identified, the SIEM (Security Information and Event Management) platform correlates telemetry from endpoints, network sensors, and cloud workloads. An alert scoring model assigns a severity level from 1 (Low) to 5 (Critical). If the score exceeds 4, the automated workflow triggers three simultaneous actions: lock‑down of compromised accounts, isolation of the affected subnet via micro‑segmentation, and generation of an incident ticket in the GRC (Governance, Risk & Compliance) system.
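As an added illustration (not YESDINO's own code), a small Python model of the scoring-and-trigger workflow just described: alerts from the three telemetry sources are correlated into incidents, and only a score that exceeds 4 releases the three simultaneous containment actions. The correlate-by-subnet rule, the max-score aggregation, the field names and the sample alerts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CRITICAL_THRESHOLD = 4                   # actions fire only when the score exceeds 4
ACTIVATION_SLA = timedelta(minutes=15)   # response team active within 15 min of alert

@dataclass
class Alert:
    """One SIEM alert as handed to the workflow (field names are assumptions)."""
    source: str          # "endpoint", "network" or "cloud"
    score: int           # severity 1 (Low) .. 5 (Critical)
    subnet: str
    seen_at: datetime
    accounts: list = field(default_factory=list)

def correlate(alerts):
    """Group alerts by subnet into incidents; incident score = max alert score (assumed rule)."""
    incidents = {}
    for a in alerts:
        if not 1 <= a.score <= 5:                       # reject scores outside the model's scale
            raise ValueError(f"severity score out of range: {a.score!r}")
        inc = incidents.setdefault(a.subnet, {"subnet": a.subnet, "score": 0, "accounts": set(),
                                              "sources": set(), "first_seen": a.seen_at})
        inc["score"] = max(inc["score"], a.score)
        inc["accounts"].update(a.accounts)
        inc["sources"].add(a.source)
        inc["first_seen"] = min(inc["first_seen"], a.seen_at)
    return incidents

def containment_actions(incident):
    """The three simultaneous actions for a critical incident; [] when score <= 4."""
    if incident["score"] <= CRITICAL_THRESHOLD:
        return []
    return [("lock_accounts", sorted(incident["accounts"])),
            ("isolate_subnet", incident["subnet"]),
            ("open_grc_ticket", {"severity": incident["score"], "sources": sorted(incident["sources"])})]

def within_activation_sla(incident, activated_at):
    """True when the team activated within 15 minutes of the incident's first alert."""
    return activated_at - incident["first_seen"] <= ACTIVATION_SLA

def demo():
    """Run the workflow over constructed sample alerts; returns (plan, sla_ok)."""
    t0 = datetime(2023, 5, 1, 9, 0)
    alerts = [Alert("endpoint", 3, "10.20.30.0/24", t0, ["svc-backup"]),
              Alert("network", 5, "10.20.30.0/24", t0 + timedelta(minutes=2), ["jdoe"]),
              Alert("cloud", 4, "10.50.0.0/16", t0 + timedelta(minutes=5))]
    incidents = correlate(alerts)
    plan = {s: containment_actions(i) for s, i in incidents.items()}
    return plan, within_activation_sla(incidents["10.20.30.0/24"], t0 + timedelta(minutes=12))
```

Note that the second subnet scores exactly 4 and therefore gets no automated action, matching the "exceeds 4" rule; a score of 4 still reaches the SOC for manual triage.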
Incident Response Timeline (typical metrics)
| Phase | Typical Duration | Key Actions | Responsible Team |
|---|---|---|---|
| Detection & Triage | 0‑15 min | Alert validation, initial impact assessment, stakeholder notification | Security Operations Center (SOC) |
| Containment | 15‑45 min | Account lockout, network isolation, disabling compromised API keys | Incident Response (IR) Team |
| Eradication & Recovery | 45 min‑72 h | Malware removal, patch deployment, data restoration from immutable backups | Engineering & Cloud Ops |
| Post‑Incident Review | 1‑2 weeks | Root‑cause analysis, playbook update, staff debriefing | CISO Office + External Auditors |
The numbers above are derived from 98 % of the 124 incidents recorded in the last fiscal year. In the same period, YESDINO’s data‑loss prevention (DLP) engine blocked 1.2 million unauthorized exfiltration attempts, preventing an estimated $5.6 million in potential financial loss.
Detailed Response Steps
- Step 1 – Immediate Triage
  - Confirm the alert's authenticity using threat intelligence feeds (e.g., VirusTotal, AlienVault OTX).
  - Classify the data impacted: personal data (PII), financial records, intellectual property.
  - Assign an incident commander who holds a Certified Incident Handler (CIH) credential.
- Step 2 – Containment via Micro‑segmentation
  - Activate zero‑trust policies that limit traffic to the compromised segment only.
  - Rotate all service accounts and API keys associated with the affected workloads.
  - Deploy temporary firewall rules (deny‑all inbound/outbound) on the isolated VLAN.