Somansa Privacy-i EDR/Antivirus

Incident Response Plan

Introduction and Purpose

This document outlines the procedures for incident response involving Somansa’s Privacy-i EDR, a next-generation endpoint detection and response solution. Privacy-i EDR monitors endpoints in real time for security threats, automatically blocking malware and suspicious behavior on Windows 10/11 desktops[1][2]. The purpose of this plan is to ensure that any security incident is swiftly detected by Privacy-i EDR, properly reported, and effectively responded to and remediated, minimizing damage and meeting compliance requirements. It defines roles, communication channels, and step-by-step response actions so that security teams can react quickly and consistently to endpoint security incidents.

Scope: This plan applies to all security incidents on company endpoints (desktops and laptops) that are identified by Somansa Privacy-i EDR. It covers malware infections (including ransomware and fileless attacks), unauthorized or suspicious activities detected by the EDR agent, and other endpoint threats. Incidents unrelated to endpoints or not detected by the EDR are outside the scope of this document.


Roles and Responsibilities

Security Operations Center (SOC) / EDR Monitoring Team: The SOC is responsible for 24/7 monitoring of Privacy-i EDR alerts and logs. When Privacy-i EDR detects a threat, it generates an alert in the central management console. SOC analysts (Tier 1) investigate these alerts and determine whether they represent a true security incident. They are the first line of response, tasked with initial incident identification and classification.

Incident Response Team (CSIRT): The dedicated incident response team (Tier 2/Tier 3 or CSIRT) takes over confirmed incidents from SOC analysts. This team includes incident responders and forensic analysts who contain and eradicate threats. A designated Incident Manager coordinates the response, ensures communication among stakeholders, and tracks the incident to closure. The Incident Response Team works closely with IT support on remediation actions such as system isolation or restoration.

IT Support/Desktop Team: Provides support in containment and recovery steps. For example, they assist in disconnecting an affected machine from the network if needed, deploying patches, or re-imaging systems that were severely compromised. They work under the guidance of the Incident Response Team during an incident.

Management and Compliance: The IT Security Manager or CISO is informed of high-severity incidents. They handle any necessary escalation to executive management and oversee external communications. They ensure that any reporting obligations (to customers, regulators, etc.) are met after major incidents. Management also approves and supports any major remediation steps that impact operations.

Somansa Support (Vendor): Somansa’s technical support and security response resources are available if specialized assistance is needed. Privacy-i EDR is backed by Somansa’s malware analysis and security response centers[3], so expert help can be sought for complex malware analysis or product-related issues. Somansa provides product support via email and phone during business hours (8×5) as part of the maintenance agreement[4]. The Incident Manager may contact Somansa support (e.g., via support@somansa.com or the support hotline) if the team encounters an unknown threat that requires vendor expertise or has questions about EDR functionality during an incident.

Communication and Contact Points: An up-to-date contact list of on-call personnel is maintained. For any suspected critical incident, the SOC immediately notifies the Incident Response Team lead (by phone and through the ticketing system) and the Security Manager. The Incident Manager keeps management and affected business unit leaders informed at regular intervals. If required by policy or law, the CISO handles communication with external parties (e.g., customers, regulators, law enforcement). Internally, incident status updates are communicated through the incident tracking system and email updates.


Incident Detection and Reporting

Privacy-i EDR agents continuously monitor endpoint activity and use both signature-based and behavior-based detection engines to identify threats[5][6]. When a potential security incident is detected on an endpoint (such as malware execution, a suspicious script, or an unauthorized access attempt), the agent immediately blocks or quarantines the malicious activity in real time[2]. For example, if ransomware behavior is detected, Privacy-i EDR’s behavior engine stops the encryption process and isolates the offending process. It also captures relevant data about the event (process details, file paths, network connections).

Alerting: The EDR agent reports the incident to the centralized EDR management console (EDR server). An alert is generated containing details of the threat (affected host, type of threat, severity, timestamps, indicators). The console may also categorize the alert according to MITRE ATT&CK tactics and techniques[7], giving analysts insight into the nature of the attack. The Privacy-i EDR dashboard provides real-time status indicators (green/yellow/orange/red) that reflect the environment’s security status[8]. When an incident occurs, it is reflected as a high-severity event (e.g., red status) on the dashboard, ensuring it receives immediate attention.

Reporting Workflow: Upon an alert, the SOC analyst on duty reviews the Privacy-i EDR console for details. The product’s incident management features allow the analyst to annotate the alert, assign it a severity, and initiate an incident ticket. Privacy-i includes an incident workflow capability: administrators can make decisions on incidents or delegate them to the appropriate personnel as part of a workflow[9]. Using this feature, if the incident appears to involve sensitive data (for example, a data leakage attempt alongside malware), the analyst might involve a data protection officer or HR (for an internal violation) by delegating the incident in the system[9]. In general, the SOC creates a formal incident record in the Incident Response tracking system that includes all relevant details from the EDR alert. The incident is then classified (e.g., Malware Infection, Ransomware, Unauthorized Access) and given an initial severity rating (Critical/High/Medium/Low) based on its potential impact. If the incident is Critical or High, the SOC escalates immediately to the Incident Response Team (by direct phone call to the on-call responders, in addition to the ticket). For lower-severity incidents (e.g., a malware sample that was successfully quarantined by the EDR and caused no damage), the SOC may handle the containment and documentation itself and notify the Incident Response Team in the daily report.


Incident Response Procedures

Once an incident is confirmed and reported, the Incident Response Team proceeds through the following phases, in line with industry best practices[10][11]:

1. Identification & Analysis: The Incident Response Team verifies the incident details. They collect as much information as possible from Privacy-i EDR’s logs and console: which files or processes were flagged, what actions the malware attempted, and on which endpoints. Privacy-i EDR’s ability to record endpoint behaviors and provide a timeline or process tree of the attack (including cause-and-effect analysis) helps responders determine the scope and root cause of the incident[12]. The team correlates this with other data (SIEM logs, network alerts) to assess whether the threat has spread to other systems. If multiple endpoints show similar alerts, the team identifies all affected systems. This analysis phase leverages Privacy-i’s built-in forensic data; for example, log and process data are available for search and investigation via the EDR console, allowing rapid root cause analysis[13][14]. If needed, the team may retrieve copies of suspicious files from the affected endpoint (Privacy-i EDR will have quarantined malicious files, making them available for analysis). They may also consult threat intelligence (Privacy-i EDR receives threat information from Microsoft’s security feeds and Somansa’s own Threat Intelligence (TI) services[15][16]) to identify the malware family or attack indicators. Based on the analysis, the team updates the incident classification and refines the response strategy.

2. Containment: In this phase, the priority is to limit the damage. Privacy-i EDR has automated containment capabilities, such as quarantining malicious files and terminating malicious processes immediately when they are detected[2]. This automatic first response often halts the attack on the initial endpoint. The Incident Response Team assesses whether additional containment is needed. For example, they may isolate the affected host from the network (either by instructing IT to disconnect it or by using a network isolation feature, if the EDR agent provides one). Some EDR solutions allow remote host isolation; if Privacy-i EDR supports it, the team will trigger it for a compromised machine to prevent an attacker from communicating out or spreading malware. All containment actions (quarantine, process termination, network isolation, etc.) are logged. During containment, the team may also apply temporary measures enterprise-wide if needed. For instance, if a new malware strain is spreading, they could use Privacy-i EDR to push an updated block rule or IOC (Indicator of Compromise) to all agents. Privacy-i EDR facilitates this by sharing threat intelligence and newly discovered IOCs with all endpoint agents in real time[16]: once one agent detects a new threat, all other agents can immediately block the same threat, reducing the chance of lateral spread. This simultaneous response across endpoints and the network is part of the solution’s design[16]. If the incident involves a compromised user account or suspicious network traffic, containment might also include disabling accounts or blocking IPs at the firewall, but those steps are handled by the broader security team (with SOC coordination).

Communication during containment: The Incident Manager provides updates to management for severe incidents, especially if multiple endpoints or sensitive data are involved. Users of affected PCs may be instructed to stop using them temporarily.

3. Eradication: After containing the immediate threat, the team focuses on removing it from all affected systems. Privacy-i EDR’s dual-engine approach not only detects threats but can also assist in their removal. All malicious files identified are already quarantined by the agent[2]; the team ensures that these files are deleted or remain in quarantine. They also check for any persistence mechanisms (e.g., malicious registry entries, scheduled tasks), which EDR tools often highlight. The responders use EDR logs and possibly additional scanning to confirm that no remnants of the malware remain on the system. If the malware altered system settings or created accounts, those changes are reversed. In some cases, full malware removal might require running additional anti-malware scans or using system restore. Notably, Privacy-i EDR includes a backup and recovery feature that captures system snapshots right before the attack actions occur[2]. The team can leverage this for eradication by rolling the system back to a clean state. For example, if ransomware encrypted files, Privacy-i EDR’s real-time backup can restore the files to their state just before encryption[17]. The Incident Response Team coordinates with IT support to execute such a rollback or to restore from known-good backups if available. Where an endpoint is too badly compromised, eradication might involve re-imaging the machine (wiping and rebuilding it). Privacy-i EDR helps by identifying the timeline of compromise, so the team knows how far back the system needs to be restored. Eradication also includes patching any vulnerabilities the attacker exploited (e.g., if the incident was caused by a known OS vulnerability, ensure the latest patches are applied). The team verifies that the endpoint’s OS and applications are up to date to prevent reinfection. Throughout eradication, the EDR agent remains in place on the endpoint to monitor continuously; if any malware traces attempt to execute again, the agent will detect and block them, providing assurance that eradication was effective.

4. Recovery: Once threats are removed, the systems can be returned to normal operation. The recovery step ensures that business operations resume safely. If machines were isolated, they are reconnected to the network after being verified clean. Any data that was encrypted or lost is restored from backups. Thanks to Privacy-i EDR’s “Real-Time Backup & Restore” capability, full recovery to the last safe state before the incident is possible[2]. The team uses this feature or alternate backup systems to recover any affected files or systems. For instance, if a critical file server was impacted by malware, confirm via EDR logs that the malware did not spread there; if it did, restore the server data from backups. During recovery, the team also monitors the environment closely for any sign of recurrence: Privacy-i EDR is on high alert, and the SOC watches for any related alerts. If the incident was a widespread malware outbreak, the team might run an organization-wide scan (if Privacy-i EDR offers on-demand scanning, or by leveraging existing antivirus capabilities) to ensure that no other dormant instances of the threat remain. The Incident Manager declares recovery complete when all affected systems are verified clean and fully patched, data is restored, and normal functionality is confirmed by users or IT. At this point, any temporary controls put in place (such as blocking rules or network blocks) can be reviewed and removed if appropriate.

5. Post-Incident Activity: After recovery, a post-incident review is conducted. The Incident Response Team, along with relevant stakeholders, documents the incident in detail: the timeline of events, how the incident was detected (e.g., “Privacy-i EDR alert for ransomware on PC X at 10:05 AM”), what actions were taken, and the outcome. They analyze what went well and identify any gaps in the response. Privacy-i EDR provides logs and reports that are invaluable at this stage; the team can extract an incident report from the EDR console, including the attack kill chain visualization and all affected objects, to include in the analysis. A lessons-learned meeting is held to discuss improvements. For example, if the incident revealed that a certain malware was not blocked sooner because of a missing detection rule, the team will work with the Somansa product team to update detection capabilities. Privacy-i EDR’s integration with threat intelligence ensures that new threat information is updated in real time across all agents[16], so the specific malware encountered will be recognized and blocked environment-wide in the future. The team also considers whether additional controls are needed (e.g., increasing user training if the infection started via a phishing email, or implementing network segmentation). Finally, any compliance reporting is completed. If the incident falls under breach notification rules, management (with legal counsel) uses the incident details to inform regulators or customers as required. The documented incident response report, structured as per this plan, can be submitted as evidence during security audits or compliance reviews to demonstrate that the organization has a formal incident handling process.


Incident Severity Levels and Response Times

To ensure timely response, incidents are categorized by severity with target Service Level Agreements (SLAs) for response times:

1. Critical Severity: Incidents that pose an immediate, severe impact on multiple systems or sensitive data (e.g., a widespread ransomware outbreak or an active attacker on the network). Response SLA: immediate notification and response initiation, ideally within 1 hour of detection. The Incident Response Team and management must be engaged immediately. Containment actions (such as isolating systems) begin as soon as possible (within 1-2 hours), and a full incident team is assembled on a war footing. Progress updates are given to management frequently (e.g., every 2-4 hours). The aim is to contain and mitigate critical incidents within 24 hours or less, with ongoing monitoring[18] (industry practice suggests critical incidents be fully contained in 24-48 hours at most).

2. High Severity: Incidents with significant impact or a high likelihood of escalating (e.g., a malware infection on a single high-value system, or an attempted data exfiltration that was detected and blocked). Response SLA: prompt; initiate response within 2 hours of the alert. The SOC escalates to the Incident Response Team on the same business day. Containment should be achieved swiftly (within a few hours). High severity incidents are typically resolved or eradicated within a target of 1-2 business days, with continuous effort until closure. Management is kept informed at least daily.

3. Medium Severity: Incidents with moderate impact, or isolated issues that are fully contained by the EDR’s automatic actions (e.g., a malware file was quarantined on one machine, there was no further spread, and it is not a novel threat). Response SLA: within one business day for initial analysis. These may be handled largely by the SOC with minimal escalation. Containment is already in place (since Privacy-i EDR likely stopped the threat), so the focus is on ensuring removal and verifying that there are no broader issues. Such incidents should be resolved within a few days, and a summary reported in periodic incident reports.

4. Low Severity: Incidents with little to no impact, such as false positives or policy violations that do not involve malware (for example, a user attempted unauthorized USB access and EDR/DLP blocked it). Response SLA: reviewed in routine triage (within 2-3 days) by the SOC or security team. They may not require a formal incident declaration, and documentation might be limited to logging in the system. If any minor action is needed (user follow-up, tuning a rule), it is done as part of normal operations.

These SLA guidelines ensure that the response is commensurate with the incident’s severity. The Incident Manager will adjust the actual response actions based on context, but at minimum the initial response time goals must be met. The organization’s policy is to detect, contain, and recover from threats quickly and efficiently[10], thereby reducing harm.

Regular drills and tests of this incident response plan are conducted (at least annually) to ensure the team can meet these timelines and to refine procedures.
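The classification, escalation and SLA rules above, together with the Reporting Workflow in the Incident Detection and Reporting section, can be encoded as a triage step so that every EDR alert receives the same severity, deadlines and escalation path regardless of which analyst is on shift. The Python module below is an added example written for this plan; it is not Somansa product code and not part of the original document. The EdrAlert fields are assumed names for the alert details the plan describes (affected host, threat type, timestamp) plus the context an analyst adds after correlation; the console threat-type labels, the "widespread" threshold of three hosts, and the 4-hour and 3-day figures standing in for the plan's "a few hours" and "a few days" are likewise assumptions, and a business day is approximated as 24 hours.

```python
"""Triage of Privacy-i EDR alerts per this plan's severity, SLA and escalation rules.
Added example, not Somansa code; alert field names and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

class Severity(str, Enum):
    CRITICAL = "Critical"
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"

# Initial-response targets from the plan ("business day" approximated as 24 h).
RESPONSE_SLA = {Severity.CRITICAL: timedelta(hours=1), Severity.HIGH: timedelta(hours=2),
                Severity.MEDIUM: timedelta(days=1), Severity.LOW: timedelta(days=3)}
# Containment: Critical 1-2 h (upper bound used); High "a few hours" (4 h assumed).
CONTAINMENT_SLA = {Severity.CRITICAL: timedelta(hours=2), Severity.HIGH: timedelta(hours=4)}
# Resolution: Critical 24 h, High 2 business days, Medium/Low "a few days" (3 assumed).
RESOLUTION_SLA = {Severity.CRITICAL: timedelta(hours=24), Severity.HIGH: timedelta(days=2),
                  Severity.MEDIUM: timedelta(days=3), Severity.LOW: timedelta(days=3)}
# Assumed console threat-type labels, mapped to the plan's incident categories.
CATEGORY = {"ransomware": "Ransomware", "malware": "Malware Infection",
            "exfiltration": "Data Exfiltration Attempt", "active_attacker": "Unauthorized Access",
            "usb_block": "Policy Violation", "false_positive": "False Positive"}
MALWARE_TYPES = {"ransomware", "malware"}
MULTI_HOST = 3  # assumed: the same indicator on this many hosts counts as "widespread"

@dataclass
class EdrAlert:
    host: str
    threat_type: str
    detected_at: datetime
    auto_contained: bool           # agent already quarantined the file / killed the process
    affected_hosts: int = 1        # hosts showing the same indicator after correlation
    sensitive_data: bool = False   # sensitive data involved (e.g. a leakage attempt)
    novel: bool = False            # not matched by an existing signature or IOC
    high_value_asset: bool = False

@dataclass
class IncidentRecord:
    host: str
    category: str
    severity: Severity
    response_due: datetime
    containment_due: Optional[datetime]
    resolution_target: datetime
    escalation: List[str] = field(default_factory=list)
    update_interval: Optional[timedelta] = None  # management update cadence

def classify(alert: EdrAlert) -> Severity:
    """Apply the plan's severity definitions to one alert."""
    t = alert.threat_type
    if t in ("false_positive", "usb_block"):
        return Severity.LOW                      # no malware involved
    if t == "active_attacker":
        return Severity.CRITICAL                 # active attacker on the network
    if t == "exfiltration":                      # blocked attempt is High, otherwise Critical
        return Severity.HIGH if alert.auto_contained else Severity.CRITICAL
    if t in MALWARE_TYPES:
        if alert.affected_hosts >= MULTI_HOST or (alert.sensitive_data and not alert.auto_contained):
            return Severity.CRITICAL             # outbreak, or sensitive data at risk
        if alert.high_value_asset or alert.novel or not alert.auto_contained:
            return Severity.HIGH                 # high-value host, unknown strain, or not yet stopped
        return Severity.MEDIUM                   # one host, quarantined, known threat
    return Severity.MEDIUM                       # unknown label: analyst reviews within a day

def triage(alert: EdrAlert) -> IncidentRecord:
    """Build the tracking-system record: category, severity, deadlines, escalation path."""
    sev = classify(alert)
    rec = IncidentRecord(
        host=alert.host, category=CATEGORY.get(alert.threat_type, "Uncategorized"), severity=sev,
        response_due=alert.detected_at + RESPONSE_SLA[sev],
        containment_due=alert.detected_at + CONTAINMENT_SLA[sev] if sev in CONTAINMENT_SLA else None,
        resolution_target=alert.detected_at + RESOLUTION_SLA[sev],
        escalation=["ticket:incident-tracking"])
    if sev in (Severity.CRITICAL, Severity.HIGH):   # phone on-call responders, inform management
        rec.escalation += ["phone:ir-oncall", "notify:security-manager"]
        rec.update_interval = timedelta(hours=4) if sev is Severity.CRITICAL else timedelta(days=1)
    else:                                           # SOC handles it; summarised in the daily report
        rec.escalation.append("report:soc-daily")
    return rec

def overdue(rec: IncidentRecord, now: datetime, acknowledged: bool, contained: bool) -> List[str]:
    """List the SLA targets already missed at `now`, for an SOC queue view."""
    missed = []
    if not acknowledged and now > rec.response_due:
        missed.append("response")
    if rec.containment_due is not None and not contained and now > rec.containment_due:
        missed.append("containment")
    return missed

# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    EdrAlert("PC-017", "ransomware", datetime(2024, 5, 2, 10, 5), auto_contained=False, affected_hosts=12),
    EdrAlert("FIN-SRV-02", "malware", datetime(2024, 5, 2, 11, 20), auto_contained=True, high_value_asset=True),
    EdrAlert("PC-233", "malware", datetime(2024, 5, 2, 12, 0), auto_contained=True),
    EdrAlert("PC-410", "usb_block", datetime(2024, 5, 2, 13, 45), auto_contained=True),
]
```

Running triage() over SAMPLE_ALERTS yields a Critical record for the 12-host ransomware alert (response due one hour after detection, on-call responders phoned, management updated every four hours), a High record for the quarantined malware on the high-value finance server, a Medium record for the single quarantined workstation that stays with the SOC and appears in the daily report, and a Low record for the blocked USB access. overdue() is the check a SOC queue view would run against the clock. The analyst's severity assignment in the console remains authoritative; the rules here give the consistent starting point the plan asks for, and the Incident Manager should own the assumed thresholds.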

 

 

Additional Notes and Compliance

This incident response plan is designed to satisfy security compliance requirements and industry best practices. It aligns with frameworks such as NIST SP 800-61 (Computer Security Incident Handling) and ISO 27035. All incidents and actions are logged within the Privacy-i EDR system and the incident management system to maintain an audit trail[8]. During compliance reviews or audits, this plan and the associated incident records demonstrate our prepared and structured approach to handling security incidents. The Privacy-i EDR platform’s built-in incident management and reporting features support our compliance efforts by providing detailed evidence of detection and response actions (including the ability to generate reports of incident timelines, affected assets, and response measures). Administrators can produce incident reports and dashboards from Privacy-i EDR’s console to show metrics such as the number of incidents, response times, and outcomes[8]. These reports are used in quarterly security reviews and help in the continuous improvement of both the product deployment and the incident response process. By following this plan, the company ensures a consistent and effective response to endpoint security incidents, limiting damage and learning from each event to strengthen defenses.

Somansa Privacy-i EDR, as a key security control, significantly aids the rapid detection and response part of the incident response lifecycle, and this document complements the technology with clear human procedures. All team members must familiarize themselves with these procedures as part of the MVI onboarding and ongoing security training. This document will be updated regularly as product features or the organizational structure evolve, or as new types of threats emerge.