Virtual CISO

Apr 5 2016   4:48PM GMT

Breach Detection, Breach Mitigation, & Incident Response

Jeromie Jackson

Tags: breach detection, breach notification, incident response


Breach disclosures are hitting the news almost daily. CryptoLocker and other ransomware attacks are occurring at an alarming rate. IT executives and compliance personnel continue to be dismissed in the aftermath of breaches. Organizations that have traditionally been lean on security spending are now taking a hard look at the security of their environments. Make sure your organization has taken appropriate steps so that neither your job nor your organization becomes the next victim of a cybersecurity breach.

Security Controls
Without a centralized set of security directives, organizations address security haphazardly, wherever a need happens to be identified. Overlapping controls, multiple systems supporting the same function, and dispersed management cause significant inefficiency. Organizations that align their information security program to a control framework can map regulations, industry requirements, and security goals onto one set of controls, and so deliver an efficient, optimized, and prudent program.

Controls consist of five facets. Policy describes management's expectations in the form of security directives. Procedures describe how those directives are to be implemented within the organization. Implementation must cover every in-scope system so that no weak link in the chain exists. Testing of the control must occur on a regular basis to confirm it continues to work as intended. Training educates users and administrators so that policies and procedures are upheld. By focusing on controls that address breach detection, incident response, and end-user training, organizations can dramatically reduce the cost, effort, exposure, and impact of breaches.

Detection is key. Attackers lurk in a victim's environment for a median of 205 days before being discovered, and 69% of victims learn of the compromise from a third party (1). Several classes of technology have evolved to mitigate this risk, including advanced malware detection systems such as (Companies), threat lists including (Lists), and advanced analytics (Examples).

Incident Response
Incident response is a critical component of a quality information security program. Today people understand it is not a question of if but when they will be breached. Being able to quickly identify, triage, contain, and restore services to proper working order is vital to reducing the cost of an incident. Use a well-known framework rather than rolling your own, so that you cover all the bases and address previously identified risks. We have been working extensively with the NIST Cybersecurity Framework, the NIST Computer Security Incident Handling Guide (SP 800-61), and SANS Institute recommendations to help customers prepare for a breach.

Testing & Training
For two consecutive years, more than two-thirds of incidents in the Cyber-Espionage pattern have featured phishing (2). An organization-wide information security awareness program should be developed. Both business and technical staff must be educated to ensure controls are implemented as intended. I recommend an information security awareness training calendar so that security remains top of mind for all parties. Using multiple vehicles, such as online messages, newsletters, posters, email, training sessions, tabletop exercises, penetration tests, and social-engineering exercises, reinforces that users must remain diligent in their information security roles.

There is significant movement toward focusing on the data rather than on the pipes and servers. Through encryption, tokenization, and similar techniques, compromise of the data is mitigated even when the servers holding it are compromised. We are also seeing many customers assess both their structured and unstructured environments to determine where sensitive data and risk reside. Using automated taxonomy and data classification, we are helping many of them bring both data silos into a single risk portfolio. If you do not know where your sensitive data resides, you cannot secure it appropriately. We are also seeing significant interest from organizations with PCI environments in tokenizing card numbers to reduce the scope of their PCI DSS requirements.

Audit Capabilities
I will use a customer example to describe how important it is to have adequate logging in place before an incident. A customer was visited by several FBI agents on a Friday afternoon and informed that large amounts of proprietary data about the products they manufacture were flowing to a destination in a foreign country. Needless to say, this was not the customer's doing but an attacker siphoning intellectual property. Parachuted into the event, we identified that the breach was originating through a VPN connection using valid credentials. Our next step was to identify where that inbound connection went within the network. We asked the customer for their logs. They had none. The result was a $246,000 service engagement for a team of senior engineers to ascertain the damage. Do not be like this customer. If you do not have centralized log aggregation and archiving, get some immediately!
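Because the attacker in that story held valid credentials, a list of successful logins would have looked normal; what stands out is where a session came from and how much data left over it. The following is an added example (not the author's code, and not from any VPN product) of the kind of detection and scoping you can run only if session-level logs were collected and retained. The log format, the `GEO` prefix table standing in for a GeoIP database, the `XX` country code, the IP addresses (documentation ranges) and the user names are all constructed for the example.

```python
"""Detection logic over VPN session logs (constructed example).

bytes_out is taken to mean bytes sent from the internal network to the
remote VPN client, i.e. the direction an exfiltration shows up in.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a simple key=value format (assumption).
SAMPLE_LOGS = """\
2016-03-18T09:12:03Z vpn01 session_end user=jsmith src=198.51.100.23 bytes_in=1200345 bytes_out=8200311
2016-03-18T10:40:51Z vpn01 session_end user=akumar src=198.51.100.77 bytes_in=450000 bytes_out=3100000
2016-03-18T23:05:30Z vpn01 session_end user=jsmith src=203.0.113.45 bytes_in=1500 bytes_out=4831004532
2016-03-19T08:01:10Z vpn01 session_end user=akumar src=198.51.100.77 bytes_in=300000 bytes_out=2900000
2016-03-19T02:14:09Z vpn01 session_end user=jsmith src=203.0.113.46 bytes_in=2100 bytes_out=2200000000
"""

# Constructed geolocation table standing in for a GeoIP database.
GEO = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "XX",   # placeholder foreign country code
}
ALLOWED_COUNTRIES = {"US"}                # where this workforce is expected
OUTBOUND_LIMIT = 1 * 1024 ** 3            # 1 GiB out of the network per session

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) session_end user=(?P<user>\S+) src=(?P<src>\S+) "
    r"bytes_in=(?P<bin>\d+) bytes_out=(?P<bout>\d+)$"
)


def parse(text):
    """Return one dict per parseable session_end line; skip anything else."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["bytes_in"] = int(d.pop("bin"))
        d["bytes_out"] = int(d.pop("bout"))
        sessions.append(d)
    return sessions


def country_of(ip):
    """Look the source address up in the constructed prefix table."""
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def detect(sessions):
    """Return (user, reason, timestamp) alerts for sessions worth a human look."""
    alerts = []
    for s in sessions:
        cc = country_of(s["src"])
        if cc not in ALLOWED_COUNTRIES:
            alerts.append((s["user"], f"login from {cc} ({s['src']})", s["ts"]))
        if s["bytes_out"] > OUTBOUND_LIMIT:
            alerts.append((s["user"], f"{s['bytes_out']} bytes outbound", s["ts"]))
    return alerts


def outbound_per_user(sessions):
    """Total bytes that left over the VPN per account, for scoping the damage."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s["user"]] += s["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    sessions = parse(SAMPLE_LOGS)
    for user, reason, ts in detect(sessions):
        print(f"{ts:%Y-%m-%d %H:%M}Z  {user:8}  {reason}")
    print("outbound bytes per user:", outbound_per_user(sessions))
```

The second function is the part that would have saved the customer in the story: with retained per-session byte counts, "how much did they take, and through which account" is a query, not a multi-week forensic engagement.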

Cyber Insurance
There are four ways to respond to risk: mitigation, avoidance, transference, and acceptance. Mitigation includes applying best practices, removing default passwords and configurations, and implementing countermeasures to bring the risk down to an acceptable level. Avoidance means staying away from the risky activity altogether. Transference moves the risk to an external party, for example through cyber insurance, managed services, or cloud offerings; note that this shifts the financial impact, not the accountability for a breach. Finally, acceptance means the business owners are willing to live with the risk and roll the dice. Depending on the risk and the industry, each of these responses has its place.

As with most disasters and security incidents, it is much better to prepare than to attempt triage under high stress without a plan. By implementing a control framework and a risk portfolio, organizations can prudently maximize their human and monetary resources. A quality incident response plan that has been vetted and tested will significantly improve recovery times. Finally, test and train your users consistently so that security remains top of mind. Security is complex and always evolving; leveraging frameworks and testing your defenses are among the best methods to ensure your organization is prepared.

(1) Mandiant, M-Trends 2015 report
(2) Verizon, 2015 Data Breach Investigations Report
