Don’t panic! Six steps for surviving your first data breach
- Published: Friday, 06 March 2015 10:14
By Joe Schreiber
Once you’ve come to terms with the harsh reality of the world, you come to understand that sooner or later, you will be the victim of a security breach. Chances are that it may not be this month, or even this year, but as the insightful Tyler Durden so shrewdly observed, “On a long enough timeline, the survival rate for everyone drops to zero.”
Getting breached doesn’t establish whether or not you have a decent security program in place: but how you respond to a security breach does.
If you accept Murphy’s Law (everything that can go wrong will, and usually with the worst possible timing), there are several steps you can take today to help soften any future blows. Putting these motions in place gives you the ‘freedom’ to expect the unexpected.
Try to rid yourself of any notion that the work you do in network security is ‘protecting’ the company’s assets. Your mission is to look into and analyze how the network can be attacked, with the anticipation that you can control the battlefield smoothly enough to be able to respond to all attacks satisfactorily. So, think strategically about what can be done today and what can be delayed for later. The following are six key actions you can take to make sure you and your organization are more than prepared.
1. Establish and develop relationships that extend further than the IT department
If you enjoy meeting new faces within your company, a security breach gives you the opportunity to do exactly that — even if it’s at the worst possible time. A breach will inevitably involve personnel from a wide range of departments: legal, executive, and PR to name but a few. Having established an understanding with these groups of how your jobs and theirs will interact during a security breach can save a lot of the time that’s usually wasted on rushed drafting of paperwork, and can prevent tense meetings during a time of crisis.
2. “I told you so” – but more importantly move on
We tend to have this idea in information security that the work we do is possibly the most important thing in the company; that without us, the entire organization would deteriorate, crumble and be raided by bandits. Well it’s time to accept some cold harsh truths: there are much greater risks to a company’s operational capacity and profitability than a security breach. Keep in mind that your job isn’t to guarantee this breach won’t ever happen, but to soften the blow when it does.
3. Comply with regulations, but then go even further
This may be preaching to the choir, and we understand that Compliance Is Not Security, but understand that an unmonitored security control is worse than having no control at all. An intrusion detection system that doesn’t have somebody actively administering it and looking at the alerts is just another target for intruders to use against you (and one with significant access to all network traffic!). Just because you’re in an industry that is required to keep all log data for 90 days doesn’t mean you shouldn’t store logs for a longer period of time. After all, log management should be part of your security solution. Security breaches don’t happen in a mere matter of minutes: the preliminary signs of intrusion and its origin may show up in logs from several months ago. At the end of the day, when you need them you’ll be glad you kept them.
4. Provide the people with the answers they need, not with the answers they deserve
From end-users to executives, the number one priority during a breach is information: information that’s going to take time to acquire. Making clear decisions and acting on them is the top priority during breach discovery and remediation. Give your users clear, absolute answers on why you’re shutting down large portions of the network unannounced, and then do it if that’s what’s needed. While it’s vital to share information on the incident, it’s more important to actually investigate it. Consider setting up some type of rapid response communication to stakeholders to avoid the inevitable time-wasting one-off replies to “What’s the status?”
5. “When you have eliminated the impossible, whatever remains, no matter how improbable, must be the truth.”
The perpetrators of the crime you are investigating are just human beings: the chance of them possessing supernatural powers, genius-level intelligence or the ability to time travel is vanishingly small. While you’re investigating you will probably find yourself having many “How did they do that?” moments. Well, the simplest answer is usually correct. Keep a clear head and stay rational: this is not the time to take a trip down the rabbit hole. What you are trying to unravel in days, the hacker may have taken many months to put together, but remember: you have the advantage of being able to work backwards to the beginning of it all.
This is the time when those checklists of things to cross-examine during more mundane investigation tasks become invaluable. Between the forensics, remediation and information gathering your sanity will be tested; however, nothing keeps your sanity like a good list of things to reference against to know you’ve turned every stone.
6. Practice, practice, practice...
Practice makes perfect. I know this one is obvious, and I don’t intend to insult your intelligence by including it here, but I also know you’ve been wanting to get some bench exercises performed in your security group for quite some time — and yet, it keeps getting put off in favour of more pressing “real” work. Well, stop it, now.
As a security professional your work is absolutely *centred* on the inevitability of the worst-case scenario. Why aren’t you preparing and practicing for that scenario? Has your company engaged the services of a pen-testing company recently? Did you treat their actions as a breach to be investigated? Did you match what you were capable of detecting and investigating against their report?
No matter what it takes, get the practice in now — because when the time comes for points 1–5 to take effect, the last thing you want to be doing is playing it by ear.
Now, if you could learn everything you needed to know about investigating and recovering from a security breach in a six-point article, those who have been through one would not speak of their experience in whispered, fearful tones. Unfortunately, like many things in life, only experiencing firsthand the real thing is going to prepare you for the next time.
Finally, remember that it’s not usually the technical aspects of a security breach that will test you (though such a situation will usually give people the opportunity to bring the full brunt of their skills to bear) but the organizational duress that results. Repeat after me: “Don’t panic!”
Joe Schreiber is solutions architect at AlienVault.