Breach response is tied to big data

Scott McIntyre spent over a decade as the chief security officer for the oldest ISP and telco in the Netherlands. Now, he’s the chief security specialist for Telstra. His career has spanned Internet/IT security for nearly 30 years. He believes the Internet can be reclaimed by those who want to do good, and shouldn't fall prey to the creepy behaviour our headlines are being filled with.

McIntyre posits that incident responders know that large amounts of technical data are needed for investigating computer security and privacy incidents, but the aggregation of data creates significant risks for most organisations. With many breaches being related to poor information security controls around big data, there’s a balancing act between minimising risks and using technology to help us prevent, detect and respond to incidents.

McIntyre’s role at Telstra means that he is often asked to provide a “security sign off” when a new application or service is going to be launched.

“I explain this to them. It’s more of a conversation. We will find out about risks and learn about controls. We will compensate for them. There will be technologies, policies… this is all really important for your project to be able to conform,” he said.

The trouble with this, according to McIntyre, is that it’s often the day before going live that his team is brought into the discussion. And the discussion often starts by thinking about threats and putting in place steps to prevent or block potential attack vectors. During his presentation at AusCERT 2014, McIntyre said the conversation sways from this position to one where the business starts to think about the consequences of a breach.

According to the Ponemon May 2014 report, the cost of data breaches increased by 15 per cent over last year. The average cost of a breach has now been pegged at US$3.5.

McIntyre noted that businesses don't want to learn about potential vulnerabilities via Google News alerts. “The majority of data breaches are found by external notifications.”

Systems may be designed with data in another hemisphere, or with a need to move hundreds of gigabytes of data in order to protect valuable assets, but this complicates threat response if a problem is detected. Very few businesses consider how to extract their own data in the event of a problem with a SaaS provider. Rapid access to data from those systems is key to analysing threats so that an appropriate response can be initiated.

It’s also important that information is presented to stakeholders quickly. This is where latency is critical, as the data may not be onshore.

“Time is the one commodity that executive directors have zero of and certainly would not consider calls at two o’clock in the morning where the answer is ‘it’s on its way’, what they want to hear,” he said. Part of that management response needs to be what McIntyre called “management porn” – visualisation of the data to help management understand and have confidence that you know what you’re doing.

Although there are some well-established threat response frameworks companies can follow, McIntyre noted that “lots of the response process is out of our control”.

A critical place to start, in order to have better threat management and resolution, is to actually know what data you have and where. This is one area where McIntyre sees Australian businesses languishing. There is a lack of attention being paid to what legal jurisdictions data is stored in.

With the number of threat actors and vectors continuing to rise and the cost of breaches increasing, it’s important that businesses ensure that, at the conclusion of every incident response, time is taken to evaluate what has happened.

"You must learn from any type of data breach or incident."
