Be prepared for the breach that's headed your way

If we learned anything in 2014, it was that no one is immune to a massive data breach. If one hits you this year, are you going to have the visibility that will let you tell the executive team what they need to know?

January 2015 is already winding down, but it's not too late to think about the lessons of 2014. For anyone in information security, 2014 was a year marked by spectacular breaches. It ended with Sony Pictures Entertainment getting its clock cleaned by hackers, quite possibly from North Korea. Wouldn't it be great if 2015 doesn't include the same sort of clock cleaning at your company?

Having run thousands of incident response operations over the years, I have come to appreciate the value of visibility. I'm talking about meaningful data collection, from the network layer up to the applications. I'm talking about data that can help the computer security incident response team (CSIRT) understand with a high degree of confidence what happened. You can take steps to make sure that your CSIRT will have that kind of data, well organized, so they're not lost in a sea of meaningless data or grasping for clues with no data at all. If you do nothing to improve visibility, your CSIRT might be able to draw some basic conclusions about an incident, but chances are they won't be able to tell executive decision-makers what they really want to know: precisely what happened in an incident and the extent of the business impact.

So my suggestion for 2015 is to increase your ability to see an incident. Make it a goal to be able to accurately and rapidly establish your situational awareness during and after an incident. Good situational awareness is vital to your executive team as it sets out to make the difficult business decisions in the wake of an incident.

First, take stock of what you already have in place for visibility. Take a critical look at your event logging, data analysis, data retention, etc. Start at the network level, and ensure that you can see into all of your mission-critical networks. Then move on to other networks, such as those for connecting desktops and mobile devices. Do an inventory and establish a clear picture in your mind of how well the data you're already collecting will help you reconstruct the events around an incident. You need to know what your current abilities will do for your situational awareness.

Next, you should move up to your servers: application servers, departmental servers, etc. Do another inventory and determine what logging is in place and how it relates to and correlates with the network-level data. Figure out how well that data will help you determine the business impact of an incident. Even though server logs can probably shed only a small amount of light, you still need to know just what information they contain and how best you can leverage that information during an incident.

Finally, you need to assess your business applications. Whether they are internal business applications or customer-facing ones, you need to know what logging is taking place and how it can be used to tell the story of an incident.

When you've taken stock, it's likely that you'll see that your logging layers provide different perspectives on incidents. More importantly, there's a good chance that the logs aren't even stored in the same place and that they are viewed by different teams in your network operations and security operations centers.

And now that you know what you have and where it goes and who sees it, you have to figure out how you can use those multiple perspectives to build a single view of an incident. There are products that promise to help you with that, but the principle of "garbage in, garbage out" always applies. The tools are only as good as the data they receive.
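As an added illustration (not code from the column or its author), the following Python script does the correlation this paragraph describes over constructed log lines in hypothetical formats. It normalises a firewall log, a server log and an application log onto one host key through a constructed asset inventory, builds a single timeline for a host around a pivot time, reports which layers contributed nothing to that window (the "no data at all" case), and pulls the one figure an executive will ask for, the number of records touched, from the application layer. All hosts, addresses, user names and formats are made up for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in hypothetical formats (not from any real system).
NETWORK_LOG = [
    "2015-01-20T02:14:07Z fw01 ALLOW src=203.0.113.9 dst=10.0.5.21 dport=443",
    "2015-01-20T02:14:08Z fw01 ALLOW src=203.0.113.9 dst=10.0.5.21 dport=22",
    "2015-01-20T02:31:55Z fw01 ALLOW src=10.0.5.21 dst=198.51.100.77 dport=22",
    "2015-01-20T09:00:01Z fw01 ALLOW src=10.0.9.4 dst=10.0.5.21 dport=443",
]
SERVER_LOG = [
    "2015-01-20T02:14:09Z app01 sshd: user=svc_backup accepted password from 203.0.113.9",
    "2015-01-20T02:15:30Z app01 sudo: user=svc_backup COMMAND=/bin/tar czf /tmp/out.tgz /var/lib/db",
    "2015-01-20T02:31:54Z app01 scp: user=svc_backup sending /tmp/out.tgz to 198.51.100.77",
]
APP_LOG = [
    "2015-01-20T02:16:02Z app01 orders-api user=svc_backup action=export table=customers rows=48211",
    "2015-01-20T09:00:02Z app01 orders-api user=alice action=login",
]
# Constructed asset inventory: the glue that ties network addresses to server names.
INVENTORY = {"10.0.5.21": "app01", "10.0.9.4": "desktop-alice"}

LAYERS = ("network", "server", "application")


@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str   # one of LAYERS
    host: str    # normalised host name so every layer shares one key
    actor: str   # user name (server/application) or source address (network)
    detail: str


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


NET_RE = re.compile(r"^(\S+) \S+ (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
SRV_RE = re.compile(r"^(\S+) (\S+) (\S+): user=(\S+) (.*)$")
APP_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+) action=(\S+)(.*)$")


def parse_network(lines):
    out = []
    for line in lines:
        m = NET_RE.match(line)
        if not m:
            continue
        ts, verdict, src, dst, dport = m.groups()
        # A flow is attributed to whichever end is an inventoried server.
        host = INVENTORY.get(dst) or INVENTORY.get(src) or dst
        out.append(Event(_ts(ts), "network", host, src, f"{verdict} {src}->{dst}:{dport}"))
    return out


def parse_server(lines):
    out = []
    for line in lines:
        m = SRV_RE.match(line)
        if not m:
            continue
        ts, host, prog, user, rest = m.groups()
        out.append(Event(_ts(ts), "server", host, user, f"{prog}: {rest}"))
    return out


def parse_application(lines):
    out = []
    for line in lines:
        m = APP_RE.match(line)
        if not m:
            continue
        ts, host, app, user, action, rest = m.groups()
        out.append(Event(_ts(ts), "application", host, user, f"{app} {action}{rest}"))
    return out


def build_incident_view(events, host, pivot, window=timedelta(minutes=30)):
    """One ordered timeline for `host` around `pivot`, plus a coverage check and
    the record count that the application layer alone can supply."""
    lo, hi = pivot - window, pivot + window
    timeline = sorted((e for e in events if e.host == host and lo <= e.ts <= hi),
                      key=lambda e: e.ts)
    present = {e.layer for e in timeline}
    rows = 0
    for e in timeline:
        if e.layer == "application":
            m = re.search(r"rows=(\d+)", e.detail)
            if m:
                rows += int(m.group(1))
    return {
        "timeline": timeline,
        "layers_missing": [layer for layer in LAYERS if layer not in present],
        "actors_and_sources": sorted({e.actor for e in timeline}),
        "records_exported": rows,
    }


if __name__ == "__main__":
    everything = parse_network(NETWORK_LOG) + parse_server(SERVER_LOG) + parse_application(APP_LOG)
    view = build_incident_view(everything, "app01", _ts("2015-01-20T02:14:07Z"))
    for e in view["timeline"]:
        print(f"{e.ts:%H:%M:%S} {e.layer:<11} {e.actor:<14} {e.detail}")
    print("missing layers:", view["layers_missing"], "records:", view["records_exported"])
```

Running the same function with only the network log as input yields a timeline of three flows, `layers_missing` of server and application, and a record count of zero: exactly the situation the column warns about, where the CSIRT can say that something talked to a server but not what it did or what the business impact was.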

The important thing is to make sure that, should you be hit by an incident, you will have the situational awareness that your executives need. For them, whether something happened at the network level or the application level is immaterial. They just want to know the business impact. They want a damage assessment and a course of action.

So in 2015, that's what you should be prepared to give them. To get there, take a critical look at your visibility and make an action list on how you can improve things. Imagine various event scenarios and determine just what sort of data you'd likely find and how useful that data will be in telling the executive team what they need to know.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
