Data breaches are inevitable. But the ways IT leaders respond to them are not.
A rapid, effective response can make the difference between results that are catastrophic at all levels -- brand identity, market share and financial health -- and those that are relatively harmless.
As more than one expert has said, it is impossible to prevent all breaches, but if a response team can prevent attackers from completing their mission, or even reduce the damage they do, the good guys have won that battle.
And a lot of what makes a response effective is what happens in the hours immediately after it is discovered. Several vendors have published "checklists" of what to do during the first 24 hours after a breach is discovered, including the credit monitoring firm Experian and Smith Anderson, a law firm in North Carolina.
But security experts, while they agree that checklists adapted to the needs of different organizations are good, say there is no way to perform the items on those lists effectively without intense pre-planning. In a world where the reality is "when," not "if" a breach will occur, a little worst-case paranoia can be the only way to keep an organization in the "relatively harmless" camp.
"The last thing an organization wants to do in a full-blown crisis is make up a crisis response plan," said Greg Mancusi-Ungaro, CMO at BrandProtect. "It is much better to work from an established plan, created during a time where choices and procedures can be drawn up, debated and revised."
Tom Evans, CSO at Cognia, agrees, saying that if organizations have not planned and trained in advance to spot and mitigate a breach, then the best they should do is, "leave power on, isolate, do not touch, call a specialist."
Andrew Avanessian, vice president of professional services at Avecto, argues that post-breach strategies are "fundamentally flawed" because they are "reactive and based on fear."
Organizations should have a data breach strategy, he said, but it should be "proactive," which means, "IT infrastructure projects will take a little longer to deploy, but the amount of time spent firefighting after the fact will be significantly reduced.
Lucas Zaichkowsky, enterprise defense architect at AccessData, said it is almost impossible to do an effective forensic investigation without, "rapid visibility into live systems, network traffic, and most importantly, historical data."
And that, he said, requires "extensive logging in place with a high retention period, the ability to rapidly search endpoints at an enterprise scale for indicators of compromise and retrieve forensic data from systems accessed by the attacker."
Unfortunately, the lack of that kind of planning or preparation is common. A recent survey of more than 340 CIOs, CSOs, IT directors, managers and auditors by consulting firm Protiviti found that 34 percent admitted that their organizations had no formal breach response plan, and another 10 percent said they didn't know if their company had a plan.
And security vendor Lancope and the Ponemon Institute reported in January on a survey that found that half of the 674 respondents said incident response (IR) was less than 10 percent of their security budgets.
Several experts say it is very likely worse than that. "It seems like a low number to me," said Orlando Scott-Cowley, director of technology marketing and resident security expert at Mimecast, who added that too many companies, "talk about the P principles -- Proper Planning and Preparation Prevents Poor Performance -- in hindsight."
And while many in key financial districts or industries in hurricane or tornado-prone states have plans in place, "others who would normally never feel the need to be threatened often don't prepare," Scott Cowley said.
David J. Bianco, Hunt Team Manager at FireEye, agreed. "I expect the number is much higher, especially when you consider that, 'We have a plan' doesn't say anything about how good that plan may be."
Planning for a breach ought to be a given, they say, because it is almost a given that it will happen. Bianco, Evans, Mancusi-Ungaro, and Wendi Rafferty, vice president of services at CrowdStrike, offer a number of recommendations for a pre-breach plan:
- Establish roles and responsibilities of everyone on the IR team, ideally with 24-hour contact information that includes third-party vendors, IT & IT security, senior management, business unit leaders, legal counsel (both internal and external), PR and customer ombudsman.
- Rehearse IR scenarios with all internal stakeholders.
- Draft PR statements for a variety of scenarios, because there will likely not be time to do so effectively when a breach occurs.
- Establish relationships with local law enforcement authorities, including the FBI and Secret Service, to have a point of contact when a breach occurs. That will lead to faster response in a crisis.
- Get data breach insurance.
- Implement role-based account access and monitoring of that access, which will help to quickly identify unusual and potentially malicious activity.
- Train all staff members to spot and systematically report information security incidents and near misses. This can lead to detection before an actual breach occurs.
"More and more, the weakest link in a company's security chain is employees and families," Mancusi-Ungaro said. "It is impossible to overstate the importance of helping them maintain vigilance in all their online activities.
"The threats come from almost any direction -- rogue emails and websites that capture personal information or malicious mobile apps that gain access not just to a personal address book, but also to log-in and network credentials."
And once the inevitable happens and a breach is discovered? The critical overall goals following the discovery are to make your organization secure again, preserve evidence (like you would for a crime scene because, after all, that's what it is) and protect your brand, market share and profitability.
To achieve that, the consensus among online posts and experts who spoke with CSO say the response in the first 24 hours should include the following:
- Document everything, including the date and time of the breach, when it was discovered and when your response began.
"Good information about what happened and when is going to be critical for your response team, for reporting to management, for law enforcement efforts and, potentially, to help protect yourself during legal proceedings," according to Bianco.
- Interview the person(s) who discovered the breach.
- Secure the premises where the breach occurred to preserve evidence. "This includes preserving memory, live response data, and taking offline forensic images, even if they are simply stored for later analysis," Rafferty said.
To that, Zaichkowsky adds, "quickly preserve data with a short lifetime before it's overwritten such as captured Internet traffic and volatile data from known compromised endpoints."
- Determine what was stolen or compromised and how.
- Determine what security measures, such as encryption, were in place when the breach occurred.
- Align compromised PII with customer names and addresses for notification.
- Notify your legal counsel, privacy and compliance teams, and determine if you need to notify law enforcement.
"Make sure investigative materials can be labeled 'attorney-client privileged' and disclosure and notification requirements are tracked from the onset of an incident," Rafferty said.
- Prepare to meet your notification requirements.
- Choose a spokesperson.
- Be upfront and transparent. If you delay or try to cover up news of a breach, it will simply prolong media scrutiny and increase damage to your brand.
- Notify various stakeholders, including investors, management, IT, HR, external consultants, third-party partners and customers. Remember that data breach notification can require much more than sending out form letters. Different states have different requirements.
- Provide a call center for identity protection and fraud resolution for affected individuals.
Lists like that will probably be necessary for a long time, Avenessian said, since there are "massive problems" within the IT professional community.
The majority of defenders, he said, don't think strategically because they are technicians and "think in terms of tools and tactics."
They are also under pressure from boards made up of executives with sales and finance backgrounds who want technologies employed quickly, without taking the time to build security in.
Finally, security is not "sexy IT," he said. "That has to change -- education is key here."