It should come as no surprise to hear that the faster you can identify and contain a security incident, the less costly it will be, hence why it is crucial that any organization that stores large amounts of valuable data has a tried and tested incident response plan (IRP) in place.
Yet, as much as 77% of companies don’t have a formal IRP, according to a recent IBM survey. Of course, there’s nothing special about an incident response plan (IRP), it’s really just a way of ensuring that organizations are prepared for the worst, and have a formal procedure to follow, in the event of a breach.
Below are some pointers which can help organizations reduce the operational, financial and reputational impact of a security incident.
Identifying the Incident
A security incident is any event which may indicate that an organization’s systems or data have been compromised, or that the security controls in place have failed. To establish whether our systems and data have been compromised we need to be able to detect anomalies. However, in order to detect anomalies, we must first establish a clear understanding of the types of events that are considered normal and use this as a baseline in which to test against.
While there may be techniques that enable security teams to perform such an analysis manually, this would not be the recommend approach, as it would be highly unlikely that they would be able to gain the visibility they need to detect and correlate events in a timely manner.
Instead, they would be better off investing in a platform that uses machine learning to establish typical usage patterns and alert the security team of any events that deviate from this pattern.
Carrying Out a Forensic Analysis
Once a breach has been detected, security teams will need to gather up as much information as they can regarding the severity of the breach.
A real-time auditing solution will aggregate event logs from multiple sources and display a summary of these events via an intuitive dashboard, which security teams can search and filter.
As a starting point, security teams will need to know what type of information has been affected by the breach, as this will help to determine what they need to do next.
Preventing the Attack from Spreading
Regardless of the tools and technologies an organization chooses to adopt, it is always good practice to adhere to the principle of least privilege (PoLP).
PoLP is based on the idea that users should be granted the least privileges they need to be able to do what they need to do. PoLP helps to restrict the movements of cyber-criminals by preventing them from moving laterally across the network, were they to find their way in.
Once the security team has performed an initial investigation to determine the severity of the incident, they will need to act fast to prevent the attack from spreading. Such actions may include disconnecting the network from the internet, disabling all remote access, changing the firewall settings, and resetting all relevant credentials.
If necessary, they may need to shut down all affected systems and scan all drives, devices and applications, for signs of infection. Once the incident has been contained, security teams will need to closely monitor all affected systems to ensure that the incident doesn’t come back.
Automation technologies can also help us contain cyber-attacks. Most real-time auditing solutions can detect and responding to security incidents based on a pre-defined threshold condition. In the context of a Ransomware attack, if x number of files are encrypted within a given time-frame, a custom script can be executed which can disable a user account, stop a specific process, change the firewall settings, or shut down the affected server.
This is just one possible use case of threshold alerting, although it can be applied to any patterns of behavior that deviate from the baseline beyond a certain threshold. When we start to combine threshold alerting with AI and threat intelligence, we will be in a much better position to contain cyber-attacks in a fast and efficient manner.
Notifying Customers and All Relevant Stakeholders
Once we have taken the appropriate measures to identify and contain the security incident, it is time to disclose information about the breach to the public.
It’s understandable why many organizations hesitate when it comes to admitting that they have a suffered a security breach, however, a failure to do so could result in a loss of trust, and it would be very hard to get that trust back.
It is imperative that they provide clear and concise information about the incident, including information about who is affected and how. They will also need to reassure their customers that they have the situation under control, and that they have taken all of the measures possible to prevent the attack from reoccurring.
Keeping them Keen
In the event of a serious breach, organizations may need to “go the extra mile” in order to retain the loyalty of their customers, which might include offering free stuff. For example, offering identity protection and recovery services, such as credit monitoring and identity theft insurance, would surely illustrate that the company is committed to keeping their data out of the wrong hands.
Organizations must provide as much information as they can to help those affected, which might include information about how to freeze their credit cards or get a free credit report, as well as any relevant phone numbers and websites.
At the end of the day, data breaches happen, and they happen to the most prestigious organizations. Organizations should explain to their customers why the problem persists, and what they plan to do to resolve it.
It is important to remember that just because you have successfully identified, contained and disclosed a data breach, and managed to come of out of it relatively unscathed, doesn’t mean that you can sit back and relax. It is imperative that organizations adopt a pro-active approach to keeping their systems and data secure.
They need to be continuously monitoring their privileged accounts, files and folders for suspicious activity. They need to ensure that they have an ongoing security awareness training program in place, and that their incident response plans are periodically reviewed and updated according to any changes in the threat landscape.
In addition to keeping abreast of the latest security threats, they need to be informed about any new technologies entering the market that can help them minimize the chance of another data breach.