10 Point Check List to Prepare for a Breach
Security breaches occur on a daily basis. Today it’s not about whether you were breached, but rather how fast you responded. Having your security compromised could cost you your job, your profit, and especially your reputation. These fears often prompt managers to pile up their security features in the hope that it will not be breached. But this is often in vain. Any security measure can be breached by a persistent attacker. While essential preventive measures need to be in place, the real answer lies in early detection, quick response, and effective recovery.
As per Verizon DBIR 2016, less than 20% of security breaches are detected by internal systems. 80% of all breaches are reported by law enforcement, customers, or other agencies. In essence, most organizations are taken by surprise by a breach notification, and react to it after the fact when a planned response is necessary to mitigate the losses and reduce business downtime.
The costs associated with a breach increase exponentially when there is a delay in detecting it. On average an organization impacted by a security breach incurs $4 Million in costs across, forensic investigation, penalties, business disruption, direct losses, legal advice, and reputation impact.
1. Effective asset tracking
Before you can protect your assets, you need to know what they are, where they are, who has access to them, and what their vulnerabilities may be. The following measures should be in place at all times:
- An up-to-date asset inventory
- Business criticality, Asset interconnects, data flow path
- A mechanism to detect rogue assets should they appear
2. Early detection
The quicker you can detect a breach, the less damage it will cause. Three measures will help you detect a breach in its early stages:
- Ongoing detection of possible vulnerabilities
- Round-the-clock monitoring & detection of common threats
- An analytical system that adapts to new threats quickly
3. Instant reaction
Triage is the process of segregating serious threats from false positives & less threatening vulnerabilities. How good is your current triage?
- Does your triage measure how critical the threat is?
- Can your triage analyse the past 90 days to profile attacker behaviour?
- Are threat intelligence inputs prioritised?
- Is global vulnerability exploitation utilised to prioritise mitigation?
- Does your triage exercise an effective reaction in real time?
In 2013, the US retailer, Target, lost 70 million credit cards. In hindsight, what they were missing was effective triaging capabilities. Even with the best security measures in place—including SIEM & FireEye APT—a lack of triage meant not knowing which threats to prioritise. In short, the critical threats were missed because there were so many non-critical ones that distracted the 24/7 SOC team.
4. Rapid investigation
After proper triage has taken place, it becomes apparent which threats warrant investigation and which ones can be ignored. Investigation must take place quickly in order to answer the pertinent questions that will prevent future threats. Skilled analysts need the following five tools in order to determine who presented the threat and how they did so.
- The ability to collect data from multiple assets from one central point
- The ability to run analytical models speedily
- The ability to ascertain the origin and extent of the attack
- The ability to determine attacker attributes & methodology
- The ability to analyse the root cause of the threat
A good example of a preventable incident is the recent 2016 ATM hack in India. Over 10 lakh consumer cards were impacted because of a malware within the ATM network. The malware was investigated and analysed for six weeks. Would the reputation of this bank still be intact if the incident was remedied within six days instead of six weeks?
5. Real time threat containment
Now that you’ve determined the breach, it’s time to contain and eradicate it—and fast!
- Can you isolate a server or endpoint within minutes (rather than days) of a breach?
- Can you perform this isolation without having to shut the entire system down?
- Can you enable an IPS or WAF signature automatically in order to contain an incident?
The best hackers take a long time to explore vulnerabilities before attacking. These vulnerabilities can be detected by you before they’re detected by the hacker. Even the best security teams need early detection systems to perform their duties effectively.
6. Sharing Lessons Learnt
Attackers share breach data on potential targets, tools that work and cracked passwords. Sadly the targeted organizations rarely share such intelligence. Every organization learns new methods for cyber-defense - an attempted breach or a security loophole that was exposed by an attacker or by a smart employee, vendor or customer. Everyday organizations collect threat intelligence on attacker identity and the techniques they deploy against them. If only we had mechanisms, forums, and methods to share such intelligence which lies within individual organizations and use these for the common benefit! To do this, you need to ask yourself:
- Are you collating information regarding attacks that target your environment
- Do you participate in forums where such information can be shared
- Are you part of forums like FS-ISAC, IT-ISAC which collect and share information at a global level
Your 10 point checklist for breach preparation
- Are you aware of all existing assets on the network?
- Are you capable of identifying new assets when added?
- Do you track vulnerabilities in your assets?
- Do you monitor for threats in real time?
- Do you monitor for all well-known threats using signatures and past cases?
- Do you hunt for unknown and advanced threats?
- Does your monitoring system segregate true incidents from the rest?
- For real incidents, can you perform incident investigation within minutes?
- Does the investigation platform identify the root cause and overall threat impact?
- Can you isolate an impacted system, service or network in near real time?
Remember that all security measures are vulnerable. Begin to customise your protection to ensure it detects a breach quickly, responds to that breach, investigates the vulnerability, and instantly contains it.