Part 1 | Get Ready For The Inevitable: 5 Ways To Prepare for Incident Response

In Compliance, Data Flow, Data Lineage, Data Privacy, Governance, Information Management by clairvoya

Part 1 of a 3-Part Incident Management Series

Data breaches are inevitable and are becoming more frequent and damaging—in 2019 alone, over 7,000 data breaches were reported, averaging nearly 20 per day. This is an unfortunate consequence of increased data sprawl, cyberattacks, and security challenges in a remote and distributed work environment. This means that every organization should be prepared to rapidly identify and secure sensitive data: the only question is whether this happens in response to an incident or in preparation for one. 

Breaches carry a high cost: the average data breach costs $3.86 million and takes an average of 280 days to identify and contain. During a cybersecurity incident, a rapid response can make or break the business. The longer an attacker has access to an organization’s systems, the greater the potential for business disruption, reputational damage, and real cost to the company. For many cyberattacks, the target is sensitive customer and company data: stolen and sold, or encrypted with ransomware for a ransom. 

To shore up information security posture in advance of the inevitable, the first step is to gain visibility into sensitive data and how it flows across the firm. Here are 5 ways to be ready for (and successfully navigate) a potential data breach incident:

1.  Know the Attack Surface

Organizations can’t protect what they can’t see or don’t know about, nor can they secure every access point to data. While organizations often put increased controls around their “crown jewels,” sensitive information proliferates throughout the organization in unexpected ways and ends up in less secure locations. Cybercriminals commonly target this “low-hanging fruit”: more vulnerable applications, unsecured backups, stray file copies, and the like. 

Whether in preparation or in response, it’s critical to have the full picture of an organization’s attack surface. Gaining visibility into sensitive data—what’s in it, where it’s stored, and how it moves throughout an organization—can uncover security gaps in advance of a cyberattack or incident. 

2.  Monitor Data Flows

A “successful” breach involves not only gaining access to sensitive information but also exfiltrating that data to a destination the attacker controls. A lack of visibility into data flows is a major reason it takes so long to contain a breach: the organization may know that it has been breached and what data was potentially exposed, but until it knows how the data left its network, the breach isn’t contained. 

Monitoring data flows can speed detection and improve response to a potential breach. When data is tracked as it leaves the organization, an anomaly such as an unusually large outbound transfer from a single account or host can signal a potential breach and let controls and security measures be activated rapidly and effectively.

3.  Have a Triage Plan

Cyberattacks can be complicated. Many gain initial access to one part of an organization’s network then move laterally to attack other systems. The footprint may start small, but it grows to encompass a significant portion of the organization’s ecosystem.

During incident response, it’s critical to know everywhere sensitive data lives so that the situation can be triaged effectively. Triage weighs the importance of the systems in question and the data they contain, as well as the risk to other systems if the compromise spreads. With full visibility into sensitive data and where it’s located, the triage plan can quickly prioritize specific systems for quarantine, analysis, or remediation and minimize the impact of the attack. 

4. Identify Internal Threats

80% of cyberattacks involve a user account with elevated privileges. While the attack could come from a disgruntled or malicious insider, in most cases the internal account was compromised from outside via phishing, credential stuffing, or similar attacks.

Whether or not the attacker is operating from within the organization matters less than rapidly identifying the user accounts involved. Visibility into internal data flows shows who accessed the data and what they did with it, which lets incident responders narrow the focus of further analysis and cut off the attacker’s access (disabling the account, resetting its credentials, and invalidating its active sessions).
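The two ideas above, flagging an account whose outbound volume is out of line with its peers (section 2) and then narrowing the investigation to what that account touched and where it sent data (section 4), can be put into one small triage script. The following is an added example and is not Clairvoya’s code or a description of its product; the log format (`ts user= src= dst= asset= bytes_out= action=`), the internal address ranges, the sensitive-asset labels, the sample log lines, and the anomaly thresholds are all assumptions constructed for the illustration.

```python
# Added example (not Clairvoya's code): egress anomaly + sensitive-access triage.
# Log format, network ranges, asset labels and thresholds are assumptions.
from statistics import median
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed corporate address space; any other destination counts as "outside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assets a discovery/classification pass has tagged as sensitive (assumed labels).
SENSITIVE_ASSETS = {"crm_customers.db", "payroll_2023.xlsx"}

# Constructed sample log lines; the sixth is deliberately malformed.
SAMPLE_LOG = """\
2024-03-14T08:02:11Z user=alice src=10.0.1.5 dst=10.0.2.20 asset=crm_customers.db bytes_out=40960 action=read
2024-03-14T08:15:42Z user=bob src=10.0.1.9 dst=203.0.113.7 asset=design_notes.docx bytes_out=20480 action=upload
2024-03-14T08:40:03Z user=alice src=10.0.1.5 dst=198.51.100.44 asset=crm_customers.db bytes_out=734003200 action=upload
2024-03-14T09:01:27Z user=carol src=10.0.1.12 dst=10.0.2.20 asset=payroll_2023.xlsx bytes_out=12288 action=read
2024-03-14T09:12:55Z user=bob src=10.0.1.9 dst=203.0.113.7 asset=slides.pptx bytes_out=30720 action=upload
2024-03-14T09:33:05Z garbage line without fields
2024-03-14T10:05:19Z user=dave src=10.0.1.30 dst=192.168.5.2 asset=readme.txt bytes_out=1024 action=read
2024-03-14T10:48:36Z user=carol src=10.0.1.12 dst=203.0.113.9 asset=payroll_2023.xlsx bytes_out=51200 action=upload
"""

REQUIRED = {"user", "src", "dst", "asset", "bytes_out", "action"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one 'ts k=v k=v ...' line; return None for anything malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        event[key] = value
    if not REQUIRED.issubset(event):
        return None
    try:
        event["bytes_out"] = int(event["bytes_out"])
    except ValueError:
        return None
    return event


def parse_log(text: str) -> list:
    """Parse all lines, dropping malformed ones (count and alert on them in real use)."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [ev for ev in events if ev is not None]


def is_internal(dst: str) -> bool:
    """True if dst lies in INTERNAL_NETS; unparsable names are treated as external."""
    try:
        return any(ip_address(dst) in net for net in INTERNAL_NETS)
    except ValueError:
        return False


def external_egress_by_account(events: list) -> dict:
    """Bytes each account sent to destinations outside the internal ranges."""
    totals: dict = {}
    for ev in events:
        sent = 0 if is_internal(ev["dst"]) else ev["bytes_out"]
        totals[ev["user"]] = totals.get(ev["user"], 0) + sent
    return totals


def flag_anomalous_egress(totals: dict, factor: int = 10,
                          min_bytes: int = 100 * 2**20) -> dict:
    """Accounts whose external egress exceeds both an absolute floor and
    `factor` times the peer median for the window. The floor stops a quiet
    window (median near zero) from flagging every small upload."""
    if not totals:
        return {}
    threshold = max(min_bytes, factor * median(totals.values()))
    return {user: sent for user, sent in totals.items() if sent > threshold}


def sensitive_access_by_account(events: list, sensitive: set) -> dict:
    """Which tagged-sensitive assets each account touched, regardless of destination."""
    seen: dict = {}
    for ev in events:
        if ev["asset"] in sensitive:
            seen.setdefault(ev["user"], set()).add(ev["asset"])
    return seen


def investigate(events: list, account: str, sensitive: set) -> dict:
    """Narrow the focus for one account: sensitive assets touched, external destinations used."""
    mine = [ev for ev in events if ev["user"] == account]
    return {
        "sensitive_assets": sorted({ev["asset"] for ev in mine if ev["asset"] in sensitive}),
        "external_destinations": sorted({ev["dst"] for ev in mine if not is_internal(ev["dst"])}),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, sent in flag_anomalous_egress(external_egress_by_account(evs)).items():
        print(f"{user}: {sent / 2**20:.0f} MiB sent outside; {investigate(evs, user, SENSITIVE_ASSETS)}")
```

The peer-median comparison is a deliberate simplification: in production the baseline would be each account’s own history over previous windows, and the “internal” test would consult the real address plan and resolve hostnames. The absolute floor is the edge case worth keeping in mind: with only one or two accounts in a window the median is tiny and a ratio alone would flag normal uploads.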

5. Report Quickly and Correctly

The regulatory landscape grows more complex and carries greater requirements for compliance. Under regulations such as GDPR and CCPA, organizations have new responsibilities for reporting incidents. All 50 US states, 132 of 194 countries, and numerous industries have implemented data protection regulations or data breach notification laws, each with different requirements. 

While there is a lot of complexity, one common requirement is that data breaches be reported to regulatory authorities and to the individuals affected. Under GDPR, for example, the supervisory authority must be notified within 72 hours of the organization becoming aware of the breach, and affected individuals without undue delay where the breach is likely to result in a high risk to them.

Within this three-day window, it is necessary to answer several different questions, including:

  1. Was any sensitive or protected data breached?
  2. Which regulators must be informed?
  3. What is the scope of the breach? What happened?

Rapid answers to these questions can be found by gaining full visibility into an organization’s data and internal data flows leading up to and during a breach. By tracking data lineage and flows, the organization can identify any breached data to determine both the scope of the incident and its reporting requirements.

Be Ready with Clairvoya

If you don’t want to be caught on your heels in a breach situation, you need to be prepared to respond quickly, effectively, and with confidence. Any successful incident management approach starts with a deep understanding of the data ecosystem and of where sensitive data lives and moves within it. Clairvoya’s software offers automated data discovery and classification, as well as tracking of data lineage and flows, to deliver full visibility and insight into sensitive data so that a breach can be rapidly scoped and contained.