Part 2 of a 3-Part Incident Management Series
Data breaches are increasingly prevalent and virtually inevitable. In 2019 alone, over 7,000 data breaches were reported, averaging nearly 20 per day. In Part 1 of this Incident Management series, we covered how to prepare for a breach—but sometimes, despite the best of intentions, organizations just don’t have the bandwidth, budget, or resources to prepare the way they should in advance of an attack.
If the opportunity for preparation has passed and the inevitable has become reality, all is not lost. There are actions an organization can take in a breach to quickly gain visibility and control—here are 5 tips to step confidently through a response situation, whether prepared or not.
1. Contain the Perimeter
If a data breach has occurred, the organization has already lost control. Sensitive data has broken the network perimeter, and it can no longer control where the data goes and who sees it.
In the aftermath of a breach (or even a potential breach), it is essential not to make the problem worse. While sending data to outside specialists for analysis may make sense, the more people who touch the data after the incident, the higher the risk of making the situation worse.
Don’t exacerbate the situation by sending data out to be investigated indiscriminately. Do as much of the breach analysis as possible in your own environment, and be selective about what’s sent out, to limit the potential for additional issues.
2. Establish a Baseline
Post-breach investigations are expensive, complicated, and time-consuming. Without knowing what or where to investigate, the price tag will just keep increasing.
Limiting the scope of the investigation requires understanding what needs to be assessed. To do this, establish a baseline by building up layers of knowledge and data in a progressive fashion:
● Step 1: Number and Location of Systems: How many systems does the organization have and where are they located? Starting with a complete inventory helps to ensure that something’s not missed before an investigation begins. It’s easier to apply intelligence about how or where the breach occurred to sharpen an investigation’s focus when you understand the entire network landscape.
● Step 2: Types of Systems: What type of data is stored in these systems – structured, unstructured, or semi-structured? This knowledge will define the kinds of tools that will be needed and could provide a high-level indication of the type of data that’s been compromised.
● Step 3: File Inventory: Create an inventory of what’s contained on those systems, such as file count, type, paths, age, etc. Similar to Step 1, doing so enables investigators to reconcile as they review and confirm that each individual system has been covered in its entirety.
● Step 4: File Content: Determine what you want to identify in the data to confirm whether it’s been breached or not. Is it SSNs, addresses, payment card data, account numbers, etc.? Or intellectual property, source code, contracts or the like? Identifying what’s in scope through Steps 1-3 may help determine potential impact, refine what you need to look for, and assist in sizing applicable regulatory compliance requirements.
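As an added example (not part of the original post and not Clairvoya’s software), the Python script below carries out Steps 2 through 4 for a single system: it walks a directory tree, records each file’s type, size, age and SHA-256 (the file inventory of Step 3), tags each file’s data class by extension (Step 2), and counts SSN-like and Luhn-valid card-number-like strings in readable files (Step 4). The sample tree, the extension-to-class mapping and the identifier patterns are assumptions made for this example.

```python
"""Baseline inventory of a file tree plus a first pass at content classification
(Steps 2-4 above). Added example, not Clairvoya code. The sample tree is
constructed inline so the script runs offline."""
import hashlib
import os
import re
import tempfile
import time
from collections import Counter

# Step 2: rough data class by extension (assumed mapping for the example).
STRUCTURED = {".csv", ".db", ".sqlite", ".xlsx"}
SEMI_STRUCTURED = {".json", ".xml", ".log", ".yaml"}

# Step 4: patterns for identifiers named in the text (assumed formats).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops 13-16 digit runs (order ids, timestamps) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def data_class(path: str) -> str:
    ext = os.path.splitext(path)[1].lower()
    if ext in STRUCTURED:
        return "structured"
    if ext in SEMI_STRUCTURED:
        return "semi-structured"
    return "unstructured"


def sha256_of(path: str) -> str:
    """Content hash: lets Step 3 reconciliation spot exact duplicates across paths."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_content(text: str) -> dict:
    """Step 4: count SSN-like strings and Luhn-valid card-number-like strings."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "pan": sum(1 for m in PAN_RE.findall(text) if luhn_ok(m)),
    }


def inventory(root: str) -> list:
    """Step 3: one record per file with the attributes the text lists, plus content hits."""
    now = time.time()
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            try:
                with open(path, "r", encoding="utf-8") as f:
                    hits = classify_content(f.read())
            except UnicodeDecodeError:
                hits = {"ssn": 0, "pan": 0}  # binary: needs a format-aware tool, not regex
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "ext": os.path.splitext(name)[1].lower(),
                "data_class": data_class(path),
                "age_days": (now - st.st_mtime) / 86400,
                "sha256": sha256_of(path),
                **hits,
            })
    return sorted(records, key=lambda r: r["path"])


def summarize(records: list) -> Counter:
    """Roll-up by data class: the figure that sizes the tooling needed (Step 2)."""
    return Counter(r["data_class"] for r in records)


def build_sample_tree() -> str:
    """Constructed sample data; every value here is made up for the example."""
    root = tempfile.mkdtemp(prefix="baseline_")
    files = {
        "hr/payroll.csv": "name,ssn\nA. Person,123-45-6789\nB. Person,234-56-7890\n",
        "hr/notes.txt": "card on file 4111111111111111; order id 1234567812345678\n",
        "hr/notes_copy.txt": "card on file 4111111111111111; order id 1234567812345678\n",
        "app/config.json": '{"db": "prod", "owner": "ops"}\n',
        "app/blob.bin": None,  # written as raw bytes below
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if content is None:
            with open(path, "wb") as f:
                f.write(bytes(range(256)))
        else:
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
    # Back-date the config three years so age-based filtering has something to act on.
    old = time.time() - 3 * 365 * 86400
    os.utime(os.path.join(root, "app/config.json"), (old, old))
    return root


if __name__ == "__main__":
    recs = inventory(build_sample_tree())
    print(summarize(recs))
    for r in recs:
        print(r["path"], r["data_class"], round(r["age_days"]), r["ssn"], r["pan"], r["sha256"][:12])
```

Two details matter for the investigation that follows. The hash column is what lets a reviewer reconcile the inventory against the systems (the two notes files share a hash, so they need to be analysed once but counted twice if notification is required), and the Luhn check is why the 16-digit order id in the notes is not reported as a card number while the test card number is.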
3. Speed to Insight is Critical For Triage
Time management is critical during a data breach investigation. If an attack is ongoing, finding it quickly may mean less exposure from both a data loss and expense perspective. Post-incident, organizations must perform rapid investigations to meet regulatory reporting deadlines and reassure impacted parties.
To optimize the data discovery process, here are three tips to gain rapid insight:
● Go for Speed: Choose tools that can be implemented quickly with a light touch. Building out infrastructure will cost time and money.
● Focus on What’s Important: Use the baseline to narrow the investigation’s focus and increase its speed. For example, eliminating certain file types (based on NIST), focusing on recent data, and ignoring duplicate files can dramatically speed up an investigation.
● Sample Then Prioritize: For large volumes of data, investigating everything can be time-consuming. Use a sampling approach to perform a rapid initial triage and provide the focus for deep dives. This approach compresses timelines (by eliminating time wasted on low-value targets), minimizes cost, and targets the data that requires more in-depth analysis.
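As an added example (not part of the original post and not Clairvoya’s software), the Python script below applies all three tips to a constructed inventory of the kind Step 3 of the baseline produces. It drops files whose hash is in a known-good set (standing in for the NIST National Software Reference Library reference data the text alludes to), drops low-value executable types, drops files older than a cutoff, collapses duplicates while keeping the copy count, then takes a deterministic sample per system and ranks systems by how many sampled files contain hits. The inventory, hash values, extension list and age cutoff are assumptions made for this example.

```python
"""Narrow an inventory to what is worth investigating, then sample it to decide
where the deep dives go. Added example, not Clairvoya's software. INVENTORY and
KNOWN_GOOD are constructed; real work would use the Step 3 baseline and the
NIST NSRL reference hash set."""
import os
from collections import defaultdict

KNOWN_GOOD = {"h-os-1", "h-os-2"}  # constructed stand-ins for NSRL hashes
LOW_VALUE_EXT = {".dll", ".exe", ".sys", ".mui"}  # executables rarely hold regulated data


def rec(system, path, age_days, sha256, ssn=0, pan=0):
    """One inventory record; ssn/pan are content hits from the baseline scan."""
    return {"system": system, "path": path, "ext": os.path.splitext(path)[1].lower(),
            "age_days": age_days, "sha256": sha256, "ssn": ssn, "pan": pan}


INVENTORY = [  # constructed sample, three systems
    rec("fileserver01", "share/hr/payroll_2019.csv", 120, "h-a1", ssn=40),
    rec("fileserver01", "share/hr/payroll_2019_copy.csv", 118, "h-a1", ssn=40),
    rec("fileserver01", "share/hr/benefits.xlsx", 400, "h-a2", ssn=12),
    rec("fileserver01", "share/finance/q3_refunds.csv", 60, "h-a3", pan=25),
    rec("fileserver01", "share/marketing/deck.pptx", 30, "h-a4"),
    rec("fileserver01", "share/archive/2012_backup.zip", 2500, "h-a5"),
    rec("build01", "Windows/System32/kernel32.dll", 900, "h-os-1"),
    rec("build01", "Windows/System32/ntdll.dll", 900, "h-os-2"),
    rec("build01", "src/app/main.go", 10, "h-b1"),
    rec("build01", "src/app/testdata.json", 12, "h-b2"),
    rec("hr-laptop", "Users/hr/Desktop/new_hires.csv", 5, "h-c1", ssn=8),
    rec("hr-laptop", "Users/hr/Downloads/setup.exe", 200, "h-c2"),
    rec("hr-laptop", "Users/hr/Documents/notes.txt", 3, "h-c3", pan=1),
]


def narrow(records, max_age_days=730, known_good=KNOWN_GOOD):
    """Focus on What's Important: drop known-good/low-value files, old files, and duplicates."""
    dropped = defaultdict(int)
    seen = {}
    kept = []
    for r in records:
        if r["sha256"] in known_good:
            dropped["known_good"] += 1
        elif r["ext"] in LOW_VALUE_EXT:
            dropped["low_value_ext"] += 1
        elif r["age_days"] > max_age_days:
            dropped["too_old"] += 1
        elif r["sha256"] in seen:
            seen[r["sha256"]]["copies"] += 1  # analyse once, but every copy is still exposed
            dropped["duplicate"] += 1
        else:
            rep = dict(r, copies=1)
            seen[r["sha256"]] = rep
            kept.append(rep)
    return kept, dict(dropped)


def sample(records, step=2):
    """Sample Then Prioritize: a systematic sample per system, every `step`-th file in path order."""
    by_system = defaultdict(list)
    for r in records:
        by_system[r["system"]].append(r)
    picked = []
    for system in sorted(by_system):
        ordered = sorted(by_system[system], key=lambda r: r["path"])
        picked.extend(ordered[::step])
    return picked


def prioritize(sampled):
    """Rank systems by the share of sampled files with hits, then by hit volume."""
    stats = defaultdict(lambda: {"files": 0, "with_hits": 0, "hits": 0})
    for r in sampled:
        hits = r["ssn"] + r["pan"]
        s = stats[r["system"]]
        s["files"] += 1
        s["hits"] += hits
        if hits:
            s["with_hits"] += 1
    ranked = [(name, s["with_hits"] / s["files"], s["hits"]) for name, s in stats.items()]
    return sorted(ranked, key=lambda t: (t[1], t[2]), reverse=True)


def deep_dive_targets(records, max_age_days=730, step=2):
    """Whole pipeline: narrow, sample, rank; returns the systems that earned a deep dive."""
    kept, _ = narrow(records, max_age_days)
    return [name for name, rate, _ in prioritize(sample(kept, step)) if rate > 0]


if __name__ == "__main__":
    kept, dropped = narrow(INVENTORY)
    print(f"{len(INVENTORY)} files -> {len(kept)} after narrowing; dropped {dropped}")
    for name, rate, hits in prioritize(sample(kept)):
        print(f"{name:14s} hit rate {rate:.0%}  hits {hits}")
    print("deep dive:", deep_dive_targets(INVENTORY))
```

The sampling here is systematic rather than random so that the run is reproducible; a seeded random sample works equally well in practice, and in either case the sample only decides where to look first, so a system that scores zero in the sample is deprioritised, not cleared. Note also that the duplicate counter is kept on the representative file: deduplication saves analysis time, but the notification list still has to reflect every copy.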
4. Deep Dive on Only What’s Relevant
Now we have a good idea of the data’s overall composition. Certain systems or files have been flagged, others contain little or no value.
This is the time to perform deep dives into the targeted areas of interest. It’s far faster and less costly to perform scans and other expensive forensics on smaller datasets. By determining where to focus efforts rather than broadly and blindly interrogating all data on the network, the necessary level of insight (to build notification lists, report to regulators, etc.) can be achieved without wasting time and resources on what doesn’t matter.
5. Prepare for the Future
Everyone says, “it’ll never happen to me.” Then, once it happens, “it’ll never happen to me again.” However, this is wishful thinking: 31% of organizations that experience a breach are attacked again within the next year.
An attack, whether successful or not, is a learning experience for any organization. It shows how and where the network and data could be breached and highlights gaps or inefficiencies in processes and tools for data visibility and security.
Perhaps equally important as how an organization responds during an attack is how it rebounds and reinforces itself after the incident. This is an opportunity for the organization to learn from the challenges and gaps, identify what works, and put measures in place to better protect itself for the future.
Respond with Confidence with Clairvoya
Even without preparation and a plan for incident response, it’s possible for an organization to take action and quickly gain visibility and command over the situation. A successful response approach will quickly assess the situation, identify the critical data, establish a baseline, and then focus on what matters. Clairvoya’s software offers speed to insight and the ability to target files and systems so that a breach can be rapidly contained and confidence restored for a secure future.
Stay tuned for the last part of this blog series, which will focus on how to build on the lessons learned from an incident to solidify an information security position going forward.