You’ve come to terms with the truth of the world; eventually, you’re going to suffer a security breach. Maybe it won’t happen this month, or this year, but as the great sage Tyler Durden so incisively observed, getting breached doesn’t determine whether or not you have a good security program in place — but how you respond to one does.
Once you accept that everything that can go wrong will do so at the worst possible time, there are things that can be done today to help rein in the trials of the future — things you can set in place to allow you to expect the unexpected.
Disabuse yourself of any notion that the work you do in network security is “protecting” the company’s assets. Your mission is to analyze how the network can be attacked, with the hope that you can control the battlefield well enough to respond to any attack adequately. Network security is as much about technology as the game of chess is about little carved figures on a checkered board.
So, thinking strategically, what can be done today and what can be put aside for later? In this slideshow, AlienVault discusses six key actions you can take today to prepare your organization and help you when your executive team is breathing down your neck for answers they wanted an hour ago.
Preparing for a Data Breach
Click through for six steps you can take today to prepare your organization for the inevitable data breach you will eventually have to deal with, as identified by AlienVault.
Step 1: Build relationships outside of the IT department.
If you like meeting new faces around the organization, a security breach provides ample opportunity to do so — at the worst possible time. A breach is going to involve personnel from a wide range of departments: legal, executive, and PR to name the obvious candidates. Having an established channel with these groups and an understanding of how your jobs will interact during a security breach can save a lot of rushed drafting of paperwork and tense meetings during a time of crisis.
Get Past ‘I Told You So’
Step 2: Get the “I told you so” off your chest now.
We have a notion in info security that the work we do is possibly the most important thing in the company; that without us, the whole organization would fall to its knees, raided by bandits. It’s time to accept some cold hard facts: There are much greater risks to a company’s operational capacity and profitability than a security breach. Remember, your job isn’t to guarantee this won’t happen but to mitigate the impact when it does.
Go Beyond Compliance
Step 3: Comply with regulations, and then go further.
This may be preaching to the choir (compliance is not security), but understand that a security control that isn’t monitored is worse than no control at all: it gives everyone false assurance while adding attack surface. An intrusion detection system (IDS) that doesn’t have someone actively administering it and reviewing its alerts is just another target for intruders to use against you, and an unpatched, unwatched one with a tap on all of your network traffic at that.
Just because you’re in an industry required to keep log data for 90 days doesn’t mean you shouldn’t store logs for longer. Log management should be part of your security solution, and intrusions rarely unfold in a matter of minutes: the initial signs of compromise, and the attacker’s point of entry, may only be visible in logs from months before the breach is discovered. When you need them, you’ll be glad you kept them.
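To make the retention point concrete, here is an added example (not code from the AlienVault slideshow). It parses a handful of constructed syslog lines spanning seven months of a slow-moving intrusion, rebuilds the timeline for an indicator such as the attacker’s IP address or a pivot account, and reports how much of that timeline a given retention window would still hold on the day the breach is discovered. The hostnames, addresses, account names and dates are all made up for the illustration.

```python
"""Added example: what does a log-retention window throw away before a breach is found?

The syslog lines, hostnames, IP addresses (RFC 5737 documentation ranges),
account names and dates below are constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed evidence of a slow intrusion: brute-force, first login, a new
# key for a service account, a lateral move, and a late-stage exfiltration.
SAMPLE_LOGS = """\
Jan 14 03:12:07 vpn01 sshd[2231]: Failed password for admin from 203.0.113.77 port 51022 ssh2
Jan 14 03:12:09 vpn01 sshd[2231]: Failed password for admin from 203.0.113.77 port 51022 ssh2
Jan 14 03:14:41 vpn01 sshd[2240]: Accepted password for admin from 203.0.113.77 port 51030 ssh2
Feb 02 22:05:13 vpn01 sshd[4103]: Accepted publickey for svc_backup from 203.0.113.77 port 40211 ssh2
Apr 19 01:47:55 fileserv sshd[9981]: Accepted publickey for svc_backup from 10.0.5.23 port 39112 ssh2
Jul 30 02:10:03 fileserv rsync[12207]: sent 8.2G bytes to 203.0.113.77
"""

YEAR = 2014                                   # classic syslog omits the year
DISCOVERED_AT = datetime(2014, 8, 1, 9, 0)    # when the exfiltration was noticed

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    msg: str


def parse_syslog(text: str, year: int) -> list[Event]:
    """Parse classic syslog lines; the timestamp has no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # ignore anything that is not a syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["host"], m["msg"]))
    return sorted(events, key=lambda e: e.ts)


def timeline_for(events: list[Event], indicator: str) -> list[Event]:
    """Every event whose message mentions the indicator (IP, account, host), oldest first."""
    return [e for e in events if indicator in e.msg]


def retention_gap(events: list[Event], indicator: str,
                  discovered_at: datetime, retention_days: int) -> dict | None:
    """Compare the full timeline for an indicator with what a retention window keeps.

    Returns None when the indicator never appears; otherwise a summary saying how
    long the attacker had been present and whether the origin of the intrusion
    would still be in the logs on discovery day.
    """
    hits = timeline_for(events, indicator)
    if not hits:
        return None
    cutoff = discovered_at - timedelta(days=retention_days)
    kept = [e for e in hits if e.ts >= cutoff]
    return {
        "first_seen": hits[0].ts,
        "dwell_days": (discovered_at - hits[0].ts).days,
        "events_total": len(hits),
        "events_retained": len(kept),
        "origin_retained": hits[0].ts >= cutoff,
    }


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_LOGS, YEAR)
    for indicator in ("203.0.113.77", "svc_backup"):
        for days in (90, 365):
            r = retention_gap(events, indicator, DISCOVERED_AT, days)
            print(f"{indicator:>14} retention={days:>3}d  first_seen={r['first_seen']:%b %d}"
                  f"  dwell={r['dwell_days']}d  retained={r['events_retained']}/{r['events_total']}"
                  f"  origin_kept={r['origin_retained']}")
```

With a 90-day window, the only surviving trace of the attacker’s address is the exfiltration itself; the brute-force, the first successful login and the new key on the service account are all gone, and the pivot account leaves no trace at all. With a year of retention the whole chain is still there to work backwards through.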
Step 4: Give everybody the answers they need, not the answers they deserve.
From end users to executives, the thing everyone wants during a breach is information, and information takes time to acquire. Your own priority during breach discovery and remediation is making clear decisions and acting on them. Give your users clear, unambiguous answers on why you’re shutting down large portions of the network unannounced, and then do it if that’s what’s necessary. While it’s critical to share information about the incident, it’s more critical to actually investigate it. Consider setting up some form of rapid-response communication to stakeholders (a regular status bulletin, for instance) to avoid the inevitable time wasted on one-off replies to “What’s the status?”
Keep a Clear Head and Stay Focused
Step 5: “When you have eliminated the impossible, whatever remains, no matter how improbable, must be the truth.” – Sherlock Holmes
The perpetrators of the crime you are investigating are just human beings; it’s unlikely they possess psychic powers, supernatural levels of intelligence, or the ability to time travel. During the investigation, you will encounter many “How did they do that?” moments. The simplest answer is usually correct. Keep a clear head and stay rational; this is not the time to take a trip down the rabbit hole. What you are trying to unravel in days, the intruder may have taken months to put together, but remember: you have the advantage of being able to work backwards from what you found to the beginning of it all.
This is the time when those checklists of things to cross-examine during more mundane investigation tasks become invaluable. Between the forensics, remediation and information gathering, your sanity will be tested; however, nothing keeps your sanity like a good list of things to reference against to know you’ve left no stone unturned, no metaphor unexplored.
Practice Makes Perfect
Step 6: Practice makes perfect.
This one is obvious, but too often an organization’s security group wants to run tabletop exercises and keeps postponing them in favor of more pressing, “real” work. It is essential that organizations prioritize these exercises, so that when a real breach occurs, there won’t be any hesitation or confusion over what should be done and who should be doing it.