Top 10 Considerations For Your Breach Strategy

Assume you are breached right this minute. Are you prepared to respond?

1. Develop a Breach Response Plan – A Breach Response Plan should be integrated into your organization’s business continuity program. It should be part of your overall incident response plan and designated by incident type. Breach events can have a direct impact on the business’ ability to function. Consider the impact of ransomware or the Sony breach that took over 50% of the environment offline for an extended period of time: “It took just one hour to throw Sony Pictures back into the era of the Betamax. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.” – Fortune, “Inside the Hack of the Century”

2. Communication and Third Party Dependency – When a breach occurs, you need to know who to contact, including any outside organizations you will depend on to process the incident, such as legal counsel (internal and external), regulatory agencies, vendors, trading partners, and outside forensics and security consultants (if required).

3. Defense in Depth – While the notion that the “network perimeter is dead” has validity, basic security principles are still required. Ensure good policies and processes exist around vulnerability management, institute strong role-based access controls, and segment your critical systems and data to greatly reduce your organization’s risk and become a more difficult target.

4. Risk Management – By identifying where your critical data and systems are located and how they are used by the business, along with the corresponding threats, you can better determine where and how to deploy controls. Use these controls, such as encryption, multi-factor authentication, network access control, and segmentation, in a targeted manner rather than large-scale, organization-wide deployments.

5. Visibility – You can’t protect something you don’t know exists. Many organizations, large and small, have poor real-time visibility into their systems, applications, and users. Processes and tools that give you this visibility allow you to plan and react more effectively when a breach occurs.

6. Data Protection – Are you confident in your organization’s backup and recovery capabilities? Ransomware has proven that backups are a security control that must be properly maintained.

7. Privileged Access – Nearly every breach leverages privileged access at some point. The recent PCI DSS v3.2 update and a 2016 FBI cybersecurity update identify this as a top consideration to protect your organization.

8. Use a Realistic Approach to Detective Controls – Breach activity has shifted the focus to detective controls that help monitor and identify breach activity so you can respond and eradicate more quickly. These controls can provide tremendous value, but ensure your organization follows a realistic approach based on your resources and processes. Overwhelming information and a lack of procedures to process the data can make these tools ineffective, which is what happened with the Target breach. Build and test the operational processes around these tools to ensure they provide true detection and response benefits; consider outsourcing security monitoring functions where you do not have coverage for specific times, such as after hours.

9. Regular Control Testing and Validation – As with any other type of maintenance, test your processes and controls periodically to identify gaps and verify effectiveness. Every environment is in a constant state of change, and this verification process enables necessary adjustments and proper focus.

10. Include the Business – Leadership needs to understand the current state of your breach strategy, the current state of preparedness, and how a breach can directly impact the business. Does the business truly understand the financial impact to the organization? How would a breach impact customer or partner contracts and compliance requirements, including any associated financial impacts? These are conversations you want to have before a breach occurs.