BreachExchange mailing list archives

Be prepared for the breach that’s headed your way


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 27 Jan 2015 19:33:05 -0700

http://www.computerworld.com/article/2875277/be-prepared-for-the-breach-that-s-headed-your-way.html

January 2015 is already winding down, but it’s not too late to think about
the lessons of 2014. For anyone in information security, 2014 was a year
marked by spectacular breaches. It ended with Sony Pictures Entertainment
getting its clock cleaned by hackers, quite possibly from North Korea.
Wouldn’t it be great if 2015 doesn’t include the same sort of clock
cleaning at your company?

Having run thousands of incident response operations over the years, I have
come to appreciate the value of visibility. I’m talking about meaningful
data collection, from the network layer up to the applications. I’m talking
about data that can help the computer security incident response team
(CSIRT) understand with a high degree of confidence what happened. You can
take steps to make sure that your CSIRT will have that kind of data, well
organized, so they’re not lost in a sea of meaningless data or grasping for
clues with no data at all. If you do nothing to improve visibility, your
CSIRT might be able to draw some basic conclusions about an incident, but
chances are they won’t be able to tell executive decision-makers what they
really want to know: precisely what happened in an incident and the extent
of the business impact.

So my suggestion for 2015 is to increase your ability to see an incident.
Make it a goal to be able to accurately and rapidly establish your
situational awareness during and after an incident. Good situational
awareness is vital to your executive team as it sets out to make the
difficult business decisions in the wake of an incident.

First, take stock of what you already have in place for visibility. Take a
critical look at your event logging, data analysis, data retention, etc.
Start at the network level, and ensure that you can see into all of your
mission-critical networks. Then move on to other networks, such as those
for connecting desktops and mobile devices. Do an inventory and establish a
clear picture in your mind of how well the data you’re already collecting
will help you reconstruct the events around an incident. You need to know
what your current abilities will do for your situational awareness.

Next, you should move up to your servers: application servers, departmental
servers, etc. Do another inventory and determine what logging is in place
and how it relates to and correlates with the network-level data. Figure
out how well that data will help you determine the business impact of an
incident. Even though server logs can probably shed only a small amount of
light, you still need to know just what information they contain and how
best you can leverage that information during an incident.

Finally, you need to assess your business applications. Whether they are
internal business applications or customer-facing ones, you need to know
what logging is taking place and how it can be used to tell the story of an
incident.

When you’ve taken stock, it’s likely that you’ll see that your logging
layers provide different perspectives on incidents. More importantly,
there’s a good chance that the logs aren’t even stored in the same place
and that they are viewed by different teams in your network operations and
security operations centers.

And now that you know what you have and where it goes and who sees it, you
have to figure out how you can use those multiple perspectives to build a
single view of an incident. There are products that promise to help you
with that, but the principle of “garbage in, garbage out” always applies.
The tools are only as good as the data they receive.
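The cross-layer view the article asks for, as an added example that is not part of the original post or the Computerworld article: a small Python script that normalises constructed sample lines from the three layers (firewall, server login, business application) into one schema, then pivots from a source address through the login it established to the application actions that followed. The log formats, hostnames, accounts and addresses are invented for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines for the three layers the article walks through
# (firewall, server login, business application); not real logs.
NETWORK_LOG = [
    "2015-01-20T02:14:03Z fw01 ALLOW src=203.0.113.7 dst=10.0.5.20 dport=443",
    "2015-01-20T02:14:09Z fw01 ALLOW src=203.0.113.7 dst=10.0.5.20 dport=22",
    "2015-01-20T02:14:30Z fw01 ALLOW src=198.51.100.9 dst=10.0.5.21 dport=443",
]
SERVER_LOG = [
    "2015-01-20T02:14:11Z app-srv-1 sshd: Accepted password for svc_backup from 203.0.113.7",
]
APP_LOG = [
    "2015-01-20T02:15:02Z billing-app user=alice action=view_invoice id=1001",
    "2015-01-20T02:15:40Z billing-app user=svc_backup action=export_customers rows=48210",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")              # timestamp host rest
LOGIN_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")  # sshd-style login line
def parse(line, layer):
    """Normalise one line from any layer into a common schema (ts, layer, host,
    text) plus any key=value fields or login details the line carries."""
    ts, host, text = LINE_RE.match(line).groups()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "layer": layer,
          "host": host, "text": text}
    ev.update(kv.split("=", 1) for kv in re.findall(r"\w+=\S+", text))
    m = LOGIN_RE.search(text)
    if m:  # server auth line: record which account logged in from which address
        ev["user"], ev["src"] = m.groups()
    return ev

def build_timeline(src_ip, network, server, app, window=timedelta(minutes=10)):
    """Single view of an incident: network events from src_ip, server logins from
    it, then application actions by the accounts those logins established.
    A related event more than `window` after the previous one ends the chain."""
    events = sorted([parse(l, "network") for l in network]
                    + [parse(l, "server") for l in server]
                    + [parse(l, "app") for l in app], key=lambda e: e["ts"])
    timeline, users, last_ts = [], set(), None
    for ev in events:
        if ev.get("src") != src_ip and ev.get("user") not in users:
            continue  # not attributable to this actor at any layer
        if last_ts is not None and ev["ts"] - last_ts > window:
            break
        if ev["layer"] == "server" and "user" in ev:
            users.add(ev["user"])  # pivot from address to account
        timeline.append((ev["ts"].isoformat(), ev["layer"], ev["host"], ev["text"]))
        last_ts = ev["ts"]
    return timeline
```

Each row of the returned timeline carries the layer it came from, so a CSIRT can see at a glance which layer contributed which step and where a layer is silent.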

The important thing is to make sure that, should you be hit by an incident,
you will have the situational awareness that your executives need. For
them, whether something happened at the network level or the application
level is immaterial. They just want to know the business impact. They want
a damage assessment and a course of action.

So in 2015, that’s what you should be prepared to give them. To get there,
take a critical look at your visibility and make an action list on how you
can improve things. Imagine various event scenarios and determine just what
sort of data you’d likely find and how useful that data will be in telling
the executive team what they need to know.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 