BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Establishing The New Normal After A Breach

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 26 Sep 2013 23:52:09 -0600
http://www.darkreading.com/attacks-breaches/establishing-the-new-normal-after-a-brea/240161897

As embarrassing and costly as a big data breach may be for an organization,
many security professionals will tell you that this kind of incident may be
good news in the long run for the risk posture of the business. Sometimes
even after numerous warnings from security and risk advisors, the only way
for senior managers to sit up and pay attention to a set of risks is to
have an incident from that risk detailed blow by blow in the business press.

"Once an organization has gone through all that pain, they're forever
changed," says Lucas Zaichkowsky, an enterprise defense architect at
AccessData. "Your whole outlook changes."

For all of the problems that breaches bring, they also present a learning
opportunity and potential for developing better processes that improve the
day-to-day effectiveness of IT security. But that growth can only occur if
organizations spend the time to do a thorough analysis of the event to find
the fundamental risk factors that contributed to a compromise.

"If you haven't taken the time to figure out what's wrong in your program
or your technology, then it's pretty natural that it's going to happen
again," says Vinnie Liu, managing partner for security consulting firm
Bishop Fox.

Unfortunately, some organizations today tend to engage in a type of
whack-a-mole brand of incident response, responding to breaches and malware
outbreaks only by cleaning up systems affected by the incidents but never
delving into root causes, says James Phillippe, leader of threat and
vulnerability services for the U.S. at Ernst & Young. Meanwhile, he says,
"the root cause--weak network controls, poor user education, weak policies,
or perhaps improper architecture configurations--will persist."

On the other end of the spectrum, many organizations recognize that they
can't simply clean up systems after a breach and carry on as before but
because they react quickly without analyzing why things went wrong they end
up wasting a lot of money. And then they still end up breached again.

"I think a lot of recidivism stems from the knee-jerk reactions," Liu says.
"You see something wrong, you buy a bunch of tools, you drop them in place,
and you think you're safe."

This is why leveraging an breach for more executive buy-in, budget and
meaningful change requires you use that event "in a balanced manner, not in
a panic attack," says Robert Stroud, international vice president of ISACA.

Once a thorough post-mortem is done, he recommends either using an existing
risk model or developing a new one and running the operational and
financial impacts of the breach outcome through that model to understand
how that changes risk calculations. From there, an organization can more
clearly understand if they only need to change a few controls, or if they
need to make a major overhaul in security processes.

"More often than not, we see organizations go, 'Hey, we've got to do
something about that, let's just do it,' and they start executing
immediately," Stroud says. "Organizations will go without any assessment,
spend significant money on potential vulnerability without any
understanding of the business impact or risk exposure, potentially costing
their business significant money. It might be more money than the risk
itself."

As the experts have explained, establishing the new normal following a
breach is going to take post-mortem analysis and it's also going to require
changing risk models. But more significantly, it is going to involved
sustained investment. The cost of upping the security game is easy to
overlook amid all of the more picayune line-items of breach response, but
process improvement should be part of the overall response budget once a
breach has come to light.

"People talk about overlooking the cost of credit monitoring, reporting,
fees and things like that," Liu says. "But from what we've seen, I think
some of the biggest investments that have to be made over the long term
following a breach is for changing process."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
Previous By Date Next
Previous By Thread Next

Current thread: