BreachExchange mailing list archives

Experienced a Breach? Here Are Four Tips for Incident Response


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Dec 2015 19:21:15 -0700

http://www.circleid.com/posts/20151230_experienced_a_breach_here_are_four_tips_for_incident_response/

The threat level has never been higher for organizations charged with
protecting valuable data. In fact, as recent headlines will attest, no
company or agency is completely immune to targeted attacks by persistent,
skilled adversaries. The unprecedented success of these attacks against
large and well-equipped organizations around the world has led many
security executives to question the efficacy of traditional layered
defenses as their primary protection against targeted attacks. At the same
time, many organizations have begun reviewing and revising their security
best practices in advance of suffering a debilitating cyber attack.

Answer the In/Out Question

What is the first thing you need to do after experiencing a data breach?
You must determine whether the attackers have left the building or are
still inside your systems. This is critical because incident response
differs significantly depending on whether the attacker is still present.
If malicious actors have come and gone, taking valuable data with them, the
company can proceed with forensic analysis to determine the scope of the
attack and assess the vulnerabilities of the affected endpoints.

If hackers are still in your system, however, these long-term questions
need to be put on hold in favor of quarantine and containment: your top
priority becomes ensuring that attackers are unable to cause any more harm
or steal any more data. This often puts CISOs and CSOs at odds with other
C-suite executives, but it's critical to stay the course. Trying to get
back to "business as usual" while adversaries are still lurking in your
systems will only lead to additional long-term damage.
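One concrete way to start answering the in/out question is to take the indicators from the initial finding (the attacker's source addresses and the account they used) and ask the logs whether anything attributable to them has happened since the breach was detected. The following is an added example, not code from the original article or from CircleID; the sshd/sudo-style log lines, hostnames, user names and addresses are all constructed for illustration, and the detection timestamp and indicator sets are assumptions a responder would fill in from the actual case.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the original post). The layout
# mimics syslog-style sshd and sudo records; every host, user and address
# here is invented. The "svc_backup" account and 198.51.100.23 are the
# indicators from the assumed initial finding; 203.0.113.77 is a second
# attacker address that the initial finding did not know about.
SAMPLE_LOG = """\
2015-12-20T02:14:07Z srv-db1 sshd[4122]: Accepted password for svc_backup from 198.51.100.23 port 51230 ssh2
2015-12-20T02:15:41Z srv-db1 sudo: svc_backup : TTY=pts/0 ; COMMAND=/usr/bin/tar czf /tmp/.x/db.tgz /var/lib/mysql
2015-12-22T09:30:12Z srv-web2 sshd[7781]: Accepted publickey for deploy from 10.0.4.15 port 40022 ssh2
2015-12-29T23:58:03Z srv-db1 sshd[9910]: Accepted password for svc_backup from 198.51.100.23 port 50111 ssh2
2015-12-30T00:02:19Z srv-db1 sshd[9935]: Accepted password for svc_backup from 203.0.113.77 port 50119 ssh2
2015-12-30T00:03:40Z srv-db1 sudo: svc_backup : TTY=pts/1 ; COMMAND=/bin/cat /etc/shadow
2015-12-30T08:41:55Z srv-web2 sshd[10211]: Accepted publickey for deploy from 10.0.4.15 port 40031 ssh2
"""

# "<timestamp> <host> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")
# sshd successful-login message
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
# sudo message: "<user> : TTY=... ; COMMAND=..."
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=")

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Split one log line into timestamp, host and message; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "host": m.group("host"),
        "proc": m.group("proc"),
        "msg": m.group("msg"),
    }


def attributed_to(rec, known_ips, compromised_users):
    """True if the record is a login or sudo event tied to a known indicator."""
    login = LOGIN_RE.search(rec["msg"])
    if login:
        return login.group("ip") in known_ips or login.group("user") in compromised_users
    sudo = SUDO_RE.match(rec["msg"])
    if sudo:
        return sudo.group("user") in compromised_users
    return False


def in_or_out(log_text, detected_at, known_ips, compromised_users):
    """Answer the in/out question from the logs.

    Returns (still_inside, evidence): still_inside is True when any event
    after `detected_at` is attributable to the known attacker addresses or
    the compromised accounts; evidence holds the matching raw lines so the
    responder can see what the attacker is still doing and from where.
    """
    detected = datetime.strptime(detected_at, TS_FMT)
    evidence = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["ts"] < detected:
            continue  # pre-detection activity belongs to scoping, not to this question
        if attributed_to(rec, known_ips, compromised_users):
            evidence.append(line)
    return bool(evidence), evidence


if __name__ == "__main__":
    # Assumed case: breach first detected 2015-12-28; one known attacker IP,
    # one known compromised account.
    still, ev = in_or_out(SAMPLE_LOG, "2015-12-28T00:00:00Z",
                          {"198.51.100.23"}, {"svc_backup"})
    print("still inside:", still)
    for line in ev:
        print("  ", line)
```

Matching on the compromised account as well as the known address is what catches the 203.0.113.77 login: an indicator list of IP addresses alone would report only the one known address and miss that the attacker has moved to new infrastructure. A negative result here is not proof the attacker is gone; it only says the indicators you already have are not producing new activity, so it should be paired with checks for persistence (new accounts, keys, scheduled tasks) and outbound connections before declaring the building empty.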

Stay Running

As noted by Inside Counsel, it's tempting to try to protect your network by
shutting down systems and hoping that attackers will simply vacate the
premises. The problem? Powering off destroys volatile evidence (memory
contents, running processes, live network connections) and can leave
investigators unable to determine the cause of the breach. Worse, systems
that come back online may look clean while attackers keep their foothold,
and with the evidence gone, incident responders proceed with response and
remediation procedures as if the intrusion were over. Hidden attackers,
meanwhile, are now privy to your security procedures and have full access
to the newly rebooted systems. Limited shutdowns may sometimes be necessary,
but it's better to stay running if possible and to capture evidence before
containing.

Call The Pros

Before an attack happens, it's important to create an on-the-ground
response team that is prepared to act if and when a breach occurs. This
offers two important benefits. First, there's no confusion about who is on
call to handle the aftermath of a breach, and therefore no delay between
first detection and response. Second, selecting an incident response team
in advance lets you hand-pick experts with the right mix of experience and
out-of-the-box security thinking, giving you both incident response and
proactive guidance on how to avoid similar breaches.

Go The Distance

Last but not least, it's critical to have a plan in place to notify
affected stakeholders, and to make sure it's adaptable. For this step,
determine the "harm threshold" set by state, federal and other regulatory
bodies that triggers the obligation to notify affected parties. In
addition, notification must be tailored to the nature of the breach: loss
of financial data may only require credit and purchase monitoring, while
the theft of health care data could require ongoing assistance.

Interested in better incident response handling and proactive measures?
Accept that no defense is impenetrable, then take steps before a breach
occurs so that you are better placed to protect and defend your network
should an incident occur.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
