If you're lucky, you'll find the broken window, a brick on the floor and a reasonable trail leading to the compromised data. But depending on your monitoring hardware, you may have little or no idea what stock was stolen, because your shelves are virtual. Log files are useful up to a point, but they will never tell the whole story: they record what an application chose to write down, not what actually crossed the wire. To manage the damage you have to know exactly what was taken, and you have to find out quickly. The media-consuming public wants answers immediately, and it is not a particularly patient bunch. The vacuum of public knowledge will be filled with answers to very specific questions from the media: How many records were stolen? How sensitive were they? How long has it been going on? If you wait to fill in the blanks, the tweeting public will pontificate at will, essentially taking away your role in shaping the organization's message. Being able to see where the breach occurred and which systems were affected puts your organization in a position to offer the truth, rather than allowing the seeds of rumor to be planted.
“The effort an organization puts into preventing a breach should be equaled by the effort it puts into knowing what happened after a breach has occurred.”
– Tim Nichols, vice president global marketing, Endace
Network visibility is the key
For all the arguments made for state-of-the-art network security (and it goes without saying that these arguments are completely valid), what may stand between a temporarily embarrassing situation and a reputation-crushing mishandling is network visibility. Yes, you were breached. It happens. Across 2011 and early 2012, well-known entities such as Zappos, Epsilon, RSA, Nortel, NASDAQ and the Vatican were each victims of attacks. There is a lot less shame in being breached these days, but not knowing what has been breached is the precursor to the kind of media coverage that can sabotage all of your best efforts. Knowing exactly what is going on inside the network, in real time, is more important than ever.
Network-recording solutions have historically had a bad rap: "unreliable" and "expensive" are criticisms that have been leveled, but the case for pervasive, full-packet capture is changing as fast as the technology that enables it. The technology reshaping that opinion could very well be your PR department's best friend. As networks move to 10G, it is becoming more and more difficult to just "pop open the hood" and pinpoint exactly where network anomalies lie: at those rates a sampled or summary view (flow records, IDS alerts, application logs) misses the packet-level detail that tells you what actually left. Couple this with the fact that networks will soon move to 40G and 100G, and you have a situation that has cyber criminals, hacktivists and others licking their proverbial chops. Expanding networks, with more data and less visibility, are the perfect storm for a breach.
Organizations on the front foot are responding by investing in a wide range of IT tools to stop network intruders from getting inside in the first place, but they have also come to the conclusion that those investments will fall victim to an unwelcome visitor at some point. Furthermore, they are considering the kinds of solutions that address not only the speeds of today, but the speeds that will no doubt be part of tomorrow's networks.
They won't wait long for an answer
The real-time coverage provided by blogs and online news sources, coupled with the instant and expansive sharing of those stories on social media, has drastically shrunk news cycles to hours and expanded the reach of that information globally. For organizations facing the crisis of a data breach, minimizing the footprint of the damage requires knowing the exact status and relaying that information expediently. So, if you subscribe to the view that you're already breached (and the smart money says that you should), what's your answer going to be when Wolf Blitzer asks, "What did you lose?" If your answer is, "We don't know," then maybe it's time to reconsider how you are monitoring and recording your network data. And hope the story gets buried.