To many security professionals, buying solutions to prevent a security attack is their strategy to keep hackers out of their networks. But, in today's world of cyberincidents where hackers are becoming increasingly sophisticated, that simply is not enough. Inevitably, a security breach will happen because hackers will find a way to bypass your security monitoring mechanisms completely undetected.
Look at TJX for example. Three years ago, its security team found that hackers had gained access to its network 18 months prior. That means that for 18 months, a hacker went completely undetected by the security prevention measures the company had deployed.
Effective security strategy
While most organizations implement security tools that target prevention, those same organizations fail to understand the full spectrum of security. Prevention is only one part of the equation. Detection and incident response are arguably more important.
- Prevention. We know prevention is not a 100 percent guarantee. Recent security breaches at Google, Adobe, The New York Times, T-Mobile, Heartland Payment Systems, LexisNexis, Visa, MasterCard, and even prominent security vendor Kaspersky provide proof that prevention is not an absolute.
What happens when a hacker is successful at breaking through your “secure” system?
- Detection. When a breach occurs, what happens next? That's where effective detection capabilities must take center stage. The ability to instantly address security incidents is a critical strategy organizations often neglect to implement, even though the cost of failure is so great.
- Network forensics / incident response. With a comprehensive incident response plan, you simply rewind the tape, like a surveillance camera at a bank that was just robbed. Network forensics provides organizations a rewind feature to quickly identify the true source and scope of any incident and even what happened to specific files, data, etc., so you can take immediate steps to rectify the situation. However, without the necessary network forensics tools and a plan, swift incident response is difficult to accomplish.
Three steps to preparedness
Typically, when a security breach is detected weeks, months or even years after the first incident occurred, the damage has been done. So, why do so many companies wait for a crisis? Forensic preparedness reduces the cost of response and helps determine exactly, and immediately, which data has been compromised.
Preparedness might seem like an impossible task. How can we anticipate every threat out there? How does a company prepare for the unknown and unexpected? By addressing all three pillars of an effective security strategy – prevention, detection and incident response.
- Move past prevention. Since security professionals can only stop what they know, we must advance past the first pillar. The “unknown unknowns” will continue to roam in the wild and until they are identified and classified, prevention alone will not be sufficient. These threats will be targeting vulnerabilities we are not aware of. Just look at the vast number of recent security incidents, including Hannaford Bros., Network Solutions, American Express and many others. Eventually, vulnerabilities will be found and exploited and a breach will occur.
- Don't rely on compliance. Compliance is only a start, but regulations are really there just to provide a framework — and force adherence to — good security practices. For those who believe they will not be hacked because they are compliant with industry standards, think again. It can and does happen; just look at the Heartland breach. While Heartland was compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), it still experienced the biggest breach ever involving payment card data. There are simply no guarantees when motivated attackers have an eye on your assets.
- Investigate, detect and fortify. Lastly, we must understand that securing our networks and data also includes swift detection of the source and scope of any security incident. This is critical to enable instant and intelligent response. Rapid detection of a breach is arguably more important than just trying to prevent one. This holistic perspective helps you know exactly what is going on within your networks. Then, when something questionable happens, an immediate response to mitigate the incident provides more protection to your organization's bottom line and brand equity than prevention alone.