Since threats are anything but static, there is always room for improvement in the cyber security realm. People can argue that the true pain caused by a security event is not the incident itself, but rather the fallout and continued damage from ineffective or insufficient detection, response and mitigation efforts – the core components of any properly prepared incident response plan. Incident response programs, and the security teams tasked with executing them, are designed to minimize impact of IT security incidents – hacks and data breaches.
Companies are being attacked. Sometimes they are targets of focus and sometimes they are targets of opportunity. Cyber criminals are actively working against enterprise infrastructure, applications, information and people. It is clear that the monetary and human investment in incident planning and preparedness falls short of what any CSO or CISO needs in order to effectively manage risk. According to the “2014 NTT Global Threat Intelligence Report,” in organizations Solutionary supported with incident response activities during 2013, more than 75 percent did not have an incident response plan.
That number would look far better if we accepted the typical two-page, hard-copy “procedures” document locked in the storage closet or the one page “checklist” taped to the side of a rack in the server room. Unfortunately, documents like that are simply not enough for when organizations experience a distributed denial-of-service (DDoS) attack, or when a customer calls and says that a bunch of their client information is out on Pastebin. Even organizations which develop a formal incident response plan and define their response procedures to help mitigate an incident are often not done. Most of those organizations have not fully tested their response plans or do not have budget defined for handling a significant cyber security incident and have to scramble to justify and request emergency funds, all while actually fighting the incident. As a result, attackers continue to exploit and compound the organizations' inability to respond and the cost to the company and its customers increases exponentially.
There is no doubt that incident response engagement requires different skills and processes, depending on the exact nature and extent, but the vast majority of breaches responded to in the last year involved systems being exposed to malware, DDoS attacks and data breach investigations. The point is that breaches happen. Breaches are now, unfortunately, part of doing business. Yet, most of the costs associated with responding to the incidents are due to missing or improperly functioning basic controls, inadequate planning and lack of formal training. The success of a response program is dependent on the proactive steps that precede any attack of any shape or size. Planning, budgeting and training during incident response planning can help minimize an organization's costs when an incident strikes your organization.
What can organizations do to better prepare?
Controlling your available vulnerabilities is important. One observation in the previously mentioned intelligence report suggests that organizations which performed quarterly external Payment Card Industry (PCI) Authorized Scanning Vendor assessments not only showed fewer vulnerabilities, but they were 35 percent faster to remediate the ones they found than organizations without similar regulatory requirements. This demonstrates the incentive to be prepared for an incident – even if that is due to the threat of a fine.
But it is not quite that simple since not all vulnerabilities are equal. It is best to look at risks using a formal risk assessment methodology, such as looking at data derived from correlated log events or using security device or network management tools. With a proper risk assessment, your organization will have a detailed understanding of which risks pose the greatest threat to your most important assets, and therefore have the largest potential financial impact.
The next step is to understand the difference between acceptable risk during day-to-day business and acceptable risk while under attack. During normal business, a security control that could keep a handful of clients from accessing your systems may be deemed unacceptable; however, in the face of an ongoing attack your organization may look differently at the situation. The same rules do not always apply to both situations. What is intolerable during regular business operations may become the lesser of two evils and the difference between apologizing to some clients, and a formal, public breach disclosure.
The risk assessment process will help your organization decide where to invest its security budget. No one will claim a risk assessment is easy; it can be a humbling experience if conducted correctly, as it will truly illustrate your loss potential, based on quantitative and qualitative risk analysis and give great focus to where you should prepare for incidents that could impact your organization – before you have an incident.