Coping with the Inevitability of a Data Breach

Wednesday, October 13, 2010

Robb Reck


Modern business cannot succeed without modern technology.

Without a web presence, computer systems for sales, manufacturing, and distribution, and access to all the information that the web can offer, an organization simply cannot compete today.

That is the reality of the modern marketplace.

Cyber attacks are the other side of that reality. Our web presence provides an attack surface that anyone on the internet can exploit. Our computer systems provide targets which contain valuable information for attackers.

While our employees enjoy the free information on the web, they may also be picking up viruses, spyware and other malware that put our data at risk.

Data Breaches are Inevitable

The result is: data breaches are inevitable. Every organization will be the victim of an attack. More specifically, given enough time, an attack will succeed against our systems. So knowing that an attack will eventually successfully strike our organizations, what do we do?

First, we want to minimize the chances of an attack getting through our defenses. There are numerous ways we do that, and I don’t want to understate the importance of preventative defense mechanisms.

But even with the most advanced technologies in place, we will experience a data breach. That’s where detective technologies and effective incident response programs come in.

Consider an empty office building at night. It is protected with measures like fences, locks, and security guards. But while those safeguards may be able to stop the majority of criminals, there will be the select group that can penetrate them.

That’s why many buildings have an alarm system. That system is not meant to physically stop someone from breaking in, it’s meant to alert the owners so they can immediately put a response plan into motion.

As soon as that alarm is tripped those responsible for the building can put their response plan in place, including calling the police, and locking down the facility.

IT systems should be protected in the same way. We put up our wall to keep people out (firewalls, IPS’s, authentication mechanisms), but once an attacker gets in we need to be alerted and we need to know how to react to the incident.

Fortunately, we’ve got a very nice selection of detective systems to choose from these days.

Intrusion Detection Systems (IDS) sit on your network listening in to everything going on around it. The IDS listens in and when it finds something that looks like an attack it can send off a notification to the appropriate people with all the details they need to mitigate the attack.

Security Incident/Event Management (SIEM) systems correlate logs and network activity from across the network waiting for a combination of events that look like an attack. SIEMs are powerful tools that give insight to attacks across the entire infrastructure, rather than just one system. They can see a big picture from small pieces occurring all over the network.

Log Management tools collect event logs from disparate systems and hold them in one central location. By holding these logs off the device themselves, we ensure that an attacker cannot eliminate all the evidence of his behavior. Even if he turns off logging, that action should trip an alert on the log management tool, which should point responders to the compromised systems.

Getting the notification of the attack is only the first half of the solution. If an attacker gets in at 2am and our lovely SIEM sends an email to a Blackberry that won’t be checked until the morning, we’ve accomplished nothing.

That’s where an Incident Response Plan is essential.

What does your company do if there is an ongoing attack? The plan needs to be created ahead of time and known by those who will be implementing it.

There are many good resources for creating an incident response plan and I will not go into that in this space. But even the best incident response program will fail if you don’t:

  • Have people on call ready to handle incidents.
  • Ensure that all those who will handle incidents know the plan.

Yes, this seems obvious. But in many organizations the people who created the incident response plan are not the same people who will implement it.

As the organization changes and responders come and go, we must diligently on-board new people, and ensure they know how to handle a security incident.

Detective technologies provide a unique benefit. When properly implemented, they are more difficult to defeat than preventative technologies.

While an attacker will eventually figure out a way around your firewall, as soon as they do (and hopefully before they even have the chance to do any damage) a good SIEM can alert the NOC and send technicians rushing to respond.

In a perfect world we will keep attackers, both external and internal, from having the opportunity to exploit our systems. But the reality is that breaches do occur.

An attack that ends in a data breach is a huge black eye on the information security team.

But fast detection can turn that attack into a bragging point, where we can show how our notification systems stopped an attacker before he could extract any data.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Possibly Related Articles:
IDS breaches SIEM
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.