Three Mistakes in Responding to Security Incidents, and What To Do Instead

It's all about time: responding promptly to any cyber incident is the most important part of any response. However, according to a recent white paper (PDF) from security consultant Derek A. Smith, "Effective Incident Response Through User Activity Monitoring", organizations continue to make the same three mistakes, which could be costing them millions in lost business, tarnished reputation, and even lawsuits. These are:

  • Pulling the plug. If an attacker gets past a company's established cybersecurity defenses, some might think shutting off the power will eliminate the risk of further data exfiltration or other harmful attacker activity. While that might stop the attacker's current activity, it could put your organization in an even worse position, because you lose the valuable business data and forensic information held only in the computer's volatile memory (running processes, network connections, and decrypted data that never reach disk). As a result, shutting down the power may actually result in the attacker getting away completely.
  • Losing log files. Computers log activity and data before, during, and after an identified security incident. All of this can enable companies to identify those involved as well as the intent behind the incident. It can also help a user determine what containment is necessary, and which technological or business ramifications need to be addressed. In addition, the logs can be key forensic evidence if the incident response results in criminal or civil prosecution. Don't lose them.
  • Treating the incident lightly. Every security incident is a learning experience, no matter the cause (simple neglect, nefarious motives) or result. Review what went right and wrong. Use those lessons to improve your response the next time.

What to do Instead
First and foremost, there are technologies available that can give you a clear line of sight into the online and communications activity of your employees, and of anyone else with access to your data (e.g. contractors). This type of monitoring technology will help you meet the following challenges:
 
Identify real incidents. Telling the difference between an actual incident that demands a response and other possible threats that might just be innocent "noise" can be difficult, and most monitoring systems struggle with the process. As a result, it can often take months or even years before real incidents are discovered. The latest tools should be able to alert the security team as soon as any suspicious activity is detected, so they can determine which events need a more thorough investigation.

Analyze all relevant incident data. In most cases, forensic investigation teams only have access to computer logs from firewalls or other technologies whose principal function is to mitigate outside attackers, not possible threats from within. These records have little (if any) information about events occurring after the responsible party or parties pass the perimeter. The most advanced monitoring tools let you search for multiple strings within specific activities or across all recorded logs. They should also let you analyze past events so the security team can identify significant things previously overlooked. For example, the team should be able to quickly and efficiently locate any specific communication activities that were not initially deemed necessary to generate an alert.
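The two points above, preserving the logs and then searching for several strings across every recorded source, can be illustrated with a small script. This is an added example, not code from the white paper or the article; the log lines and the user, host and IP values in it are constructed for the demonstration.

```python
import hashlib
from datetime import datetime

# Constructed sample logs (not from the article): a perimeter firewall log and
# an endpoint user-activity log covering the same few minutes.
LOGS = {
    "firewall.log": [
        "2024-05-01T09:12:03Z ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443 user=jdoe",
        "2024-05-01T09:15:41Z DENY src=198.51.100.7 dst=10.1.4.22 dport=445",
    ],
    "endpoint.log": [
        "2024-05-01T09:11:58Z host=WS-22 user=jdoe action=usb_mount device=removable",
        "2024-05-01T09:12:30Z host=WS-22 user=jdoe action=file_copy path=Q3_marketing_plan.xlsx",
        "2024-05-01T09:14:02Z host=WS-22 user=jdoe action=upload url=https://203.0.113.9/share",
    ],
}

def evidence_manifest(logs):
    """SHA-256 of each log source as collected, so later analysis can show
    the records were not altered (preserve first, analyze second)."""
    return {name: hashlib.sha256("\n".join(lines).encode()).hexdigest()
            for name, lines in logs.items()}

def search_logs(logs, terms, match_all=True):
    """Search every recorded log source for the given strings at once.
    match_all=True requires all terms in one entry; False accepts any term."""
    wanted = [t.lower() for t in terms]
    hits = []
    for name, lines in logs.items():
        for line in lines:
            low = line.lower()
            found = [t in low for t in wanted]
            if all(found) if match_all else any(found):
                hits.append((name, line))
    return hits

def timeline(hits):
    """Order hits from all sources by their leading ISO-8601 timestamp so the
    sequence of events is visible regardless of which log recorded them."""
    def stamp(hit):
        return datetime.strptime(hit[1].split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(hits, key=stamp)

if __name__ == "__main__":
    manifest = evidence_manifest(LOGS)  # record digests before any analysis
    # Retrospective query: what did user jdoe do involving host 203.0.113.9?
    for source, entry in timeline(search_logs(LOGS, ["jdoe", "203.0.113.9"])):
        print(f"[{source}] {entry}")
```

The firewall alone shows only an allowed HTTPS connection; combined with the endpoint log, the same query shows a file copy followed by an upload to that host, which is the kind of overlooked event the text describes.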

Identify WHAT was compromised. This is critical for determining the responsible person's motives, and for putting a stop to them quickly. For example, all CEOs fear the breach of confidential customer data, a "reportable event." Non-reportable events may be even more damaging or costly to the organization, however. Consider the loss in sales that can happen when a company's strategic marketing plan is sent to a competitor, or when systems functionality is compromised. Think of how hackers spoof banks into transferring millions of dollars into their accounts. Your monitoring technology should be able to tell you what was compromised, and when.

Know the "who" and "why" to prevent future incidents. Knowing the "what" and "when" is important, but equally so are the "who" and "why." If malware is introduced to the system through an employee's computer, for example, security might initially treat it as a criminal attack. However, a thorough investigation may reveal non-malicious intent: the employee may have been unaware that setting her phone by her computer allowed the phone to communicate with her work computer via an active Bluetooth connection. No malicious or criminal intent, and another example the security team can use to train employees on what they should avoid doing to help keep the company secure.

The data offered through advanced monitoring tools can help you respond as quickly as possible to almost any incident. They can also help you prevent future events, especially those that might have an immediate, direct business impact.
