Incident Responders take a lot of pride in finding that ‘Needle in the Haystack’ when conducting data breach investigations. The thrill of forensics lies in finding the tiniest clue that unravels the story of how a breach occurred and what exactly was compromised as a result. But the reality is that during forensic investigations, there is not always a needle in the haystack of evidence that we comb through, and the impact can be huge.
If we don’t know what caused a breach, then we are left guessing about how to prevent it from recurring. But even worse, if we don’t have evidence of how much data left an organization – if there is no “needle” that lets us see what data moved through the pipes – then we may have to report a total exposure of all potentially exposed records.
The bottom line is that many organizations we have assisted as incident responders have not aligned their incident response plans with their monitoring and event log management. How does that happen even in organizations which have sound incident response plans and technologies deployed for incident response readiness?
After going through several post-investigation interviews with clients, we have discovered that there are three common themes in the exposed negligence:
- Budget for optimizing technology
- Willingness of internal Security teams to go the extra mile
- Expertise of Security teams on current threats and breach trends
When companies can spend $150,000 purchasing a technology, they can also spend $10,000 on optimizing the technology. This usually means that the vendor or a professional services organization thinks through what can go right with the new technology as well as what can go wrong i.e. how it can be exploited. Subsequently, they make sure that the new technology is creating logs that show evidence of both. Many organizations measure the success of a project simply on the deployment. A small investment on optimizing the technology and training the staff can increase your chances of planting those needles in your haystacks.
A big factor of failure in optimizing the technology is the willingness and motivation of internal technology teams. IT teams are usually over-worked employees who are also tasked with after-hours projects, especially for technology deployment and operational/security incidents. We are not advocating memorizing the whole product manual of all technologies, but the IT teams must understand how security threats leave evidence of their attacks on each type of technology. A risk assessment or penetration test is a quick way to gain this knowledge, but an IT staff that is interested in the secure function of their technologies – and not just their operational functionality – will establish the technical environment that creates the evidence you will need during forensic investigations. The million dollars’ worth of equipment in a data center is of no use if it’s not solving the business problem of security.
One of the most important controls in security is understanding an organization’s data flows and business requirements. All other controls come later. If the security team does not understand what access is required for business and what is not, they will not be able to harden the systems and the network effectively. Likewise, if the security team does not understand what the current threats and breach trends are, they cannot protect the organization effectively.
The remedy for these problems is for the business to ensure that there is a sound process for technology deployments which is aligned with business goals. There has to be a process to measure the success of products and its implementation. The incident response process should incorporate all interested parties. The security teams should have the opportunity to attend applicable product trainings so that they understand all the features and would then be able to customize solutions specific to organizational requirements. Finally, it is imperative that organizations invest in staying current on the threat and breach trends. Among other consulting services, it is time for organizations to invest in Security Engineering consulting from firms who respond to data breaches regularly so that they can assist with meaningful configuration of security technologies.
Do you find that budget, willingness and expertise are challenges your organization faces? Is one area more problematic than another? Are there other challenges we did not mention? Please feel free to share your thoughts in the comments section below.
Incident Response Hotline: 800-925-0559