[BreachExchange] A Tale of Two Breaches
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Nov 28 18:51:43 EST 2017
https://www.infosecurity-magazine.com/opinions/tale-two-breaches/
Peter is having an extremely bad day. As Data Protection Officer (DPO) at a
large company, he’s just taken a frantic phone call from the CIO who has
informed him of a massive data breach. Details are still very sketchy, but
potentially thousands of customer records, including personal data (PD) and
payment card data, have been compromised – and no-one knows what to do next.
The moment Peter puts down the phone, the clock starts ticking. Under the
provisions of the EU GDPR he knows that if the information loss is likely
to result in risk to individuals’ rights and freedoms, he has just 72 hours
to inform the data protection authorities.
Peter doesn’t just have to tell the authorities that the company has fallen
victim to a successful hack. The GDPR demands that he ideally compiles a
detailed report that covers the nature of the breach, details of who has
been affected and what kind of data has been compromised, how many records
have been affected, the likely consequences, and what measures are being
taken to mitigate the breach.
On top of that, he’ll have to inform affected users “without undue delay”
if the breach might put EU citizens at high risk, while informing the
general public (and press) about the attack and its implications to avoid
any potential speculation or rumor.
It’s a race against time, but even if Peter forgoes sleep over the next
three days, it’s a race he’s going to lose. That’s because the business has
none of the plans, processes, people or technology in place to crunch
through the thousands of systems and terabytes of data to establish the
cause and identify the scale of the breach.
Few DPOs can be unaware of the potential fines that could be imposed under
the GDPR, which amount to €20m or four per cent of annual turnover. These
penalties are not charged as punishment for suffering a breach, but rather
for failing to demonstrate that the organization deployed countermeasures
appropriate to the risk and used state-of-the-art best practices and tools.
What Peter doesn’t know is that the cost goes far beyond the fine itself.
The average total cost of a data breach is $3.62 million, comprising
detection and escalation, notification, post-breach response, and the
biggest single cost – lost reputation and business. One of the risks that
is difficult to predict is whether EU citizens can file compensation claims
if they have suffered damage as a result. The claims can only be rejected
by the organization if they can prove that it “is not in any way
responsible for the damage”.
Without the right tools, the organization can neither provide the necessary
information to the authorities, nor can it effectively investigate and
mitigate the breach; as a result, the cost of this breach will likely run
into the millions. Peter will have many more tough days in the weeks and
months ahead.
The competitor
Unknown to Peter, one of the company’s competitors across town has been hit
by exactly the same attack. Unlike Peter’s company, however, its DPO,
Barbara, has planned for this eventuality. Consequently, she has the right
systems and procedures in place to spring straight into action the moment
she gets the call that marks the beginning of the 72 “golden hours”.
Under Barbara’s watch, her business has invested in robust breach
detection, investigation and internal reporting procedures. At the heart of
this system lie modern log file reporting tools that help determine
whether information has been accessed by unauthorized persons, whether the
breach is serious enough to report, what kind of data has been exposed and
for how long, and how many people have potentially been affected.
These tools use machine data, which provides all the historical information
that the business needs to demonstrate that it had appropriate security
controls in place and that it worked proactively to mitigate the risk.
Whether it is changes to technical configurations (and who made them),
password resets or update history, machine data can be used to document all
of these within the short reporting window.
The difference
The crucial difference between these businesses is that one has the tools
to perform a deep dive into its digital infrastructure and analyze many
thousands of systems and terabytes of data. This enables the company to
determine and document where data was stored, processed and accessed
throughout their environment, and so stop the leakage.
Thanks to her suite of analytical tools, Barbara can quickly plough through
months of data from any number of systems to get a first estimate on which
customers or employees have been affected, how the attackers breached the
network and which vulnerability they exploited, what data was accessed, and
who processed or accessed information.
Machine data analytics can quickly tell you whether there is logon activity
associated with an employee who is out of office, raising a possible red
flag. It can also help mobile device management teams to identify when a
new device accesses a system or logs into a VPN, warning them of
compromised credentials early enough to help prevent data exfiltration.
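The two red flags just described, as an added example that is not part of the original article: a small Python check that runs over constructed logon records (the pipe-delimited format, the out-of-office calendar and the known-device inventory are all assumptions made for the example) and reports logons during an employee's absence and first-time logons from an unseen device.

```python
"""Added example: flag out-of-office logons and first-seen devices.
The record format, calendar and device inventory are constructed for
illustration; a real deployment would read them from the SIEM and MDM."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Logon:
    ts: datetime       # when the logon happened
    user: str
    device_id: str     # device identifier reported by the VPN/MDM (assumed field)
    source: str        # "vpn" or the name of the application logged into


# Constructed reference data the incident team is assumed to hold already.
OUT_OF_OFFICE = {"jsmith": [(date(2017, 11, 20), date(2017, 11, 30))]}
KNOWN_DEVICES = {"jsmith": {"LAPTOP-0042"}, "bjones": {"LAPTOP-0077", "PHONE-0312"}}


def parse_logon(line: str) -> Logon:
    """Parse one constructed record of the form ts|user|device|source."""
    ts, user, device, source = line.strip().split("|")
    return Logon(datetime.fromisoformat(ts), user, device, source)


def is_out_of_office(user: str, day: date) -> bool:
    """True if the user is recorded as absent on that calendar day."""
    return any(start <= day <= end for start, end in OUT_OF_OFFICE.get(user, []))


def review_logons(lines):
    """Return a list of (user, reason, timestamp) alerts for the given records.
    A device is alerted on only the first time it is seen for that user."""
    known = {u: set(devs) for u, devs in KNOWN_DEVICES.items()}
    alerts = []
    for line in lines:
        ev = parse_logon(line)
        if is_out_of_office(ev.user, ev.ts.date()):
            alerts.append((ev.user, "logon while out of office", ev.ts.isoformat()))
        if ev.device_id not in known.setdefault(ev.user, set()):
            alerts.append((ev.user, f"new device {ev.device_id} via {ev.source}",
                           ev.ts.isoformat()))
            known[ev.user].add(ev.device_id)   # suppress repeat alerts for this device
    return alerts


SAMPLE_LOGONS = [                                        # constructed sample input
    "2017-11-27T09:02:11|bjones|LAPTOP-0077|vpn",       # normal
    "2017-11-27T22:47:03|jsmith|LAPTOP-0042|vpn",       # jsmith is out of office
    "2017-11-28T03:15:40|bjones|UNKNOWN-9f3a|vpn",      # never-seen device on VPN
    "2017-11-28T03:16:02|bjones|UNKNOWN-9f3a|crm",      # same device again: no alert
]

if __name__ == "__main__":
    for alert in review_logons(SAMPLE_LOGONS):
        print(" | ".join(alert))
```

Running the block prints two alerts for the sample: one for jsmith's logon during absence and one for the unknown device on bjones's account.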
Integrating this capability into the organization’s security information
and event management (SIEM) enables Barbara to examine every application
and system that is involved in processing personal information.
Barbara’s company hasn’t just invested in technology, however. It has also
spent time putting the right training and processes in place to ensure that
it can effectively respond to a data breach. This includes training for
employees, establishing a cadre of “first-responders”, and ingraining the
incident response process within the organization’s culture.
These processes include guidelines for breach response and provisions for
co-ordination between DPO, IT team, communications department, legal and,
dependent on severity, the CEO and the board. This means that upon learning
about the breach, Barbara can appoint an appropriate incident commander,
and knows what actions she must take to stop the data leakage, whether it
is taking systems or users off-line, shunting access to certain
applications, or creating sink holes.
Thanks to Barbara’s effective preparations, her company is able to provide
a thorough report to the data protection authorities which demonstrates
unequivocally that the company employed the best possible safeguards
against attack and is taking the necessary steps to mitigate its impact.
Barbara is smart and well-prepared, but she didn’t manage all this on her
own. Understanding the complexities of GDPR and the current threat
landscape, she worked with her technology partners who helped her develop a
system that employs machine data to detect, prevent and investigate
breaches, while ensuring that GDPR security controls are enforced.
Barbara hasn’t had the best of days either. She knows, however, that she
has the technology, processes and training in place to demonstrate that
the company has fully followed data protection best practices. As a result,
the company will not only avoid a massive fine under the GDPR, but will be
able to resolve the breach quickly and effectively, with the smallest
possible impact on its customers – or its reputation.