[BreachExchange] Learning to live left of breach

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jan 17 10:55:16 EST 2018


The cybersecurity industry tends to focus its attention on what to do after
a breach or a hack occurs. After all, this is the topic of discussion for
the media, or an organisations’ partners and customers. “What does the
victim do now?” But shouldn’t we be at least as interested, if not more so,
in what the organisation should be doing before a breach ever occurs? This
is how we came up with the term “staying left of breach”, meaning before the
breach takes place.

It is commonly agreed within the industry that data
breaches are inevitable. It won’t be long before the media outlets give us
another Equifax, Three, Deloitte or Wonga (to name but a few) – and
demonstrate the potential irreversible damage the breach may have on said

As the stories of these breaches emerge, we continue to see organisations
remaining right of breach for far too long; that is, in pure reactive mode.
Panicking and scrambling to collect information that may no longer exist –
often days, weeks, or even months after the breach occurred. So, what
exactly does this look like in practice?

Living right of breach

The first step to understanding the difference is learning what to expect
if you choose to remain right of breach…

A sense of panic and dread

It’s only natural upon learning that your organisation has been breached
that a sense of dread will begin to fall over any business leader. There
is a correct way to react, but because you’re living “right of breach”, you
begin to panic and scramble for answers. What resources or assets have been
compromised? And, very often you can’t find the data you need to inform
legal counsel and senior executive decisions due to inadequate incident
preparation. Combine the lack of planning with a lack of experience and the
overwhelming requirement to report to compliance and regulatory bodies, and
the result is pandemonium.

The end result is that a breach becomes wildly expensive for any
organisation – not just in terms of litigation – but in terms of brand
reputation, on which it can have a devastating effect for even the largest
of conglomerates.

Regulations and notifications

Depending on where your organisation is based, you will be held accountable
to any number of compliance requirements and regulation bodies. One such
regulation that centres around breach notification is the EU’s General Data
Protection Regulation (GDPR). Organisations whose business operations are
predominantly based within the European Union (EU) have no choice but
to pay attention to the regulation, which comes into effect in May
2018. After all, if they choose to ignore it, they could face significant
fines for noncompliance. These fines are the greater of €20 million or 4%
of the organisation’s global gross revenue. The time and money spent having
to comply is surely the preferable option for organisations operating
within the EU.

To the left, to the left

Now that we understand a little more about the costs of being breached,
let’s turn our attention to the benefits of staying in that ideal left of
breach posture, and some ways to remain there.

Plan for the worst, hope for the best

If you plan for incidents to occur, if you run your organisation “left of
breach”, you can budget for the costs of planning and implementing your
security strategy. Yes, there are one-time start-up costs and annual upkeep
or maintenance costs, but all of these will become part of budget planning,
and hence, the annual financial planning process.

By taking this approach, you can detect breaches much earlier in the threat
lifecycle, which removes a great deal of the costs resulting from a breach.
Through early detection and remediation, you avoid the costs of
notification and the legal fees for subsequent lawsuits.

More importantly, if you’re only responding to a breach many months after
the fact, it can be very hard to say definitively what data was compromised.
Detecting and halting the breach before the attacker can access sensitive
data means you won’t have to deal with notification costs.

Why early detection is the way forward

When you build your infrastructure with visibility in mind, you naturally
learn a fair bit about what’s going on inside your virtual walls. You begin
seeing a great deal of the activity that’s occurring on your systems, both
long-running and short-lived processes. As you begin monitoring your
systems, even the most basic filters for process activity will illustrate
suspicious activity.

This sort of visibility, particularly when coupled with system hardening
and audit configuration, inherently leads you to understand and detect
suspicious activity, as well as outright breaches, much earlier in the
threat lifecycle. Rather than learning from an external third party that
you’ve been breached, you detect the breach before the attacker can access
sensitive data. As such, you can then state definitively that sensitive
data was not accessed in your report to your compliance oversight body.

Endpoint visibility and monitoring tools allow organisations to detect the
presence of malicious actors much sooner within the breach cycle. This then
allows security teams to identify their entry point and respond with a
planned approach before they develop a foothold within the IT

Getting to the left of breach

Getting left of breach means configuring your systems appropriately for
your infrastructure and then utilising them for visibility.

When I say configuring your systems, ask yourself questions like:

- Why is our DNS or DHCP server running a web server and Terminal Services?
- Should both of those be accessible from the internet?
- Are our systems configured to provide only the necessary and defined
services, and are those systems and services patched appropriately?

The purpose of system configuration is to reduce your potential attack
surface, making it harder for cybercriminals to gain access to systems by
forcing them to change the methods they use to attack your organisation.
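The three questions above can be turned into a repeatable check. The following is an added example, not code from the original post or from Risk Based Security: it compares what each host actually listens on against an assumed per-role baseline, flags services that should never be internet-facing, and records patch status. The inventory, the role baseline and the port list are all constructed for illustration.

```python
"""Attack-surface review: does each host expose only the services its role
calls for, is anything unsafe reachable from the internet, and is it patched?
Added example with a constructed inventory; not data from the original post."""
from dataclasses import dataclass

# Ports each role is expected to listen on (assumed baseline for this example).
ROLE_BASELINE = {
    "dns": {53},
    "dhcp": {67},
    "web": {80, 443},
}

# Services that should never be internet-facing, whatever the host's role.
NEVER_INTERNET = {3389, 445, 135}  # Terminal Services/RDP, SMB, RPC endpoint mapper

PORT_NAMES = {53: "dns", 67: "dhcp", 80: "http", 443: "https",
              3389: "rdp", 445: "smb", 135: "rpc"}


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    listening: frozenset        # ports actually bound on the host
    internet_facing: frozenset  # subset of listening reachable from the internet
    patched: bool


def review_host(host):
    """Return (host, finding, port) tuples; an empty list means the host matches its role."""
    findings = []
    expected = ROLE_BASELINE.get(host.role, frozenset())
    # Anything listening beyond the role baseline widens the attack surface.
    for port in sorted(host.listening - expected):
        findings.append((host.name, "unexpected-service", port))
    # Some services are unsafe on the internet regardless of role.
    for port in sorted(host.internet_facing & NEVER_INTERNET):
        findings.append((host.name, "internet-exposed", port))
    if not host.patched:
        findings.append((host.name, "unpatched", None))
    return findings


def review_inventory(hosts):
    """Collect findings across the estate, keyed by host name."""
    return {h.name: review_host(h) for h in hosts}


def describe(finding):
    """Human-readable line for one finding."""
    host, kind, port = finding
    if port is None:
        return f"{host}: {kind}"
    return f"{host}: {kind} {PORT_NAMES.get(port, port)}/{port}"


# Constructed inventory: a DNS server that also runs a web server and
# Terminal Services, exposed to the internet, next to a correctly scoped web host.
INVENTORY = [
    Host("dns01", "dns", frozenset({53, 80, 3389}), frozenset({53, 80, 3389}), patched=False),
    Host("web01", "web", frozenset({80, 443}), frozenset({80, 443}), patched=True),
]

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY).items():
        if not findings:
            print(f"{name}: matches its role baseline")
        for finding in findings:
            print(describe(finding))
```

Run as written, the script reports four findings for dns01 (http and rdp outside the dns role, rdp internet-exposed, unpatched) and none for web01; in practice the inventory would be fed from an asset register or a port scan of your own estate, and the baseline maintained alongside the build standard for each role.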

Enabling endpoint visibility and monitoring the information collected
allows your organisation to capture a complete record of an adversary’s
access to your network. The appropriate application of threat intelligence
allows you to filter through the vast amount of “normal” activity within
your infrastructure that is indicative of day-to-day business, and alert on
activity associated with dedicated adversaries. This process then gives you
the ability to quickly filter through massive amounts of data to focus on
just those relevant activities. The same is true for insider threats as
well as a wide range of security issues.
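The filtering described here, and the earlier point that even basic filters over process activity surface suspicious events, can be shown with a small triage pass over endpoint telemetry. This is an added example, not code from the original post or any particular product: a per-role baseline of ordinary parent/child process pairs suppresses day-to-day activity, a threat-intelligence indicator list flags known-bad binaries, and only the remainder is raised as an alert. The log lines, the baseline and the indicator values are all constructed placeholders.

```python
"""Process-activity triage: filter out routine process creation using a role
baseline, flag known-bad hashes from a threat-intelligence feed, and surface
what is left. Added example; log lines, baseline and indicators are constructed."""

# Constructed endpoint telemetry: time|host|role|parent image|child image|sha256 (placeholder values)
SAMPLE_LOG = """\
2018-01-17T09:00:01Z|dns01|dns|services.exe|named.exe|sha256-constructed-01
2018-01-17T09:00:05Z|dns01|dns|httpd.exe|cmd.exe|sha256-constructed-02
2018-01-17T09:01:00Z|ws-042|workstation|explorer.exe|outlook.exe|sha256-constructed-03
2018-01-17T09:01:30Z|ws-042|workstation|outlook.exe|update_helper.exe|sha256-constructed-04
"""

# Assumed per-role baseline: (parent, child) pairs that are ordinary business activity.
ROLE_BASELINE = {
    "dns": {("services.exe", "named.exe")},
    "workstation": {
        ("explorer.exe", "outlook.exe"),
        ("explorer.exe", "winword.exe"),
        ("outlook.exe", "winword.exe"),
    },
}

# Threat-intelligence feed: hashes tied to known adversary tooling (constructed placeholder).
INDICATORS = {"sha256-constructed-04"}


def parse_events(text):
    """Turn the pipe-delimited telemetry into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, role, parent, child, digest = line.split("|")
        events.append({"ts": ts, "host": host, "role": role,
                       "parent": parent, "child": child, "sha256": digest})
    return events


def triage(events, baseline=ROLE_BASELINE, indicators=INDICATORS):
    """Return only events that fall outside the role baseline or match an indicator,
    each annotated with the reasons it was kept."""
    alerts = []
    for ev in events:
        reasons = []
        # Normal activity for this role is suppressed; anything else is of interest.
        if (ev["parent"], ev["child"]) not in baseline.get(ev["role"], set()):
            reasons.append("outside role baseline")
        # A hash match against the intel feed is an alert regardless of baseline.
        if ev["sha256"] in indicators:
            reasons.append("threat-intel match")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


def summarize(events, alerts):
    """(total events, events surfaced): shows how much routine activity the filter removed."""
    return len(events), len(alerts)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    alerts = triage(events)
    total, kept = summarize(events, alerts)
    print(f"{kept} of {total} events surfaced for review")
    for a in alerts:
        print(f"{a['ts']} {a['host']} {a['parent']} -> {a['child']}: {', '.join(a['reasons'])}")
```

Two of the four constructed events survive the filter: a DNS server whose web server process spawned a command shell, and a workstation binary that both sits outside the baseline and matches the indicator list. The baseline is what makes the filter useful; it should be built from observed activity per role and revisited as the estate changes, and the indicator set refreshed from your intelligence sources.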

It comes down to the saying “An ounce of prevention is worth a pound of
cure.” Of course, you can justify spending large sums of money and time by
waiting for a breach to occur. Once that happens, what choice do you have?
Isn’t it better to take the time, money, and energy to focus on staying
“left of breach”, rather than suffering from the enormous costs (financial,
legal, brand) associated with being “right of breach”? Chances are your
stakeholders and investors will thank you in the long run when your
organisation is breached.