[BreachExchange] How accepting that your network will get hacked will help you develop a plan to recover faster

Destry Winant destry at riskbasedsecurity.com
Tue Jan 29 07:02:44 EST 2019


https://www.helpnetsecurity.com/2019/01/28/accepting-that-your-network-will-get-hacked/

As anyone in the network security world will tell you, it is an
extremely intense and stressful job to protect the corporate network
from ever-evolving security threats. For a security team, a 99 percent
success rate is still a complete failure. That one time a hacker,
piece of malware, or DDoS attack brings down your organization’s
network (or network availability) is all that matters.

It’s even more frustrating when you consider that the proverbial ‘bad
guy’ sitting in the basement of his mother’s house can spend less than
$1,000 USD on a computer and malware and bring down a network that you
have spent millions of dollars on state-of-the-art equipment to
protect.

So, what’s the answer? It comes down to two things – prevention and
acceptance. Security teams must continue to prevent security attacks
while also accepting the reality that the network will eventually get
breached. This doesn’t mean accepting the role of victim. Network
security resilience as a concept is focused on this endeavor. It asks
the question, once an attack has been successful, how can you make
your network more resilient to limit the damage that a bad actor or
malware can do in the future?

Successful implementation of network security resilience relies upon
making a fundamental shift in both security strategy and mindset.
Organizations cannot expect to see the benefits if they don’t embrace
change. However, change is easier said than done. It seems like many
security engineers, architects and CIOs are caught up in a philosophy
that is primarily focused on prevention. So how can you start the
shift towards resilience? There are three simple tenets that must be
embraced. They are as follows:

- Accept the Network Security Resilience concept
- Accept the belief that you can make real changes
- Commit to making the change.

First, security teams need to accept that it is not a question of if,
but when your network will be breached. While prevention should always
be a key security architecture goal, a resilient strategy focuses on
recognizing the breach, investigating the breach, and then remediating
the damage as quickly as possible. While the concept is
straightforward, it can feel like there is an “arms race” that requires you to
spend all of your security budget to continually upgrade defenses.
This threat is real, but teams also need to set aside some budget for
security resilience.

If budget is truly a problem, it may be that you can put together a
plan to convince your Chief Information Officer (CIO) or Chief
Information Security Officer (CISO), that the security risk is real to
your company’s personally identifiable information (PII) and that you
need some extra budget to remediate the risk.

The average amount of time it takes to identify a data breach is 197
days, according to a 2018 study conducted by Ponemon Institute. A
second data point reveals that over half of victimized companies never
discover the breach themselves—they are informed by law enforcement,
business partners, customers, or someone else (according to a 2018
Trustwave report). Meanwhile, 87 percent of breaches occur in just
minutes, a 2018 Verizon DBIR found, meaning that finding and
responding to breaches quickly is imperative. So, a rapid response can
have an effect and limit the exfiltration of some, or maybe even all,
personally identifiable data. Limiting this data exfiltration is what
will limit the cost of a breach because it limits the company’s
liability – no data loss means no fines and no public reporting of the
incident.

The second step toward network security resilience is to overcome any
pessimism in order to make positive change in this area. Some people
get caught up in the mindset that there is nothing they can do that
will be effective, so why waste the time. This mindset is often
cleared up once a breach happens, PII is stolen, the company is
faulted for their lack of prevention techniques, fines are then
assessed by government agencies (like the FTC and HHS departments in
the United States), and lawsuits are filed against the company.
Unfortunately, a mindset change at this point is too late.

The implementation of changes to the network that can increase
resiliency is definitely possible. If the average length of time from
intrusion to detection is 197 days, then there are definitely some
“low hanging fruit” improvements that can be made to reduce that
amount of time.

The third thing that organizations must do is to act on the change.
There are always new tools to implement, but you need to make a
“planned” start. The reason I say planned is that while there are
several things security teams can do, they need to follow through on
the new processes. Some activities require less effort than others, if
implemented correctly.

For instance, application intelligence with geolocation can be used to
expose indicators of compromise. Consider the example that there is
someone in Eastern Europe accessing your FTP server in Dallas and
transferring data back to the Eastern Europe location. If you have no
authorized users in that geographic area, there is a good chance that
your network has been compromised and you should act on that
immediately. However, you need the setup and inspection of that data
to be easy in the first place. This typically requires some sort of
dashboard that can quickly and easily expose the relevant
information—no log file inspections, no manual correlation of data
points on your own, etc. Any manual activities like that will
slowly kill the use of any resilient tactics, unless you have the
staff for this kind of activity.

Another simple tactic is the use of a threat intelligence gateway that
blocks the exfiltration of data to known bad IP addresses. The trick
here is that you need a gateway that has constant updates that are
easy to load. This gives you a formidable defense that does not
consume an exorbitant amount of your time.
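The geolocation check from the FTP example and the known-bad-destination block from the threat intelligence gateway paragraph, as one added example that is not from the article: it runs over a few constructed FTP session log lines using a constructed CIDR-to-country table, a constructed threat feed (BAD_IPS) and an assumed set of authorized countries, and returns the events a dashboard should surface.

```python
import ipaddress

# Constructed geolocation table: CIDR -> country code (hypothetical values).
GEO_TABLE = {
    "203.0.113.0/24": "US",   # Dallas office ranges (constructed)
    "198.51.100.0/24": "UA",  # an Eastern European range (constructed)
    "192.0.2.0/24": "DE",
}
# Constructed threat-intelligence feed of known-bad destination addresses.
BAD_IPS = {"198.51.100.77", "192.0.2.200"}
# Countries where the organization has authorized FTP users (assumption).
AUTHORIZED_COUNTRIES = {"US"}

# Constructed FTP session log: timestamp, direction, peer IP, user, bytes.
SAMPLE_LOG = """\
2019-01-28T10:01:02Z inbound 203.0.113.45 user=alice bytes=1200
2019-01-28T10:05:17Z inbound 198.51.100.77 user=svc_backup bytes=950000
2019-01-28T10:06:40Z outbound 198.51.100.77 user=svc_backup bytes=48000000
2019-01-28T10:09:00Z outbound 192.0.2.200 user=bob bytes=3000
"""

def geolocate(ip):
    """Return the country code for ip from the constructed table, or 'XX'."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return "XX"

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, direction, ip, user, byt = line.split()
    return {"ts": ts, "dir": direction, "ip": ip,
            "user": user.split("=")[1], "bytes": int(byt.split("=")[1])}

def find_indicators(log_text):
    """Return (reason, peer_ip, bytes) tuples worth showing on a dashboard."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        country = geolocate(ev["ip"])
        # Peer in a region with no authorized users: likely compromise.
        if country not in AUTHORIZED_COUNTRIES:
            alerts.append(("unauthorized-geo:" + country, ev["ip"], ev["bytes"]))
        # Outbound transfer to a feed-listed address: what a gateway would block.
        if ev["dir"] == "outbound" and ev["ip"] in BAD_IPS:
            alerts.append(("known-bad-destination", ev["ip"], ev["bytes"]))
    return alerts
```

The byte counts on each alert are what make the 48 MB outbound transfer stand out from the small inbound logins.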

When you put these facts together, you have a solid approach. Invest
in the right set of capabilities that let you know that you have, in
fact, been breached and implement those capabilities so that you know
in a reasonable amount of time. Six months is not reasonable and even
one month is probably too long. At the same time, you do not have to
know within seconds or minutes (although that would be very nice). You
pick that interval.

Network security resilience is a concept focused solely on this
endeavor. It is all about trying to minimize corporate risk and the
cost of a breach. The intent is to create a solution that identifies
indicators of compromise and gives you actionable information to get
the network back up and running (after a breach has occurred) as fast
as possible.

Unfortunately, security teams will never achieve full peace of mind.
There will always be new hackers, new malware and new security threats
to a network. But by adopting a strategy focused on network security
resilience, you’ll be taking an approach that will help to limit the
damage of a breach and learn from it in the future.
