
Cyber crime: How to stay one step ahead

By ISBuzz Team | March 18, 2015 | Updated: July 3, 2024 | 5 Mins Read

These days, cyber crime is a lucrative business. Cyber criminals take their time to investigate a potential target before they go in for the steal, to make the attack as profitable as possible and to minimise the risk of getting caught. They look for weak spots in the corporate network and defences that they can exploit, and they really do their homework before they attack.

In most cases, organisations may not even realise that they have been attacked, and it could be months before they detect and remediate the breach. In fact, according to recent research, 71% of victims did not detect a breach themselves; it was identified by third parties. Worse still, the median number of days from the date of the initial intrusion to the date of detection was 87, meaning that half of compromise victims became aware of a breach within approximately three months of the initial intrusion. The damage that can be done over three months is unfathomable. (Source: Trustwave Global Security Report 2014)

So in order for organisations to stay one step ahead of attackers, who have the advantage of time on their side, it is crucial to adopt strategies to identify weak spots and take proactive measures to understand their network better than their attackers.

Do you know where your data is?

A number of high-profile data breaches made headlines recently, such as the one at TalkTalk’s supplier and the compromise of POS system supplier Nextep, highlighting the fact that cyber criminals are after organisations’ data. An organisation’s “crown jewels” could be its intellectual property, client data or Personally Identifiable Information, or financially sensitive information. It is therefore imperative that the organisation and the IT team / CIO fully understand not only where that data is, but also who has access to it. Only then will they be able to understand how to protect it accordingly.

Practice makes perfect

Not all security events are equal, so organisations need to classify different types of incidents so that the response that is activated is in line with the incident's scope and severity.

For example, an attack that occurs as a result of malware planted in the corporate network requires a very different approach from one in which an employee has exfiltrated confidential corporate data. Of course, in both cases, the organisation would need to investigate the actual exposure of the attack. However, if the risk is determined to be relatively low, the appropriate response may be to close the loophole and remediate the specific issue. On the other hand, in higher-risk situations where employees or customers may be involved, the response team and the response would be completely different, and the organisation may experience financial loss or reputational damage.

Unfortunately, this is an area where many organisations struggle. It means that they may not be able to respond to that specific incident within the appropriate time frame, or that a team may not be drilled in the correct procedure to follow.

Security Alerts – Stay one step ahead

Although many tools and technologies are readily available today to help organisations detect data breaches, it is important that organisations proactively determine their capability to handle the vast number of security alerts, as even the best perimeter defences only tell half the story.

On any given day, there will be countless security alerts coming in from the firewalls, intrusion detectors, DLP tools and other systems. However, these mainly arrive once the damage has been done. Worryingly, in many cases, the real security risks, worthy of further investigation, may get lost in the mountains of incoming security alerts, and the organisation will continue to be in the dark about the breach. This can be exacerbated by the fact that once a risk is identified, the team may not have the ability to view the status of the various endpoints.

Conclusion

By understanding the corporate environment, and having an active view of the “crown jewels”, organisations will be able to identify an acceptable “baseline” and spot behavioural changes within their environment if any occur.

Once these processes are well managed, organisations can correctly categorize the various security alerts, qualify them, and understand how to respond appropriately.

By Nick Pollard, Senior Director, Professional Services EMEA & APAC at Guidance Software

About Guidance Software

Founded in 1997, Guidance Software is recognized globally as the world leader in e-discovery and other digital investigations. Our EnCase® software solutions provide the foundation for corporate, government and law enforcement organizations to conduct thorough and effective computer investigations of any kind, including intellectual property theft, incident response, compliance auditing and responding to e-discovery requests, all while maintaining the forensic integrity of the data. We also offer customized services in e-discovery, incident response, computer forensics, evidence presentation and trial testimony, using a team of former law enforcement professionals, e-discovery and litigation support experts, information assurance specialists and project managers who have front-line, hands-on experience in all areas of digital investigations. Guidance Software trains more than 6,000 corporate, law enforcement and government professionals annually in the areas of computer forensics, enterprise forensics, e-discovery, and computer incident response. Courses and materials are offered in a variety of languages in Guidance Software facilities worldwide, through partners and online. Our customers are corporations and government agencies in a wide variety of industries, such as financial and insurance, technology, defense, energy, pharmaceutical, manufacturing and retail. There are more than 40,000 licenses of EnCase® technology worldwide. The EnCase Enterprise platform is used by more than half of the Fortune 100, including Allstate, Chevron, Ford, General Electric, Honeywell, Northrop Grumman, Pfizer, UnitedHealth Group and Viacom.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
