A data breach can have a devastating effect on an organization. According to the Ponemon Institute’s annual Cost of a Data Breach Report, the average total cost of a data breach is now $3.92 million, with an average of 25,575 records being stolen or compromised. But recovering lost data is only part of the equation. Extended downtime can quickly compound costs on an hour-by-hour basis. And more difficult to quantify is regaining lost consumer confidence and damage to an organization's brand, which can take months or years to repair.

Part of the challenge is that modern cyberattack strategies involve new techniques and technologies designed to evade detection. As a result, not only do initial data breaches sometimes go undetected, but the average dwell time of a breach – the time a compromise goes undetected while attackers scan your network and exfiltrate data – is now 209 days. And even then, it can take more than a month to conduct a thorough investigation and completely recover affected systems.

Proper preparation, however, can cut costs significantly. The National Institute of Standards and Technology has identified several critical steps for managing a cybersecurity event as part of the NIST Cybersecurity Incident Response Process, and this should be part of every organization’s cybersecurity strategy. Here are some high-level points to keep in mind for any strategy planning.

Preparing for an incident will eliminate confusion and missteps when, in the heat of a response, things get overlooked and mistakes are made. This starts by identifying your incident response team, which should include not only technical team members and consultants, but also executives, the communications team, members of the legal team, law enforcement, and outside media consultants. Each of these individuals will have critical insights that need to be incorporated into any preparations.

A chain of command across all team members will also need to be established so that incident responses can be carefully coordinated. Each member of the team should not only know their roles and responsibilities, but also the authority they have to make decisions.

In addition to having the right technology in place to detect a breach, other equipment is needed to respond to an incident, and that needs to be identified beforehand. Much of that equipment will need to reside off-network so that it isn't compromised in the case of a ransomware or similar attack. Likewise, regular backups of data and systems need to be available and stored off-network, and routine system and data recovery drills need to occur so that bringing systems back online can be a smooth and seamless process.

To determine which technology will be needed, you also need to understand the kinds of data you have in your environment and how it flows. In addition, you will need to identify any critical business processes, and the assets that those processes ride over. Of course, you can’t protect and monitor everything, so focus on what’s important. Most importantly, determine if any of your data falls under any kind of regulation. Organizations subject to regulatory requirements need to ensure that official processes for documenting and reporting a breach are included in their preparations and strategies.

One of the biggest challenges organizations face is limited visibility across the distributed network. Not only do security tools and anomaly detection systems need to be in place, but they also need to be able to share information to detect events that would otherwise live under the radar. This requires integrated security tools and a centralized system for analyzing and correlating data. Where possible, NOC and SOC operations should be tightly integrated so that security systems have a better opportunity to evaluate network data in real time to detect suspicious behavior.

Once an incident has been detected, your incident response team needs to do the following:

- Quickly determine what data and resources have been compromised or stolen and what critical business processes were affected. You will also need to analyze any systems compromised with malicious software to determine its intent and to glean IOCs, logs, and transactions. This will also tell you whether regulatory requirements need to be addressed. Because of the dwell time for most breaches, all critical data and logs will need to be saved off-line for a minimum of a year.
- Determine whether you need to contact the authorities, including law enforcement and regulatory bodies. This is especially critical for organizations bound by regulatory requirements. GDPR, for example, can exact significant fines for failure to report an incident in a timely manner.
- Preserve evidence in case the incident becomes a legal issue.
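The evidence-preservation and one-year off-line log retention points above, worked as an added Python example (not code from the original post): each collected artifact is hashed and recorded with who collected it, when, the earliest discard date and whether regulated data is involved, and the manifest is re-verified later to detect any alteration. The incident id, collector address, file names and log lines are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # the post: keep critical data and logs off-line for at least a year

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, incident_id, collected_by, regulated, collected_at):
    """Record each artifact's hash, who collected it and when, and the earliest discard date."""
    return {
        "incident_id": incident_id,
        "collected_by": collected_by,
        "collected_at": collected_at.isoformat(),
        "retain_until": (collected_at + timedelta(days=RETENTION_DAYS)).date().isoformat(),
        "regulated_data_involved": regulated,  # feeds the decision to notify regulators
        "artifacts": [{"name": os.path.basename(p), "size": os.path.getsize(p),
                       "sha256": sha256_file(p)} for p in paths],
    }

def verify_manifest(manifest, directory):
    """Re-hash every artifact; return the names that are missing or no longer match."""
    bad = []
    for a in manifest["artifacts"]:
        p = os.path.join(directory, a["name"])
        if not os.path.isfile(p) or sha256_file(p) != a["sha256"]:
            bad.append(a["name"])
    return bad

def demo():
    """Constructed sample: two fake log files; one is altered after the manifest is built."""
    d = tempfile.mkdtemp()
    logs = {"auth.log": "2024-01-01T00:00:00Z sshd: Accepted password for admin from 203.0.113.5\n",
            "proxy.log": "2024-01-01T00:05:00Z CONNECT files.example.net:443 bytes_out=52428800\n"}
    for name, text in logs.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(text)
    m = build_manifest([os.path.join(d, n) for n in sorted(logs)], "INC-0001",
                       "analyst@example.com", True, datetime(2024, 1, 2, tzinfo=timezone.utc))
    with open(os.path.join(d, "proxy.log"), "a") as f:
        f.write("tampered\n")  # simulate post-collection modification
    return m, verify_manifest(m, d)
```

The manifest should be written alongside the artifacts on the off-network media so that the hashes can be re-checked when the evidence is needed months later.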