Home >> Insights  >>

5 Steps To Enable You To Stare Back In The Face Of A Breech

by Phil Quade, CISO, Fortinet March-2018

It's been famously said that there are only two types of companies: those who know they have been breached, and those who don't know it yet.

Here is what you're up against (not good odds):

* Those who hack for sport: Don't bet that you're smarter than everyone else, that your design, implementation and configuration are error-free. Hackers take that as a personal challenge to prove you wrong.

* The APT: A determined nation state-like organization with time and resources available.

* Equipment failures: Strong security measures that stop working correctly during unusual conditions (e.g., power failures or hardware failures).

* Insider threat: Imposters working for someone else, bitter personnel on their way out or "activist" employees.

* Criminal elements: Those motivated by the almighty dollar, at your expense.

* Accidental compromises: Due to the fallibility of the humans who use and operate the network. 

"How can you be so sure?" is the question I sometimes get when speaking on this topic. But decades of experience breaking other peoples' toys, helping to protect our own and looking at my own broken toy parts have taught me otherwise. Their question is actually an attempt for reassurance in a time of intensifying security uncertainty. It is a Hail Mary pass in hopes that never-ending reports about security breaches aren't guaranteed to decimate their data, exploit their users' personal information, steal what is proprietary and confidential, and leak sensitive secrets.

I would prefer the question inspired would be the far more consequential, What should we do given that inevitability?

Segmentation and Recovery

An organization that has implemented the fundamentals of segmentation to mitigate the extent of an attack's damage will find that they have also reaped an additional benefit: a much more efficient recovery. 

It's a truism that counter-breach strategy starts and ends with segmentation. You use it to prevent compromise to begin with, you use it to restrict the scope of compromise when you are indeed breached, and you use it to reconstitute to a fully operational state post-breach.

That's because access segmentation is essential to the more advanced cyber security protocols of failure recovery, visibility and inspection. So not only will implementing fundamentals prevent threat actors from stealing or destroying their most valuable assets - they also create a network that can safely return to normal operations with far less cost, loss, disruption and downtime.
Simply put, no matter how sophisticated its execution, "clean up on aisle 9" is not a very strong or satisfying cybersecurity posture. And it is definitely not an effective one. 

5 Steps for Dealing with a Breach

Even the most innocuous threat actors (a term as oxymoronic as it is Orwellian)- those more motivated by the desire to wreak havoc for havoc's sake rather than for state-sponsored terrorism or industrial espionage- can leave a dumpster fire where your competitive advantage used to reside.

Here are the five crawl-walk-run things you should do in the face of inevitable breaches:

1. Create an organizational Incident Response Plan, and Exercise it - An IRP plots different scenarios and provides a playbook to follow when a breach occurs. Each breach is different, and there is not cookie-cutter approach, but speaking euphemistically, you don't want to have to learn to fly the plane or fix the engines in a time of crisis.

2. Execute the Security Doctrine of Macro and Micro Segmentation - Give access to systems and data to those who need it, but no one else. Whoever first said, "Don't put all your eggs in one basket" was a cybersecurity visionary. Better yet, practice agile segmentation, a strategy enabled by cutting-edge firewall products, which grants and retracts according to the need in real time. It's not only better for security, but it actually increases business productivity by enabling great collaboration without fear.

3. Regenerate from a Known Secure State - Post-breach, you still need to be able to regenerate to a known secure state. If you are waiting for an attack to serve as a wakeup call, it will be extraordinarily difficult to recover from it (especially from an APT, whose middle name is "persistent"). To confidently recover from a breach, ensure you have a pristine version of your operating systems and configurations for your security architecture. This is the "gold copy" of your security system that is stored securely offline. From that secure beach head, you can get your other operating systems and applications up and running.

4. Measure and Adapt to Changes In Your Resiliency Risk - Agile segmentation, team-oriented cybersecurity strategy over a security fabric and the cloud have made the security concept of auto-resiliency a reality. Today, in the IT world, we measure the reliability of our networks ("How many .9s of reliability do I have?") and make adjustments. We need to steal a page from that playbook and score (measure) the quality of our resiliency posture in real time. A resiliency score will allow you to stay "left of boom" (take actions before a bad thing happens) by, say, clamping down on segmentation, isolating and auditing a suspicious access point, blocking an application's access to the data center, or spinning up new capacity in the cloud.

5. Auto-Regeneration - For the inevitable time when you find yourself "right of boom" (i.e., you were breached), use centrally orchestrated micro and macro segmentation to effectively navigate an attack's aftermath to regenerate, via orchestration, to a known secure point, to return to normal operations quickly and automatically. Since the goal of any threat actor or adversary is persistence-
their efforts are meaningless if simply shutting down a system will stop them- they go to great lengths to ensure that they will still be able to maintain the compromise even after a system has been reconstituted. Auto regeneration, from a known pure platform, has the potential to turn weeks of down time into minutes. 

In a digitally driven and increasingly hyper-connected global business landscape, the potential to reach, engage, influence and inform your most critical audiences, stakeholders, strategic partners, customers and collaborators is giving rise to opportunities never before possible. But that reality also reveals a simple new truth: The more you are able to connect with others, the more others are able to connect with you. As threat actors become increasingly dexterous and experienced, that connectivity can be transformed into a tremendous liability for those organizations that fail to view the new digital business realities from all angles.

 

Facebook