Don’t Panic: Six Steps to Surviving your First Breach

February 6, 2015 | Joe Schreiber

So you’ve come to terms with the truth of the world; eventually, you’re going to suffer a security breach. Maybe it won’t happen this month, or this year, but as the great sage Tyler Durden so incisively observed,

“On a long enough timeline, the survival rate for everyone drops to zero.”

Getting breached doesn’t determine whether or not you have a good security program in place — but how you respond to one does.


Once you accept that everything that can go wrong will do so at the worst possible time, there are things that can be done today to help rein in the trials of the future — things you can set in place to allow you to expect the unexpected.

Disabuse yourself of any notion that the work you do in network security is “protecting” the company’s assets. Your mission is to analyze how the network can be attacked, with the hope that you can control the battlefield elegantly enough to be able to respond to all attacks adequately. Network security is as much about technology as the game of chess is about little carved figures on a checkered board.

So, thinking strategically, what can be done today and what can be put aside for later? The following are six key actions you can take today to prepare you and your organization, and to help you when your executive team is breathing down your neck for answers they wanted an hour ago.

Organizational duress

It’s not the technical aspects of a security breach that will test you — indeed such events usually give people opportunity to bring the full extent of their skills to bear — but the organizational duress that results. Repeat after me: “Don’t panic!”

  1. Build relationships outside of the IT department

    If you like meeting new faces around the organization, a security breach provides ample opportunity to do so — at the worst possible time. A breach is going to involve personnel from a wide slew of departments: legal, executive, and PR to name the obvious candidates. Having an established channel with these groups and an understanding of how your and their jobs will interact during a security breach can save a lot of rushed drafting of paperwork and tense meetings during a time of crisis.

  2. Get the “I told you so” off your chest now

    We have a notion in information security that the work we do is possibly the most important thing in the company; that without us, the whole organization would fall to its knees, raided by bandits. It’s time to accept some cold, hard facts: there are much greater risks to a company’s operational capacity and profitability than a security breach. Remember, your job isn’t to guarantee this won’t happen but to mitigate the impact when it does.

  3. Comply with regulations, and then go further

    This may be preaching to the choir — we understand that Compliance Is Not Security — but understand that a security control that isn’t monitored is worse than no control at all. An Intrusion Detection System (IDS) that doesn’t have someone actively administering it and looking at the alerts is just another target for intruders to use against you (and one with significant access to all network traffic!). Just because you’re in an industry required to keep all log data for 90 days doesn’t mean you shouldn’t store logs for longer periods. After all, log management should be part of your security solution, and security breaches don’t happen in a matter of minutes — the initial signs of intrusion and its origin may show up in logs from months ago. When you need them, you’ll be glad you kept them.

  4. Give everybody the answers they need, not the answers they deserve

    From end users to executives, the No. 1 priority during a breach is information — information that’s going to take time to acquire. Making clear decisions and acting on them is the top priority during breach discovery and remediation. Give your users clear, absolute answers on why you’re shutting down large portions of the network unannounced, and then do it if that’s what’s necessary. While it’s critical to share information about the incident, it’s more critical to actually investigate it. Consider setting up some type of rapid-response communication to stakeholders to avoid the inevitable time-wasting one-off replies to “What’s the status?”

  5. “When you have eliminated the impossible, whatever remains, no matter how improbable, must be the truth.” - Sherlock Holmes

    The perpetrators of the crime you are investigating are just human beings — it’s unlikely they possess psychic powers, supernatural levels of intelligence or the ability to time travel. During the investigation you will encounter many “How did they do that?” moments. The simplest answer is usually correct. Keep a clear head and stay rational; this is not the time to take a trip down the rabbit hole. What you are trying to unravel in days, the intruder may have taken months to put together, but remember: you have the advantage of being able to work backwards to the beginning of it all.

    This is the time when those checklists of things to cross-examine during more mundane investigation tasks become invaluable. Between the forensics, remediation and information gathering, your sanity will be tested; however, nothing keeps your sanity like a good list of things to reference against, so you know you’ve left no stone unturned, no metaphor unexplored.

  6. Practice makes perfect

    I know this one is obvious, and I don’t intend to insult your intelligence by including it here, but I also know you’ve been wanting to get some bench exercises performed in your security group for quite some time — and yet, it keeps getting postponed in favor of more pressing, real work.

    Stop it, now.

    Your work as a security professional is absolutely *centered* on the inevitability of the worst-case scenario. Why aren’t you preparing for it? Practicing it? Has your company engaged the services of a pen-testing company recently? Did you treat their actions as a breach to be investigated? Did you match what you were capable of detecting and investigating against the report of what they did?

    No matter what it takes, get the practice in now — because when the time comes for points 1–5 to take effect, the last thing you want to be doing is making this all up as you go.

Now, if you could learn everything you needed to know about investigating and recovering from a security breach in a six-point article, those who have been through one would not speak of their experience in hushed, fearful tones. Unfortunately, like many things in life, only going through the real thing is going to prepare you for the next time.

About the Author: Joe Schreiber

Some random dude on the Internet.
