Cybersecurity coverage has taken an odd turn. In the not-so-distant past, when a data breach occurred, journalists would zero in on the kinds and amounts of data that were stolen, and the amount of reputation and bottom-line damage the breach would likely result in. Lately, though, the focus has shifted to who perpetrated the breach rather than how it happened.
That’s all well and good, because it gives the organisation that suffered the breach the necessary breathing room to establish the scope of the breach and mitigate the causative vulnerability. So, when the media are doing their level best to assign blame and your network has been hacked, don’t be distracted. Here are five questions that are more important to ask than who was responsible:
1. “How did the attackers get in?”
You need to begin root cause analysis immediately: determine whether the breach originated internally or externally, and whether it was intentional or accidental. Was it a hacker out to steal sensitive data, or simply a careless employee? To make these determinations, it’s incredibly important to have continuous monitoring and real-time network visibility in place before the breach. If security managers have an up-to-the-minute view of the trustworthiness of every connected device, they have a better chance of pinpointing the chinks in the armour. Equally important, if your logs are based on continuous monitoring rather than periodic (and constantly outdated) monitoring, they are much more likely to reveal the attacker and the means by which they were able to breach the network.
2. “What was lost or stolen?”
The time it takes to establish the scope of a data loss can be excruciating. It’s especially painful when a data breach affects consumers. If you can quantify the damage with speed and confidence, the breach will cause less harm in the long run. Notify affected users and management about what happened and what you’re doing about it. Also, alert the proper authorities. Know in advance the government mandates that apply to the type of breach you’ve experienced, and take the appropriate actions to comply with regulations.
3. “How can we fix this?”
Mitigating the damage is more important than placing blame, and speedy remediation is dependent on good visibility. The faster you can see and determine the size of the hole in your safety net, the faster it can be repaired. Companies have a clear fiscal incentive to minimise downtime, so this element is critical to running a profitable business. If you haven’t already created an incident response team composed of operational IT as well as representatives from various business units, do so as soon as possible. You’ll want ideas from all corners of the organisation, as well as buy-in across the board when a mitigation plan is put into action. Lastly, anticipate the questions that will undoubtedly come your way from the media and all concerned parties, and prepare answers in advance.
4. “What can we learn from this?”
In the vein of “Fool me once, shame on you; fool me twice, shame on me,” cyber defences must evolve intelligently, automatically and rapidly to prevent the same tactic from working twice. Pragmatic, real-world defence depends not on making a network impenetrable but on making it so challenging to crack that most attackers will eventually move on to easier targets. To that end, be as proactive as possible. Take a multi-layered approach to network defence that includes conventional components such as antivirus and firewall as well as endpoint protection that can limit the potential for malware to penetrate the network through known and unknown devices. Integration of your security systems is critically important. If your security systems are siloed, they’re not sharing information and automating workflows for effective defence and rapid response.
5. “Is the threat actually eliminated?”
Once a breach has been detected, tremendous energy is put into assessing the extent of the impact and stopping the damage. However, without proper visibility, most companies are left wondering if they are still being breached—that is, whether the attackers left undiscovered backdoors that will allow them back into the company’s systems later when everyone goes back to business as usual and vigilance is reduced. The only way to be confident that the threat has been eliminated is to obtain the necessary network visibility, and never let your guard down.
Though trying to hunt down the culprits may seem more exciting, asking these five questions—which is more complex and time-consuming—zeroes in on the key information needed to mitigate and prevent cyberattacks.
There’s something very satisfying about solving the riddle, finding the perpetrator and bringing him or her to justice. But these efforts are largely wasted in the world of cybercrime. It’s far more productive to channel your energy toward looking into the network for a fuller understanding of how the attack occurred, what was taken and how the damage can be fixed as quickly as possible. Next, make sure that the criminals can’t get back in and set up such impenetrable defences that they don’t want to try to get back in. Don’t be distracted by the relative glamour of finding the attackers. Answering the five questions above is the ticket to stronger network defence.
Pedro Abreu, senior vice president and chief strategy officer at ForeScout