Do your attackers know your network better than you?
Cyber crime is a lucrative business. In fact, to make the cyber attack as profitable as possible and to minimize the risk of getting caught, attackers and black hat hackers take their time and will in most cases investigate their potential target before they go in for the steal. They comprehensively study the network with the aim to find weak spots which could be exploited, and they could even go as far as to spy on key personnel and study their behavior on the corporate network to find loopholes and thus a way in.
While attackers have the advantage of time on their side, organizations must adopt strategies to be forward thinking and to identify any ‘weak spots’ before an attack occurs. In short, they need to take proactive measures to understand their network better than their attackers.
Know where your data is
First and foremost, it is crucial for organizations to fully understand where data is. Ensure that data maps are up to date, that all data repositories have the correct audit and control polices and that above all, you fully understand where the most critical data is stored. Further, ensure that all the correct policies such as data access, data governance and data protection have been implemented, as well as ensuring that these policies are enforced in a controlled sense.
For example, if the organization’s “crown jewels” in terms of their data is their Intellectual Property, client or Personally Identifiable Information (PII) / PCI data or financially sensitive information, it is imperative that the organization and the IT team / CIO not only fully understand where that data is, but also have insight on who has access to it, and how to fully protect it.
Know your Incident Response fire drill
Once all the data entry points have been established, the next step would be to fully understand the organization’s incident response policies, as well as the plan that should be followed in the event of a cyber security incident. One important factor to bear in mind is that not all security events are equal and it is vital for organizations to classify different types of incidents so that the response that is activated is in line with its scope and severity.
Unfortunately, this is an area where many organizations struggle. It means that they may not be able to respond to that specific incident within the appropriate time frame, or that a team may not be drilled in the correct procedure to follow.
For example, an attack that occurs as a result of malware planted in the corporate network requires an extremely different approach to one in which an employee has exfiltrated confidential corporate data. Of course, in both cases, the organization would need to investigate the actual exposure of the attack. However, if the risk is determined to be relatively low, the relative response may be to close the loophole and remediate the specific issue. On the other hand, in higher risk situations where employees or customers may be involved, the response team and the response would be completely different and the organization may experience financial loss or reputational damage.
Don’t count on security alerts – start looking before they come in
Although there are many tools and technologies readily available today to help organizations detect data breaches, it is important that organizations become proactive in their understanding to determine their capabilities of handling the vast amount of security alerts, as even the best perimeter defenses only tell half the story.
On any given day, there will be countless security alerts coming in from the firewalls, intrusion detectors, DLP tools and other systems – however, these mainly arrive once the damage has been done. Worryingly, in many cases, the real security risks, worthy of further investigation, may get lost in the mountains of incoming security alerts and the organization will continue to be in the dark about the breach. This can be exacerbated by the fact the once a risk is identified, the team may not have the ability to view the status of the various end points.
Yet it is this insight into how the endpoints have been infected which will enable the organization to take appropriate responsive steps. For example, a security team may mistake malicious activity for a software update that they were not aware of and which would not raise any alarms, in the normal course of day to day operations.
By understanding the corporate environment, and having an active view of the “crown jewels”, organizations will spot behavioral changes within their environment and identify an acceptable “baseline” if any changes occur.
Once these processes are well managed, organizations can correctly categorize the various security alerts, qualify them, and understand how to respond appropriately.