Written By Harlan Carvey, Director of Intelligence Integration, Nuix.
The cybersecurity industry tends to focus its attention on what to do after a breach or a hack occurs. After all, this is the topic of discussion for the media, or for an organisation’s partners and customers: “What does the victim do now?” But shouldn’t we be at least as interested, if not more so, in what the organisation should be doing before a breach ever occurs? This is how we came up with the term “left of breach” – meaning before the breach takes place.
It is widely agreed within the industry that data breaches are inevitable. It won’t be long before the media outlets give us another Equifax, Three, Deloitte or Wonga (to name but a few) – and demonstrate the potentially irreversible damage a breach can do to the organisation concerned.
As the stories of these breaches emerge, we continue to see organisations remaining right of breach for far too long; that is, in pure reactive mode, panicking and scrambling to collect information that may no longer exist – often days, weeks, or even months after the breach occurred. So, what exactly does this look like in practice?
Living right of breach
The first step to understanding the difference is learning what to expect if you choose to remain right of breach…
A sense of panic and dread
It’s only natural that, upon learning that your organisation has been breached, a sense of dread will begin to fall over any business leader. There is a correct way to react, but because you’re living “right of breach”, you begin to panic and scramble for answers. What resources or assets have been compromised? Very often you can’t find the data you need to inform legal counsel and senior executive decisions, because of inadequate incident preparation. Combine the lack of planning with a lack of experience and the overwhelming requirement to report to compliance and regulatory bodies, and the result is pandemonium.
The end result is that a breach becomes wildly expensive for any organisation – not just in terms of litigation, but in terms of brand reputation, where the effect can be devastating even for the largest of conglomerates.
Regulations and notifications
Depending on where your organisation is based, you will be held accountable to any number of compliance requirements and regulatory bodies. One such regulation that centres on breach notification is the EU’s General Data Protection Regulation (GDPR). Organisations whose business operations are predominantly based within the European Union (EU) have no choice but to pay attention to the regulation when it comes into effect in May of 2018. After all, if they choose to ignore it, they could face significant fines for noncompliance. These fines are the greater of €20 million or 4% of the organisation’s global gross revenue. The time and money spent on compliance is surely the preferable option for organisations operating within the EU.
To the left, to the left
Now that we understand a little more about the costs of being breached, let’s turn our attention to the benefits of staying in that ideal left of breach posture, and some ways to remain there.
Plan for the worst, hope for the best
If you plan for incidents to occur, that is, if you run your organisation “left of breach”, you can budget for the costs of planning and implementing your security strategy. Yes, there are one-time start-up costs and annual upkeep or maintenance costs, but all of these become part of budget planning, and hence of the annual financial planning process.
By taking this approach, you can detect breaches much earlier in the threat lifecycle, which removes a great deal of the costs resulting from a breach. Through early detection and remediation, you avoid the costs of notification and the legal fees for subsequent lawsuits.
More importantly, if you’re only responding to a breach many months after the fact, it can be very hard to say definitively what data was compromised. Detecting and halting the breach before the attacker can access sensitive data means you won’t have to deal with notification costs.
Why early detection is the way forward
When you build your infrastructure with visibility in mind, you naturally learn a fair bit about what’s going on inside your virtual walls. You begin seeing a great deal of the activity that’s occurring on your systems, both long-running and short-lived processes. As you begin monitoring your systems, even the most basic filters for process activity will surface suspicious activity.
This sort of visibility, particularly when coupled with system hardening and audit configuration, inherently leads you to understand and detect suspicious activity, as well as outright breaches, much earlier in the threat lifecycle. Rather than learning from an external third party that you’ve been breached, you detect the breach before the attacker can access sensitive data. As such, you can then state definitively that sensitive data was not accessed in your report to your compliance oversight body.
Endpoint visibility and monitoring tools allow organisations to detect the presence of malicious actors much sooner within the breach cycle. This in turn allows security teams to identify the adversary’s entry point and respond with a planned approach before the adversary establishes a foothold within the IT infrastructure.
Getting to the left of breach
Getting left of breach means configuring your systems appropriately for your infrastructure and then using them for visibility.
When I say configuring your systems, ask yourself questions like:
- Why is our DNS or DHCP server running a web server and Terminal Services?
- Should both of those be accessible from the internet?
- Are our systems configured to provide only the necessary and defined services, and are those systems and services patched appropriately?
The purpose of system configuration is to reduce your potential attack surface, making it harder for cybercriminals to gain access to systems by forcing them to change the methods they use to attack your organisation.
Enabling endpoint visibility and monitoring the information collected allows your organisation to capture a complete record of an adversary’s access to your network. The appropriate application of threat intelligence allows you to filter out the vast amount of “normal” activity within your infrastructure that is indicative of day-to-day business, and alert on activity associated with dedicated adversaries. This process gives you the ability to quickly filter through massive amounts of data and focus on just those relevant activities. The same is true for insider threats as well as a wide range of other security issues.
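As an added illustration (not code from the article or from Nuix) of what a “basic filter for process activity” and a role-based configuration check look like together: constructed process-start records are compared against a hypothetical per-role baseline of expected images, so routine activity drops out and a web server or interactive Terminal Services session on a DNS or DHCP box is the line that remains. The host roles, baseline sets and image names are assumptions for the example.

```python
# Added example: allowlist filter over process-start telemetry.
# Roles, baselines and sample events are constructed, not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    role: str     # server role such as "dns" or "dhcp"
    parent: str   # image name of the parent process
    image: str    # image name of the process that started

# Hypothetical per-role baselines of expected process images; in practice
# this is derived from your own hardened, known-good systems.
BASELINE = {
    "dns":  {"services.exe", "svchost.exe", "lsass.exe", "dns.exe"},
    "dhcp": {"services.exe", "svchost.exe", "lsass.exe"},
}

# Images that signal a service with no place on an infrastructure server:
# an IIS worker process and the clipboard helper spawned in an RDP session.
OUT_OF_ROLE = {"w3wp.exe", "rdpclip.exe"}


def classify(ev, baseline=BASELINE):
    """Return (severity, reason) for an event, or None if it is expected."""
    expected = baseline.get(ev.role)
    if expected is None:
        return ("medium", "no baseline for role; cannot judge normality")
    if ev.image in expected:
        return None
    if ev.image in OUT_OF_ROLE:
        return ("high", f"{ev.image} is a service outside the {ev.role} role")
    return ("medium", f"{ev.image} not in {ev.role} baseline")


def filter_events(events, baseline=BASELINE):
    """Keep only alerts as (event, severity, reason); drop normal activity."""
    alerts = []
    for ev in events:
        verdict = classify(ev, baseline)
        if verdict is not None:
            alerts.append((ev, *verdict))
    return alerts

# Constructed sample telemetry standing in for thousands of routine events.
SAMPLE = [
    ProcEvent("dns01", "dns", "services.exe", "dns.exe"),
    ProcEvent("dns01", "dns", "services.exe", "svchost.exe"),
    ProcEvent("dns01", "dns", "services.exe", "w3wp.exe"),     # web server on DNS
    ProcEvent("dhcp01", "dhcp", "svchost.exe", "rdpclip.exe"), # RDP session on DHCP
    ProcEvent("dhcp01", "dhcp", "services.exe", "svchost.exe"),
    ProcEvent("fs02", "file", "services.exe", "svchost.exe"),  # role never baselined
]

if __name__ == "__main__":
    for ev, sev, why in filter_events(SAMPLE):
        print(f"[{sev}] {ev.host}: {ev.parent} -> {ev.image}: {why}")
```

Six events reduce to three alerts; the two high-severity lines are exactly the “why is our DNS or DHCP server running a web server and Terminal Services?” question answered from telemetry rather than by inspection.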
It comes down to the saying “An ounce of prevention is worth a pound of cure.” Of course, you can justify spending large sums of money and time by waiting for a breach to occur. Once that happens, what choice do you have? Isn’t it better to take the time, money, and energy to focus on staying “left of breach”, rather than suffering from the enormous costs (financial, legal, brand) associated with being “right of breach”? Chances are your stakeholders and investors will thank you in the long run when your organisation is breached.