Anticipating the Breach

Transcription

1 Anticipating the Breach What to do before, during and after an attack. CONTENTS Before... 2 During... 3 After... 4 Conclusion... 5 Brought to you compliments of Security incidents may be inevitable, but the consequences of a data breach don t have to be. The most egregious breaches today are often the result of a lack of early detection, security readiness and timely response. When organizations fail to integrate their people, processes and technology, they are limited in how quickly they can detect and respond to an incident and keep it from becoming a breach. The result? Increased risk for every security incident they face. Organizations need to move to a proactive cycle of preparation, detection and response. This means organizations have to stop simply throwing technology at the problem. They need to do more than react from the hip to incidents after they learn of them and instead take a holistic approach that addresses the before, during and after stages of a potential breach. A TECHTARGET WHITE PAPER

2 Before Prepare early and often: A sound incident response program is key to making sure an organization is ready for a breach scenario before a security incident occurs. While many organizations may believe they have a breach plan in place, it is usually a manual that has never been tested. Preparation isn t just a checkbox document that s developed once and collects dust thereafter. It s a living program that is fed by a number of factors throughout the preparation and response cycle. An organization should find ways to build, test and refine its program so that everyone executing planned practices during and after a breach have so thoroughly mastered them that it becomes like muscle memory for how they ll react in a real incident. This ensures that all the right cross-functional teams know what to do as soon as the alarm bell rings so they can react quickly and effectively. Organizations shouldn t develop policies in a vacuum. As incidents occur in the future, organizations will take those lessons learned and feed them back into their response program. Build an effective team: It might be challenging to find security professionals with the necessary skills and experience, but it is crucial to develop a team that can execute when things go wrong. Organizations should make it a priority to continually develop and grow their people by assessing their skills, identifying gaps and training them in an innovative manner. The more leadership can keep the preparation process engaging and even make it a team-building experience, the better it can help response teams work smarter. As a part of that development, provide security teams with a safe learning environment to better understand how attackers think today and get operational experience. This helps them to better understand attacker motives, tools and tactics and gain the knowledge to help prevent, detect and respond to incidents more quickly. Integrate global intelligence: As today s adversaries continue to use more sophisticated tools, tactics and procedures to infiltrate an organization, security teams and executives need to be continually kept up to date and aware of global adversary trends and campaigns. Organizations should create a defined intelligence program that informs security executives, monitoring teams, and incident response teams of current and emerging threats with enough time to effectively assess risk and implement countermeasures. This actionable intelligence ultimately helps organizations be proactive rather than always reacting. Institute real-time monitoring: Threat actors don t take breaks and they don t work within any specific time zone, which is why constant vigilance is necessary to quickly detect and respond to incidents. Organizations need to monitor for threats 24/7/365. Leaders should ask themselves: 2

3 Do they have the right infrastructure in place and are they properly staffed around the clock to detect advanced threats? Is their monitoring team armed with both technical and adversary intelligence to help them detect and respond to attacks faster? Do their incident response teams have a clear line of site into their monitoring team so that when an incident occurs, knowledge is shared for faster response? Are they armed with relevant threat intelligence to help them contain and eradicate the threat? Consider cyberinsurance: Organizations realize the risk of data breaches can never be 100% mitigated. When a breach occurs, organizations are required to comply with various breach notification laws, especially across the United States and European Union. To offset the financial risks associated with the consequences of a breach, businesses are now augmenting their security programs with cyberinsurance policies. Businesses should work with their brokers and discuss how measures to address security readiness, threat detection and incident response may reduce their policy premiums. During The faster an incident is detected and prioritized as critical, the faster resources can be allocated and response activities can begin. The speed of detection during a security event can make the difference between a minor incident and a major breach. Today s adversaries execute attacks not only on a broad basis, preying on vulnerable users and unpatched infiltration points, but also with focused, targeted activity. The low-and-slow attack has become quite effective. Attackers are able to use zero-day exploits, hacker toolkits, social engineering attacks and other sophisticated tactics to evade detection and eventually exfiltrate data without notice. In fact, many attacks go unnoticed for months or even years. And once a threat indicator is made known to the public, sophisticated threat actor groups often will change their tactics and infrastructure. This is why organizations need more than perimeter-based security measures. They need people, technology and processes to be integrated to enable faster detection earlier in the kill chain. Threat intelligence feeds security technologies and arms SOC and NOC teams to relevant current and emerging threats. On the other hand, these teams need to actually know how to consume this intelligence to assess risks and prioritize resources. Apply intelligence: Threat intelligence can help inform an organization of global and industry-level trends and campaigns that may be targeting them and offer insight into what assets the threat actor might be after. With the right level of global intelligence, organizations can be put on the offensive and actually hunt for indicators within their environment. Making decisions based only on knowledge of the activity within an organization s 3

4 environment is only looking at a fraction of the picture. Organizations need to understand and apply intelligence on the global threat landscape both technical and adversary intelligence. Being informed that there s a campaign targeting an industry is only the beginning. Organizations need to know details around the campaign: the person, group, or nation-state that is behind the campaign; the name of the malicious file that the attack group is using; phishing subject lines, hashes, and addresses being used. This helps organizations to detect threats faster. This is the type of intelligence that is useful to share with security teams so they can hunt effectively. Detect threats early: Who will apply this threat intelligence? Technologies can detect known threats but the amount of event logs created by said technologies can reach hundreds of thousands a day. How do security teams know which to actually investigate and take action on? Organizations who have suffered tremendously often realize that they actually did see the indicators there were just too many alerts to know what was truly critical. There needs to be a way to prioritize alerts and focus on the critical few. Some organizations build this ability internally by purchasing intelligence and a multitude of advanced technologies and then hiring a monitoring team, an intelligence team, a response team and more. And since threat actors don t keep office hours, monitoring teams especially need to be actively working 24/7 and this can be costly. This is why many organizations look to create relationships with third-party partners who can complement and extend the technical and human resource capabilities of their own security programs. This partner should provide active 24/7/365 global monitoring and analysis via automated systems and skilled analysts to match the global threat activity with events occurring within the customer s environment. Can monitoring proactively look for known indicators or refer to historical log data to identify a targeted attack? Teams need to be able to prioritize events within the environment how do they know what is truly critical? When questions arise, you actually want to be able to pick up the phone and talk to the same familiar voice as if they were within your own company walls. After It s inevitable that incidents will occur, and when they do, it s imperative to act quickly and effectively. The goal of the response team is to contain and remediate as quickly as possible so an incident does not result in a breach. Attackers, while driven by different motives, most frequently are trying to exfiltrate data for financial gain, trade secrets or a competitive advantage. 4

5 Often they take extended periods of time to do this, so for organizations that have developed that muscle memory as part of their readiness preparation, it becomes much easier to put the incident response plan into action effectively. With the right people identified and in place, and with the processes tested and already refined, response time is much quicker. When a response team is activated to investigate the validity of a potential breach or to respond to a known critical intrusion, these teams are often in discussions with their cyberinsurance team, their lawyers, and usually outside experts for improved understanding of and visibility into the attack. Once an incident occurs, response teams need to act right away without worrying about legal and contract terms, working out service level agreements, or working through access and clearance details. If an organization is in the beginning of response activity or realizes they need assistance part way through, getting external support is more costly in these emergency situations than if they had an incident response partner on retainer to begin with. Once that plan is put into action and the dust has settled, it is time to do a post-mortem, have a final executive briefing, and incorporate lessons learned to refine the security program and the response plan for future incidents. Doing so effectively closes the loop for continual readiness program improvement. Conclusion Organizations need to think beyond the perimeter and expand their security program past exclusive heavy reliance on technology. Symantec can help organizations of all sizes and across all industries globally to combat today s sophisticated adversaries. By becoming an extension of an organization s security team, Cyber Security Services can help organizations attend to the before, during and after stages of an incident and reduce the business impact of an attack while ultimately improving their ability to anticipate and prevent a breach from happening. To be effective, a security program needs integrated people, processes and technology. Symantec Cyber Security Services becomes an extension of an organization s security team and is backed by over 500 experienced global cybersecurity professionals. This portfolio enables organizations to proactively get ahead of emerging threats and keep incidents from turning into breaches. DeepSight Intelligence follows hundreds of thousands of adversaries around the globe to provide a deeper understanding of modern malicious actors and their tools, tactics and procedures. Organizations need both technical and strategic adversary intelligence to become predictive and get ahead of emerging threats. 5

6 Managed Security Services keeps an organization focused on critical threats via 24/7/365 global threat monitoring, hunting and analysis by a designated team of cyberwarriors across SOCs in Europe, Asia and North America. Incident Response provides incident readiness and response plan development activities to prepare teams and processes before an incident occurs. Once compromised, experienced response teams are deployed to contain and eradicate a threat and keep incidents from turning into breaches. Security Simulation provides a live-fire, multistaged training experience that instills operational knowledge of today s sophisticated attacks. Exercises are available via a cloud-based virtual experience and as a one-day, onsite instructor-facilitated workshop. In summary, the goal is to reduce the time between detection and response and limit the business impact of any cyberthreat. To enable fast and efficient detection and response, an organization must establish the preparation and readiness of its security teams and response programs before an incident occurs. Symantec can help develop the critical operational experience necessary to combat advanced threats and work with organizations to develop their incident response programs. Before and during an attack, Symantec provides real-time monitoring and advanced threat-hunting services that can help pinpoint attacks 24/7/365, particularly when analysts are armed with timely and relevant threat and adversary intelligence. After the attack, Symantec can help organizations work with speed and precision to contain and mitigate a threat and restore operations back to normal. Lessons learned from these activities are fed back into the overall security program and are used to refine the incident response program. Threat and adversary intelligence should be a core component of any customer s security program to enrich security technologies and arm security teams to better assess the risks of threats, implement countermeasures and respond more efficiently. A holistic approach to security that incorporates people, technology and global threat intelligence will help organizations to be more resilient to attacks, and move from reactive to proactive to get in front of emerging threats. 6