Do you ever have that dream where you're back in college and you've somehow forgotten to attend one of your classes for months? If you fail you won't graduate - yet it is too late to drop the course. Not only are you sweating bullets about passing the final exam, but you've also missed countless other tests and assignments. Throughout the dream, you're kicking yourself: How could this class have slipped my mind? Yet you still find yourself powerless to ever make it to class or study for the exam.
When you finally wake up, you're relieved (and, for a moment, happy your college years are behind you). This dream - or a version like it - happens to many adults who are feeling stressed over something in their lives. And if you're a security professional still dealing with school anxiety dreams many years later, it could be that you're jittery over your organization's ability to handle the all-too-common prospect of a major data breach. And why wouldn't you? According to the Ponemon Institute, the average cost of a breach has now stretched to $3.79 million.
But don't fret: It's not too late to earn a passing grade on your incident response. Just follow these nine valuable recommendations for preparing for and mitigating the inevitable compromise crisis - thus helping ensure you'll sleep at least a little more peacefully at night.
1. Risk Assessments/Gap Analysis
First things first: You need to understand what you're working with and what can give rise to an incident. To do that, focus on three of your biggest assets: your employees, your data and your IT systems. Keep an eye on recently terminated workers who may be holding onto a grudge (as well as the behavior of current staff). Chart where your sensitive data flows and with whom it is being shared. And evaluate the patch and configuration status of your systems and applications, as well as the attack vectors they may expose.
2. Incident Detection
Many companies are getting better at identifying incidents early on, which is helping limit the damage that intruders can do once they breach your perimeter - an increasingly likely proposition. If you're still prioritizing prevention over detection, you could be making a costly mistake. Follow these suggestions to help improve your breach detection capabilities. Remember: It's important to be proactive, including regularly sweeping endpoints across your network for behavior that can indicate an active intrusion is underway - unexpected logon patterns, remote-administration tools showing up where they don't belong, or ordinary applications launching command shells.
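The kind of endpoint sweep described above, as an added example that is not part of the original post: a small Python script that reads a constructed, simplified endpoint log (the format, the host names and every log line are made up for this illustration, not taken from any real product) and applies three detection rules. The rules go slightly beyond the paragraph, covering a burst of failed logons followed by a success from the same source, the installation of a remote-administration service (PsExec's service name is used as the indicator), and an Office application spawning a shell. Thresholds and the lists of process names are assumptions to be tuned for your own environment.

```python
"""Minimal endpoint-log sweep for intrusion indicators (added example).

Log format (constructed for this example): one event per line,
    <ISO timestamp> <host> <EVENT_KIND> key=value key=value ...
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; none of these come from a real system.
SAMPLE_LOGS = r"""
2016-05-01T09:00:01 ws-101 LOGON_FAILED user=jsmith src=10.0.0.55
2016-05-01T09:00:03 ws-101 LOGON_FAILED user=jsmith src=10.0.0.55
2016-05-01T09:00:05 ws-101 LOGON_FAILED user=jsmith src=10.0.0.55
2016-05-01T09:00:07 ws-101 LOGON_FAILED user=jsmith src=10.0.0.55
2016-05-01T09:00:09 ws-101 LOGON_FAILED user=jsmith src=10.0.0.55
2016-05-01T09:00:12 ws-101 LOGON_SUCCESS user=jsmith src=10.0.0.55
2016-05-01T09:03:40 fs-02 SERVICE_INSTALLED name=PSEXESVC path=%SystemRoot%\PSEXESVC.exe
2016-05-01T09:10:15 ws-117 PROCESS_CREATE parent=WINWORD.EXE image=powershell.exe
2016-05-01T09:11:00 ws-118 PROCESS_CREATE parent=explorer.exe image=powershell.exe
2016-05-01T10:30:00 ws-119 LOGON_FAILED user=aho src=10.0.0.77
2016-05-01T10:30:05 ws-119 LOGON_SUCCESS user=aho src=10.0.0.77
"""

# Tunable assumptions, not values from the original post.
FAIL_THRESHOLD = 5                       # failed logons before a success is suspicious
WINDOW = timedelta(minutes=10)           # look-back window for those failures
REMOTE_ADMIN_SERVICES = {"PSEXESVC"}     # service names installed by remote-admin tools
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse(text):
    """Turn the line-oriented log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, *kvs = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
        ev.update(kv.split("=", 1) for kv in kvs)
        events.append(ev)
    return events


def brute_force_then_success(events):
    """Flag a LOGON_SUCCESS preceded by >= FAIL_THRESHOLD failures from the same source."""
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps of failed logons
    for ev in events:
        if ev["kind"] == "LOGON_FAILED":
            failures[(ev["host"], ev["src"])].append(ev["ts"])
        elif ev["kind"] == "LOGON_SUCCESS":
            key = (ev["host"], ev["src"])
            recent = [t for t in failures.get(key, []) if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "host": ev["host"],
                               "src": ev["src"], "user": ev["user"], "failures": len(recent)})
            failures.pop(key, None)  # a success closes the failure streak either way
    return alerts


def remote_admin_service(events):
    """Flag installation of a service whose name belongs to a remote-admin tool."""
    return [{"rule": "remote_admin_service", "host": ev["host"], "service": ev["name"]}
            for ev in events
            if ev["kind"] == "SERVICE_INSTALLED"
            and ev.get("name", "").upper() in REMOTE_ADMIN_SERVICES]


def office_spawning_shell(events):
    """Flag an Office application starting a scripting host or shell."""
    return [{"rule": "office_spawning_shell", "host": ev["host"],
             "parent": ev["parent"], "image": ev["image"]}
            for ev in events
            if ev["kind"] == "PROCESS_CREATE"
            and ev.get("parent", "").lower() in OFFICE_PARENTS
            and ev.get("image", "").lower() in SHELLS]


def sweep(text):
    """Run every rule over the time-ordered events and return all alerts."""
    events = sorted(parse(text), key=lambda e: e["ts"])
    alerts = []
    for rule in (brute_force_then_success, remote_admin_service, office_spawning_shell):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in sweep(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the sweep raises three alerts (the credential guessing against ws-101, the PsExec service on fs-02, and Word launching PowerShell on ws-117) and stays quiet on the single failed logon on ws-119 and on Explorer starting PowerShell on ws-118, which is ordinary user activity. The point is less the specific rules than the habit: collect the telemetry, keep it time-ordered, and run a growing set of behavioral checks over it on a schedule rather than waiting for an antivirus alert.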
3. Team Building
One of your biggest priorities should be to assemble a well-oiled computer incident response team (CIRT), with each member handling defined roles and responsibilities, including threat monitoring, vulnerability assessment and incident handling. In many cases, a resource-constrained organization may lack the skill sets to handle all of these specialty tasks on its own, so partnering with a company that performs IR can be helpful. In addition, your CIRT must collaborate with other business groups, including public relations, legal, human resources and the executive team, especially following an incident.
4. Response Plan Development
If an incident happens, you need to be ready to go. You must have already developed, documented and drilled a clearly defined procedure for incident response. The response plan should specifically state how you will address each incident class, from garden-variety threats to full-on network compromise, as well as from initial detection all the way to post-mortem and lessons learned. And don't forget the most important part: Test your plan regularly.
5. Partnering Up
As we've already alluded to, if you are like most companies, your IT staff is already beleaguered, never mind ready to handle all of the network analysis and forensic data acquisition that a major incident requires. An already established relationship with a security partner you can have on speed dial - think of Ghostbusters for hackers - will go a long way toward mitigating the fallout and put you in a better position to keep it from happening again.
6. Attack Simulation
An important part of incident readiness is to find out how susceptible you are to an incident in the first place. One way you can accomplish that is through tabletop exercises that won't disrupt your operations. In addition, you can contract with your security specialist partner to orchestrate real-time attack exercises that evaluate, for example, how readily your employees fall for a phishing attack, as well as your own ability to respond to a real incident. Results of these exercises are essential to understanding any gaps in your incident response plan, enabling you to continually update it and ensure maximum efficiency.
7. Triage Training
Minutes matter more than anything following an incident, whether it's at a disaster site, in a hospital or on a compromised network. In the immediate aftermath, there will be many moving parts, but you need to already understand how to remove the guesswork and prioritize your efforts so you can collect, analyze and act on information as quickly as possible, especially since you will likely be working with depleted resources.
8. Malware Reverse Engineering Training
If you can get your hands on a weapon used by your enemies, it's a no-brainer to study and understand it as much as you can. This will help you not only better comprehend how this particular attack occurred, but also arm you with critical insight you can use to help prevent future intrusions. While many intruders are opting for methods like phishing, stolen credentials and the use of legitimate administration tools to progress their attacks, malware still plays a big role in breaches, especially in harvesting additional privilege-elevating credentials and attacking point-of-sale systems.
9. Threat Intelligence
It is important for you to stay up to date on the latest cybercriminal patterns, attack techniques and malware trends that your adversaries are using so you can be more proactive, instead of merely reactive. Our recently released 2016 Trustwave Global Security Report is a good place to start learning the latest trends, but having real-time access to a security provider with global intelligence and 24x7-staffed security operations centers is a far more effective option.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.