How to prepare your organisation for a digital attack
Written by: Caleb Hill
It's only a matter of time before an attacker successfully infiltrates your organization, but that doesn't have to be a disaster if you can respond quickly and adequately. It's all about setting up security teams that can act in a structured and effective way.
Prevention is better than cure, but not all security incidents can be prevented because the attack surface is so large. Think of an IT environment as a fortified city: the guards have to monitor the entire wall around the city, but an attacker only needs one weak spot in that long wall to enter. When you translate that to the large and diverse surface area of endpoints, systems and applications that IT has to deal with, it's clear that it's virtually impossible to fully protect the walls. It's better to detect when the enemy has passed the wall so you can take action.
It is sometimes said that these days there are only two types of organizations: companies that have been hacked and companies that do not yet know that they have been hacked. Whatever type of organization you are - whether it's one that has virtually no defined processes or one that focuses on continuous security measurement and calibration - sooner or later you'll have to deal with an incident.
Incident management often focuses on limiting the damage by "washing the blood out", says Ashish Khanna, Verizon's head of Security Consulting & Architecture. "But that's the most dangerous thing you can do," he warns. "You need to focus on mitigation and quarantine so that you can do forensic analysis and post-mortem. You need to know what happened, what lessons you can learn from it, what the next steps are and how you can prevent it from happening again."
Make sure you have the right teams
If a potential break-in is detected, the IT department must be able to act immediately, without first hunting through an organization chart. "First of all, identify who is part of the response team," Khanna advises. "The key to an effective team is an agile team that you deploy in a structured way." Part of such a structured approach is roadmaps, well-defined processes and practice scenarios. "Have a good idea of what the mitigation plan is," he says. Teams that have to act on the incident must be able to act immediately, without having to read up on background first. You get a better idea of that plan if you regularly run simulations of successful attacks.
A characteristic feature of a company that can respond correctly to a digital break-in is the agility of the team that has to respond to the incident, says Khanna. "A response must be structured. It is important that processes are formulated so that you can deploy them when an incident occurs." In addition, it is important that you can immediately see what is affected in order to assess the impact. "Who are the owners of the affected products, what have been their behaviors and what information has been picked up about the products?"
A register of incidents in which previous incidents are described is also useful. Such a register shows what happened, what caused it, how long the issue lasted, what data and applications were involved, and what measures were taken to regain control. This is valuable information for a team that responds to a new attack with possibly some similar characteristics.
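As an added illustration that is not part of the original article, the register described above can be kept as structured records with exactly the fields listed (what happened, cause, duration, data and applications involved, measures taken), so that a responder can pull up earlier incidents that share characteristics with a new one. The incidents below are constructed examples; the similarity scoring (equal weight to same cause, overlap of data classes and overlap of applications) is an assumption, not a method from the article.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

@dataclass
class Incident:
    """One register entry with the fields the article names: what happened, cause,
    how long it lasted, data and applications involved, measures taken."""
    title: str
    detected: datetime
    resolved: Optional[datetime]     # None while the incident is still open
    cause: str                       # root cause, e.g. "phishing"
    data_involved: Set[str]          # classes of data touched
    applications: Set[str]           # affected applications / systems
    measures: List[str]              # actions taken to regain control

    def duration_hours(self) -> Optional[float]:
        if self.resolved is None:
            return None
        return (self.resolved - self.detected).total_seconds() / 3600

def _jaccard(x: Set[str], y: Set[str]) -> float:
    return len(x & y) / len(x | y) if (x | y) else 0.0

def similarity(a: Incident, b: Incident) -> float:
    """Score in [0, 1]: equal weight to same cause, data overlap, application overlap."""
    same_cause = 1.0 if a.cause == b.cause else 0.0
    return round((same_cause + _jaccard(a.data_involved, b.data_involved)
                  + _jaccard(a.applications, b.applications)) / 3, 3)

def similar_incidents(register: List[Incident], new: Incident, threshold: float = 0.3) -> List[Incident]:
    """Past incidents that look like the new one, most similar first, so the
    responder can reuse their measures as a starting point."""
    scored = sorted(((similarity(i, new), i) for i in register), key=lambda t: t[0], reverse=True)
    return [i for s, i in scored if s >= threshold]

# Constructed sample register (fictional incidents, not from the article).
REGISTER = [
    Incident("Phishing mailbox rule", datetime(2023, 3, 1, 9), datetime(2023, 3, 1, 15), "phishing",
             {"email", "credentials"}, {"m365"}, ["reset password", "remove forwarding rule"]),
    Incident("Unpatched VPN exploitation", datetime(2023, 5, 10, 2), datetime(2023, 5, 12, 2), "unpatched vpn",
             {"credentials", "vpn config"}, {"vpn", "ad"}, ["patch appliance", "rotate credentials"]),
    Incident("Ransomware on file server", datetime(2023, 8, 20, 23), None, "phishing",
             {"file shares"}, {"fileserver", "ad"}, ["isolate host", "restore from backup"]),
]
# A newly detected incident sharing some characteristics with earlier ones (constructed).
NEW = Incident("Suspicious M365 sign-in", datetime(2024, 1, 5, 8), None, "phishing",
               {"credentials"}, {"m365", "ad"}, [])

if __name__ == "__main__":
    for past in similar_incidents(REGISTER, NEW):
        print(f"{past.title}: score {similarity(past, NEW)}, measures {past.measures}")
```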
Create a response plan
Research agency Gartner, for example, has developed a framework that can help companies build such security processes: Continuous Adaptive Risk and Trust Assessment (CARTA). According to Gartner, the perimeter (the space within the wall of the fortified city, if you will) has not disappeared, but has shifted to the cloud. You still set up a perimeter, but instead of around the network, you build a security layer around users. In CARTA it's no longer so much about endpoints and network locations, but about users and their accounts.
The goal of CARTA is for organizations to focus on processes that can easily adapt to constant changes in risk and thus respond adaptively to threats and incidents. "Who responds when things go wrong? When an incident occurs, people soon find that it's not their problem," says Khanna. If you define and record the response in a roadmap, an organization can react quickly when a break-in is detected. "You need a formally reproducible process," says Khanna.
In addition, it is important that the plan is regularly reviewed to update it with modern insights. Khanna: "A plan that is five years old is usually not as effective. Attackers change their methods and tricks, and you have to be able to respond to that."
Practice with small teams
A crisis exercise is not only a matter for IT, but also for end users, Khanna suggests. "You clearly define who is responsible for applications and test scenarios in small business units. In doing so, operational IT and information security work together with the end user." This also reflects a changed mentality: one in which IT is once again at the service of the end user.
"Security shouldn't be a police mentality in which IT people run through the company to find out which end user has caused something," Khanna concludes. Instead, IT security should focus entirely on the business: "The customer is the business, that's the application owners. We need to rally behind them to make their lives easier and more secure, rather than telling people what to do."