Security Breach Management: Handling The Storm With Aplomb

2015 was marked by far too many digital security breaches, a trend that every company hopes to see reversed in the coming year. Unfortunately, as industry expert Leo Scanlon notes, it is unlikely that we’ll be able to stop them all. In this digital era, security breaches are part of the new normal.

So, what should you do when facing a security breach? The most important thing that you can do is stay calm. If you keep your wits about you, you will be better able to approach the problem and implement a solution to protect your clients and your company. Here is how to move forward in the face of a digital security breach.

Plan Ahead
While you may not be able to plan for the exact details of a security breach – if you could, then you could prevent it from happening – what you can do is prepare a preliminary plan of action for any future breach. Write out a general timeline of the actions that need to take place and in what order: who decides to isolate affected systems, who preserves logs and disk images before anything is rebuilt, who notifies legal counsel, regulators and customers, and who speaks for the company. This way, when something does happen, you lose no time giving direction. All you need to do is fill in the specifics of the event.

Communicate Clearly and Calmly
When a breach does occur, it is important to prioritize communication with your team and with your clients. Start with your team. Describe the event, review the plan of action, and make sure that everyone is clear on his or her role.

It is worth sitting everyone down to discuss the breach rather than sending emails about the issue. This allows people to ask questions in real time rather than sending lots of follow-up messages. You might even consider serving everyone a cup of tea. Green tea reduces stress and can calm anxious team members in a visceral way, moving them from high anxiety to centered focus.

After you have alerted your team, everyone can split off to their appropriate tasks, ranging from developing a patch to close the hole the attacker used to calling high-profile clients. Before anyone starts rebuilding or patching affected systems, make sure the evidence on them (logs, memory and disk images) has been preserved; remediation that destroys the trail makes it impossible to establish what was taken. You will also need to contact a range of other people, including legal counsel and law enforcement.

Additionally, make sure your public relations department is ready to issue a statement and field phone calls. Give them a quick FAQ sheet and a directory of who to call about which issues. By preparing public relations as well as you can, you avoid clogging up other employees’ lines with client issues.

Talk and Train
A security breach tests the effectiveness of your training on the ground, and it is also a good opportunity to schedule follow-up training. While working to resolve the breach, note the areas in which employees struggle. These should be central to your next training session.

You should also contact some of your industry peers to find out what they do to prevent security breaches. This does not mean that you need to mimic their strategies, but if you know that someone is using a different approach, you should document clearly why you are doing something else. That way, if you do suffer a breach, you have demonstrated a well-thought-out strategy rather than an arbitrarily chosen system.

Big Fixes, Small Details
Ultimately, when you suffer a data breach, it is important to focus your attention on two issues: the big problems that need to be remedied immediately and the small problems that contributed to the breach but were overlooked during earlier development phases. Start big, and then shift to the small to protect yourself now and down the road.

For the sake of companies and clients alike, hopefully 2016 holds fewer security breaches. But, to make this a reality, every company will need to regularly assess its security systems and breach preparation. Failure to plan is planning to fail, so put that plan in place now.

Larry Alton
Writer
[ISACA Now Blog]

The Cybersecurity Canon: Cyberdeterrence and Cyberwar

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to grow that list well beyond that number. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Brian Kelly: Cyberdeterrence and Cyberwar (2009) by Martin C. Libicki

Executive Summary

My interest in the Cybersecurity Canon project and appreciation for a common body of knowledge shared amongst professionals can be traced back to my time as an Officer in the Air National Guard.

Each year the Air Force Chief of Staff would issue a “reading list”; in 2010 Cyberdeterrence and Cyberwar by Martin C. Libicki was on the list under Mission, Doctrine and Profession. Back in 2008 Lt. Gen. Robert Elder, Jr., then Commander of Eighth Air Force (8AF/CC), sponsored the study “Defining and Implementing Cyber Command and Cyber Warfare.” This book presents the results of that study. The reading list and, more specifically, this book were meant to inform senior Air Force leaders and decision-makers. The basic message of Cyberdeterrence and Cyberwar is that cyberspace is its own medium with its own rules; thus, the deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace.

Review

On June 23, 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish a sub-unified command. The result, United States Cyber Command (USCYBERCOM) as we know it today, is located at Fort Meade, Maryland. The establishment of U.S. Cyber Command marked the ascent of cyberspace as a military domain. This book focuses on the policy dimensions of cyberspace and cyberwar: what it means, what it entails, and whether threats can deter it or defend against it.

Libicki’s background is in national security history and policy rather than in cyber, and that knowledge will benefit readers unfamiliar with Cold War era concepts as they relate to cyber.

Cyberdeterrence and Cyberwar is divided into nine chapters. Chapter One covers the introduction and purpose of the book, which is clearly to focus on military policy as it relates to cyberwar. Chapter Two introduces a conceptual framework for cyberdeterrence and cyberwar: it explains external and internal threats and defines cyberattack and cyberdeterrence. Cyberattack is the deliberate disruption or corruption by one state of a system of interest to another; cyberdeterrence is the capability in cyberspace to do unto others as they would do unto us. Chapter Three asks why cyberdeterrence is different and draws analogies to game theory and nuclear deterrence. Knowing “who did it” is foundational; today we think of it in terms of attribution, and every decision, whether policy or operational, rests on it. Chapter Four considers cyberattack and the purpose behind an attack, with potential purposes ranging from “oops” to rogue operators, and the implications of each.

Chapter Five offers a primer for a strategy of response. This chapter has relevance today, as “hacking back” or “active defense” has become a popular concept in response strategy. Chapters Six and Seven outline “strategic” and “operational” cyberwar and offer conclusions on both. Chapter Eight is dedicated to cyberdefense and concludes that deterrence in cyber terms may be too problematic to offer much surcease from cyberattacks; it outlines the goals of cyberdefense, including architecture, strategy and policy. Chapter Nine is simply titled “Tricky Terrain” and offers the defend, disarm or deter triangle as an illustration of how to approach a threat that cannot be denied. We know now that cyberattacks are exactly such a threat.

Conclusion

Much has changed since this monograph was published back in 2009; and, while some cybersecurity experts may not agree with Libicki’s conclusions, we can’t dispute the significance this work has as a historical text in the cybersecurity professional’s education. I would recommend Cyberdeterrence and Cyberwar for the Cybersecurity Canon. Reading this book in 2016 allows the reader to compare and contrast Libicki’s conclusions against the backdrop of the cyber events that have occurred over the last decade.

[Palo Alto Networks Blog]

The Best of Both Worlds: Building a Secure Hybrid Data Center with AWS

If you’re looking for a new car, you may be considering a hybrid – one that combines electric power for efficiency and mileage with a traditional internal combustion engine to recharge the battery and extend the travel range. For many buyers, it is the best of both worlds, providing greater flexibility to extend your trip as needed. The same concept applies to a hybrid data center – one that combines your own dedicated on-premises resources with the scalability and agility of on-demand compute, networking and storage resources such as those from Amazon Web Services (AWS).

As the insatiable appetite for compute and storage resources to support the business continues unabated, customers are using the public cloud as a way to augment their data centers more quickly and more efficiently than in the past. Initially, a hybrid approach was viewed as a step toward migrating all applications and data to the public cloud. In reality, many customers are settling on a hybrid approach as their new data center architecture.

In a recent conversation I had with a customer, two new physical data centers had just come online, and they were already over-subscribed. They were looking to AWS as a way to extend the life of their data centers using a hybrid approach. When you think about it, a hybrid approach makes the most sense. First off, it allows you to start small and establish some guidelines around which applications and data should reside in the cloud. There will be legacy applications that cannot or should not be migrated. There will be data that, after careful internal analysis, does not belong in the public cloud. For new applications, you might adopt a simple cloud-first mentality: look to the cloud as the default deployment location. A more advanced cloud-first approach entails changing your application development methodology to one that is componentized, makes heavy use of APIs, can be updated rapidly, and can be deployed globally – in the cloud first.

From a security architecture perspective, a hybrid data center is an extension of your data center and therefore should be treated no differently than your physical data center. This means that you should:

  • Know exactly which applications are running in the cloud and whitelist them to ensure they are the only ones allowed in the cloud
  • Segment the applications to control which can talk to which and limit lateral movement
  • Enable applications based on user identity and business need, not on network location alone
  • Apply threat prevention to block threats from accessing your cloud applications and data while also blocking them from moving laterally

When deployed in AWS, the Palo Alto Networks VM-Series can securely enable your hybrid data center, acting as an IPSec VPN termination point and as a virtualized next-generation firewall, protecting your AWS deployment with application control and advanced threat prevention. More advanced use cases include segmentation for added security and compliance purposes through VPC to VPC and subnet to subnet policies. In effect, you can mimic your physical data center security in AWS.
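The four controls above amount to an allowlist of application flows between tiers, enforced at subnet-to-subnet boundaries. The following is an added example, not code from the original post, from Palo Alto Networks or from AWS: a small audit script that takes a constructed tier layout, a constructed application allowlist and a constructed set of AWS-style inbound security-group rules, and reports every flow a rule permits that no whitelisted application needs. The tier names, CIDRs, ports and application names are all assumptions made for the illustration.

```python
"""Segmentation audit for a hybrid AWS deployment (added example).

The tier layout, rules and application allowlist below are constructed for
illustration; nothing here is Palo Alto Networks, AWS or the original post's
code. The check answers one question: does every security-group rule permit
only flows that an explicitly whitelisted application needs?
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Constructed address plan. "internet" is implicit: any address that belongs
# to no named tier (which includes every 0.0.0.0/0 source) is untrusted.
TIERS: dict[str, IPv4Network] = {
    "onprem": ip_network("10.0.0.0/8"),     # on-premises half of the hybrid DC
    "web":    ip_network("172.16.1.0/24"),  # VPC subnet, web tier
    "app":    ip_network("172.16.2.0/24"),  # VPC subnet, application tier
    "db":     ip_network("172.16.3.0/24"),  # VPC subnet, database tier
}

# Application whitelist: (source tier, destination tier, port) -> application.
# A flow whitelisted from "internet" is, by definition, allowed from anywhere.
ALLOWED_FLOWS: dict[tuple[str, str, int], str] = {
    ("internet", "web", 443): "https-frontend",
    ("web", "app", 8443):     "orders-api",
    ("app", "db", 5432):      "postgres",
    ("onprem", "app", 22):    "ssh-admin",
}


@dataclass(frozen=True)
class Rule:
    """One inbound security-group rule on the destination tier's group."""
    group: str
    dst_tier: str
    source: str   # CIDR the rule accepts traffic from
    port: int


@dataclass(frozen=True)
class Finding:
    rule: Rule
    src_tier: str
    reason: str


def implied_sources(cidr: str) -> set[str]:
    """Map a source CIDR to every tier it can carry traffic from.

    A CIDR that is not wholly inside one named tier also covers addresses
    that belong to no tier, so it implies an "internet" source as well.
    """
    net = ip_network(cidr)
    sources = {name for name, tier in TIERS.items() if tier.overlaps(net)}
    if not any(net.subnet_of(tier) for tier in TIERS.values()):
        sources.add("internet")
    return sources


def audit(rules: list[Rule], allowed=ALLOWED_FLOWS) -> list[Finding]:
    """Return one Finding per (rule, source tier) pair the whitelist forbids."""
    findings: list[Finding] = []
    for rule in rules:
        for src in sorted(implied_sources(rule.source)):
            exact = (src, rule.dst_tier, rule.port)
            anywhere = ("internet", rule.dst_tier, rule.port)
            if exact in allowed or anywhere in allowed:
                continue
            findings.append(Finding(
                rule, src,
                f"no whitelisted application needs {src}->{rule.dst_tier}:{rule.port}",
            ))
    return findings


# Constructed rule set: the first three are what the tiers need; the rest are
# the kinds of mistakes that open lateral-movement paths.
RULES = [
    Rule("sg-web", "web", "0.0.0.0/0", 443),
    Rule("sg-app", "app", "172.16.1.0/24", 8443),
    Rule("sg-db",  "db",  "172.16.2.0/24", 5432),
    Rule("sg-db",  "db",  "172.16.0.0/16", 5432),  # spans web, app, db and beyond
    Rule("sg-app", "app", "0.0.0.0/0", 22),        # SSH from anywhere, not just on-prem
    Rule("sg-db",  "db",  "172.16.1.0/24", 5432),  # web tier straight to the database
]

if __name__ == "__main__":
    for f in audit(RULES):
        print(f"{f.rule.group}: {f.rule.source} -> port {f.rule.port}: {f.reason}")
```

The check is deliberately pessimistic: a source CIDR that is not wholly inside one named tier (172.16.0.0/16 or 0.0.0.0/0 in the constructed rules) is treated as also reaching untrusted addresses, so a rule is only clean when every tier it could carry traffic from is on the allowlist for that destination and port. The same logic applies whether the rules come from a security group, a network ACL, or a firewall policy between VPCs.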

To learn more about how a hybrid data center with AWS might benefit your organization, check out these resources:

[Palo Alto Networks Blog]

The Growing Role of Cyber Insurance

The cynical would suggest that cyber insurance is growing as some look for a cheaper route to manage risk. However many see the cyber insurance industry as potentially the new enforcer of good security practices.

Over the last decade we have seen regulation applied, be it by nations or industry groups, and most of it has faced the same challenge: regulation moves at a snail’s pace compared to the rocket ship that is the evolution of IT and cybersecurity. There is a clash between slow-moving regulation and the dynamic, evolving practice of cybersecurity, in which the bar for what counts as state-of-the-art moves continuously, be it because of new IT technology use cases, changing threats, or new practices to mitigate these risks.

The impending EU regulations, the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR), both use the term and concept of state-of-the-art: the latter suggests that businesses should have regard for cybersecurity capability relevant to the risk, and the former that businesses should have at least state-of-the-art security technology.

Could the cyber insurance industry, in effect, become the dynamic new regulator of this in the future as cyber insurance adoption grows? Businesses will be eager to prove they are applying such state-of-the-art practices to reduce their premiums, and insurers will be looking to validate if a business can be insured and just what level of premium they should be offered based on the business’ capabilities.

As the cyber insurance market grows, it will surely become more competitive, and so such analysis would seem key to being able to offer better premiums where the risk posture allows. An example of this is IASME (a UK consortium for small- to mid-sized businesses) tying cyber liability insurance coverage for small businesses to certification under the UK Cyber Essentials program, which aims to assure a basic level of cybersecurity. IASME is one of four accreditation bodies for Cyber Essentials certification in the UK.

The question all this raises is whether those in the insurance industry will have to become cybersecurity experts, and the likely reality is that they will not, as there is already a skills shortage in the cyber market. What seems more likely is that partnerships will be formed with the security industry so that insurers can gather better intelligence on both the current threat landscape and defensive capabilities, validating their real-world effectiveness and identifying best practices.

Much as home insurance is linked to where you live, cyber insurance will be linked to the industry you are in and where you do business, to better identify the likelihood and scope of claims. Today some cybersecurity vendors, including Palo Alto Networks, already track such data and, with the Cyber Threat Alliance, can track and advise on advanced threats.

As cyber insurance evolves, it will require a tripartite relationship amongst knowledge of the risk, relevant state-of-the-art capabilities to prevent the impact, and the skills to validate their ongoing application. It will be interesting to see if, in the longer term, insurers will build out their own list of approved requirements and capabilities. However, unlike most insurance services, which have been built from decades of knowledge to generate the actuarial data that balances premiums against claims, cyber insurance is still relatively nascent. I would argue that there are very few insurance markets as dynamic as cybersecurity. Only time will tell if the potential benefits for all, with insurers’ growing involvement in the cybersecurity space, come to fruition.

[Palo Alto Networks Blog]

For Cyberattackers, Time Is The Enemy

Current research in cybersecurity often has a narrow focus, detailing recently successful attacks and how those attacks were accomplished. Attackers are often represented as shadowy, nameless figures, with a special kind of mystique surrounding them. That Hollywood image couldn’t be further from the truth. In a new study released today, “Flipping the Economics of Attacks,” Palo Alto Networks has partnered with the Ponemon Institute to understand not only what motivates these attackers but also how we can turn the tables on them by taking away their financial incentives to attack.

The data also shows us a clear path to shift the economic motivation of attacks with two compelling facts:

  • Increasing the time it takes to breach an organization by less than 2 days (40 hours) will deter 60 percent of attacks.
  • Organizations rated as having “excellent security,” as compared to “typical,” took double the time to breach (140 hours).

To understand how to influence an attacker’s economic motivation, we must consider what I call the “adversary arithmetic,” which boils down to the cost of an attack versus the potential outcome of a successful data breach. If malicious actors are putting in more resources than they are getting out, or we decrease their profit, being an attacker becomes much less attractive. Using the survey findings as a guideline, let’s walk through what we can do to reverse this trend.

An Attacker’s ROI

Here is the situation today: we found that 53 percent of those surveyed believe that the cost of executing successful attacks has gone down, with more available malware and exploits, better attacker skills, and more effective toolkits as the primary drivers. This is important because, just as Moore’s Law describes computing power getting cheaper over time, the growing automation and sophistication of hacking tools makes launching a successful attack cheaper.

The survey also found that 69 percent of adversaries were motivated solely by profit, meaning that changing the arithmetic to increase the cost of attacks could prevent the majority of them from ever being launched. It is important to note that there is a spectrum of malicious actors, and organizations must always maintain awareness of potentially dangerous, highly targeted attacks, or nation-state led activity such as cyber espionage or cyber warfare. However, if we can de-incentivize anywhere near that number of attackers, we will see seismic change in the threat landscape.

There’s a common notion that attackers are motivated by big potential paydays. We found this to be the exception, rather than the rule, with average annual earnings from malicious activity totaling less than $30,000. This limited earning power becomes even less attractive when you consider the added legal risks, including fines and jail time.

The next step in our equation is how attack targets are selected. We found that the majority of attackers (72 percent) were opportunistic, not wasting time on efforts that do not quickly yield high-value information. While advanced nation-state actors employ lots of planning, think about the average attacker as the mugger on the street, versus the Ocean’s Eleven crew that spends weeks planning a complicated high stakes heist. When put into this context, organizations that prioritize making themselves a harder target will actively prevent a significant number of potential breaches.

Taken together, we have a simple picture of an average adversary: motivated by profit and going after easy targets in an environment where attacks are becoming cheaper. There is reason for hope though, as this same attacker is making a relatively small income, especially compared to cybersecurity professionals, with the added element of risk they face.

Time is the defining factor to change the adversary’s arithmetic. As network defenders, the more we delay adversaries, the more resources they will waste, and the higher their cost will be. We can interrupt the march toward more and more lower-cost attacks by taking a slightly different perspective on the problem. We need a prevention-based focus on the right investments in the right people, process and technology to defend the organization. Working together as a community to shift the economics of this problem, we can hit the core motivation for attackers and shift their behavior over time, bringing us to a world where cyberattacks are the exception, not the norm.

Read the full report for additional findings, including key recommendations for preventing attacks.

[Palo Alto Networks Blog]