Early detection offers the chance to reduce the cost of a data breach, but companies need a breach incident response plan to take advantage of that knowledge.
"If you have a plan, you'll be ahead of most organizations," says Rick Kam, president and founder of the post-breach response consultancy ID Experts. ID Experts, which has worked with hundreds of IT organizations to help them clean up after breaches, has found that companies that seek its help almost never have an incident response plan. These same IT organizations may have disaster recovery or business continuity plans, but no plan for responding to a big data breach.
According to Ponemon estimates, an incident response plan can help reduce the cost of a breach by as much as $42 per record for breaches involving personally identifiable information. The first step in developing an effective plan is to assess the business impact if a breach were to knock out a critical asset, shut down a key process or expose vital data. "Then determine the actual tactical plans to respond to a number of threats to that element," says Tran.
Similarly, by doing best- and worst-case scenario planning, IT organizations can determine whether response efforts will be centered on gathering forensics to bring an attacker to justice or, more commonly, getting operations back up and running as quickly as possible. "I've seen people go down rabbit holes and waste all sorts of time," Liu warns.
When an incident is discovered, Liu recommends taking a deep breath and reassessing those goals to avoid knee-jerk reactions that can lead to locking all systems down, buying unnecessary software "and just responding too quickly without an endgame."
Some organizations spend too much time trying to attribute the attack to a specific attacker. John Walton, principal security manager at Microsoft, thinks it's worth understanding a company's potential attackers before a breach happens, since that can help prioritize spending and develop defenses. But when a breach incident is in progress, attributing it to a single source shouldn't be a priority.
"Incident response teams can focus too much effort on trying to understand the adversary or trying to ascertain who it is," Walton says. "That can take away a lot of resources and valuable time [from] doing other recovery efforts."
In addition to deep breaths, documentation and testing also are important.
A breach response plan should lay out procedures and processes for containing a breach, putting the forensics plan into action, and communicating your breach plan to partners and customers. It should also identify which experts will be carrying out those processes, says Melissa Ventrone, an attorney who works as an associate in the data privacy and security group at the law firm Wilson Elser. A team of technology, legal, forensics and crisis communication experts should be formed in advance and review and practice the plan. "Policies are only as good as the people who abide by them and follow them and test them and make sure they work," Ventrone says. "The time to learn whether or not your documents are in place, or whether you can follow policies, is not during an emergency."
There's a balancing act here: Organizations should conduct breach management exercises at least once a quarter, says Tran, but he recognizes the risk of overtraining staff and causing fatigue. To avoid "organizational thrash" that may follow an actual incident, Tran recommends cross-training, so that the team can set up a sane work rotation during a crisis.
"A common pitfall in operations is you leave folks in place in their jobs way too long," he says. A forensics expert working 12-hour days examining log data will burn out quickly without some kind of backup staff. "There needs to be enough relief pitchers out there."
The Breach Advantage
While incident response plans are built to help organizations get back to normal quickly after a breach, IT teams should recognize that a major security failure likely will change the company and how it thinks about security. "Your whole outlook changes," says Lucas Zaichkowsky, an enterprise defense architect at security firm AccessData.
These changes can be good or bad. Bad changes such as lost revenue, brand damage, customer churn and competitive damage can be limited through effective planning. Minimizing the damage can also prevent another kind of bad change: a company becoming overly cautious and pulling back on innovation. Good changes, based on lessons learned from the breach, should be maximized to make a meaningful improvement in security operations down the road.
"There are a lot of normal security operations that still get breached," Zaichkowsky says. "As they go through that, they learn a really valuable lesson: that the everyday noise in security they defend against -- the spam and rogue AV pop-ups, the junk -- is extremely different from defending against a real attacker that's going to steal data."
Building up a defensive posture equipped to defend against those kinds of hacker attacks is a good outcome, he says.
One security practitioner at a large financial organization says his company has learned important lessons from the recent sting of a substantial and very public breach. "Sometimes a data breach is exactly what a big organization needs to get its security act together," said the security pro, who asked to remain anonymous.
A massive problem is the only thing powerful enough to instill meaningful IT security changes at a company, the security pro says. For years before the incident, he says he went blue in the face warning about potential threats and asking for additional budget.
Organizations that have been through a breach are generally more willing to spend on the resources needed to respond effectively and reduce the risk and impact of breaches in the future. "Usually, it's a fairly big wake-up call that they've got to change what they do," says Liu.
But turning over a new leaf means integrating effective postmortem analysis into the breach response.
"After the initial incident, take the time to plan out the lessons learned," Liu says. "Not just cleaning up and not just getting secure, but making sure you stay secure." That extra work will add to the post-breach expense, but it's a cost worth bearing.