Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3
(Continued from part eight in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)
Let us assume that you’ve diligently followed the five Core Functions of the NIST Cybersecurity Framework (CSF) in order to best prepare yourself for the Canadian Digital Privacy Act (DPA). Likewise, let us also assume that you’ve briefed your Board of Directors, you have rigorously assessed your overarching cyber readiness and that, based on the CSF, you have made significant improvements to your cyber defensive posture. Nonetheless, you get that 3:00AM call that your enterprise infrastructure has been breached and a significant exfiltration of customer, client, or patient PII has occurred. Although you won’t be happy to receive this call, the degree of stress you will encounter will be directly related to how well you’ve war-gamed this event in advance. In other words, don’t wait until you’ve been breached to think about the next step – ASSUME you will be breached, because sooner or later, even with the best effort to prevent it, you still might experience such an event. To build that preparedness, here are three simple steps to take before that dreaded day arrives.
Protect your data
In 2015, the median number of days that attackers were present on a victim’s network before being discovered was 146 days (source: Symantec 2016 Internet Security Threat Report, https://www.symantec.com/security-center/threat-report), which is a lot of time to steal whatever data they are looking for. However, even if you experience a data breach, if the attackers can’t steal your data or compromise its integrity, there will be less damage to your organization, no matter how long it took you to discover the breach. So, we recommend that you classify your data to determine what is important and sensitive, and take measures to protect it in the event of a data breach, such as using data loss prevention (DLP) with SSL decryption capabilities for data in motion. DLP with SSL decryption will detect attempts to access and/or exfiltrate data without authorization and, based on your policy, block it or encrypt it so that even if it is stolen, it cannot be read.
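To make the classify-then-enforce idea concrete, here is an added example (not code from the original post or from any Symantec product) of the policy decision a DLP engine makes on an outbound message after traffic has been decrypted. It classifies the payload by content rather than by filename, validating candidate Canadian SINs and payment card numbers with the Luhn check so that ordinary nine- or sixteen-digit numbers are not flagged, then applies a per-label policy. The policy table, the HMAC key and the sample payloads are constructed for the example; the "tokenize" action stands in for the post's encrypt-on-egress step, since the standard library has no authenticated cipher and an HMAC-derived token is the usual way to render a value unreadable while keeping it matchable.

```python
import hashlib
import hmac
import re

# Constructed policy: classification label -> action on outbound traffic.
# Actions escalate: allow < tokenize < block; the strictest matching label wins.
POLICY = {"pii:sin": "block", "pii:card": "tokenize"}
SEVERITY = {"allow": 0, "tokenize": 1, "block": 2}

# Constructed key for tokenization; a real deployment keeps this in a KMS or HSM.
TOKEN_KEY = b"example-key-not-for-production"

# Canadian SIN: nine digits, optionally grouped 3-3-3; payment cards: 13 to 19 digits.
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by both SINs and card numbers; cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (label, matched_text) pairs for Luhn-valid SINs and card numbers."""
    hits = []
    for m in SIN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("pii:sin", m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("pii:card", m.group()))
    return hits


def tokenize(value: str) -> str:
    """Replace a sensitive value with a keyed, non-reversible token."""
    digits = re.sub(r"[ -]", "", value)
    tag = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<tok:{tag}>"


def inspect_outbound(dst: str, payload: str) -> dict:
    """Classify one outbound payload and apply the strictest policy action."""
    hits = find_sensitive(payload)
    action = "allow"
    for label, _ in hits:
        candidate = POLICY.get(label, "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate

    out = payload
    if action == "tokenize":
        for _, value in hits:
            out = out.replace(value, tokenize(value))
    elif action == "block":
        out = None  # nothing leaves; the event is logged for the IR team

    return {
        "dst": dst,
        "labels": sorted({label for label, _ in hits}),
        "action": action,
        "payload": out,
    }


if __name__ == "__main__":
    # Constructed sample payloads, all headed for an external address.
    samples = [
        "Ticket 4521: customer SIN 046 454 286 attached",
        "card 4111 1111 1111 1111 exp 12/27",
        "invoice 123 456 789 paid",
    ]
    for s in samples:
        print(inspect_outbound("203.0.113.9", s))
```

The third sample shows why the Luhn step matters: "123 456 789" has the shape of a SIN but fails the checksum, so it passes through untouched instead of generating a false block that users would learn to work around.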
Have Your Incident Response Team Ready to Act
You can’t deal with a breach on your own, unless it’s what you do for a living. So, we suggest that you have a retainer with a professional, well-established Incident Response organization that has the resources and experience to act immediately to mitigate the impact of your breach. They can do this using remote and/or on-site investigative support. Incident Response organizations that have access not only to tools but also to massive global intelligence networks are best, because they can more quickly and accurately determine the source and nature of your breach, and perform forensics to help you minimize the chances of another breach. Since they do this for a living and you don’t, this is the best way to be ready to respond to a breach and restore “business as usual” as quickly as possible.
Quickly Determine Exactly What Happened and How
Your Incident Response Team will work to determine where the cyber attackers embedded “command and control” nodes across your network, what they have accessed, how to isolate and remove their presence, and how to block their attempts to further steal or compromise your data. To facilitate a resilient cyber defense in depth, we recommend that you deploy technologies that give you deep visibility into your network (including encrypted traffic). Like a security camera for the network, you should be able to record such network activity, so that you and your Incident Response Team can replay and analyze what happened, where, when, and how. This detailed, historical, time-stamped data will dramatically improve the efficiency of your incident resolution and forensics activities and help deliver a faster, more precise, and more complete remediation. Ultimately this resolves the issues faster and more thoroughly, helping you to thwart subsequent breach attempts.
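The “security camera” only pays off if the recording can be replayed with a question in mind. As an added example (not the original post’s code, nor any vendor’s), the script below takes a retained connection log and answers the two questions the passage raises: which internal hosts were talking to a command-and-control node, and when and where the bulk of the data left. A beacon is recognized as a source/destination pair with a run of near-evenly spaced connections; the largest outbound transfers are listed separately so a quiet hourly check-in and a single 48 MB upload both show up. The log format, field names, IP addresses (from the documentation ranges) and timestamps are all constructed for the example, and the thresholds are assumptions a real investigation would tune.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed connection log: one row per outbound connection, as a network
# recorder or flow collector would retain it. Times are UTC.
CONN_LOG = """ts,src,dst,dst_port,bytes_out
2024-03-01T02:00:00Z,10.0.5.23,203.0.113.9,443,512
2024-03-01T03:00:01Z,10.0.5.23,203.0.113.9,443,498
2024-03-01T04:00:00Z,10.0.5.23,203.0.113.9,443,520
2024-03-01T05:00:02Z,10.0.5.23,203.0.113.9,443,501
2024-03-01T05:30:00Z,10.0.5.23,203.0.113.9,443,48000000
2024-03-01T02:14:11Z,10.0.7.4,198.51.100.20,443,3021
2024-03-01T09:41:30Z,10.0.7.4,198.51.100.20,443,1188
2024-03-01T16:05:02Z,10.0.7.4,198.51.100.21,443,2210
"""


def parse_conn_log(text: str) -> list[dict]:
    """Parse the constructed CSV into typed rows, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "src": row["src"],
            "dst": row["dst"],
            "port": int(row["dst_port"]),
            "bytes_out": int(row["bytes_out"]),
        })
    return sorted(rows, key=lambda r: r["ts"])


def find_beacons(rows: list[dict], min_conns: int = 4, max_jitter: float = 0.10) -> list[dict]:
    """Flag src/dst pairs whose connection gaps cluster around one period.

    A pair qualifies when at least min_conns - 1 gaps lie within max_jitter of
    the median gap; one off-schedule connection (such as the final large
    upload) therefore does not hide an otherwise regular beacon.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["ts"])

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        regular = [g for g in gaps if abs(g - period) <= max_jitter * period]
        if period > 0 and len(regular) >= min_conns - 1:
            beacons.append({
                "src": src,
                "dst": dst,
                "first_seen": times[0],
                "period_s": period,
                "count": len(times),
            })
    return beacons


def largest_transfers(rows: list[dict], top_n: int = 3) -> list[dict]:
    """Largest single outbound transfers: where and when the data actually left."""
    return sorted(rows, key=lambda r: r["bytes_out"], reverse=True)[:top_n]


def investigate(text: str) -> dict:
    """Replay the retained log and summarize what the IR team needs first."""
    rows = parse_conn_log(text)
    beacons = find_beacons(rows)
    return {
        "earliest_evidence": min(b["first_seen"] for b in beacons) if beacons else None,
        "beacons": beacons,
        "largest_transfers": largest_transfers(rows),
    }


if __name__ == "__main__":
    summary = investigate(CONN_LOG)
    print("earliest evidence:", summary["earliest_evidence"])
    for b in summary["beacons"]:
        print(f"beacon {b['src']} -> {b['dst']} every {b['period_s']:.0f}s x{b['count']}")
    for r in summary["largest_transfers"]:
        print(f"{r['ts']} {r['src']} -> {r['dst']} {r['bytes_out']} bytes")
```

The earliest beacon timestamp is what bounds the dwell time the post quotes: without the retained record, the investigation can only reason forward from the moment of discovery.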
Bottom line
Historically, many organizations fail to reveal the full scope and breadth of their data breaches. In fact, they often fail to grasp the full extent of the compromise and the magnitude of the damage done. To not only avoid breaches, but to avoid the systemic collapse of your cyber posture if a limited breach occurs, it is best to maintain a specialized team on an Incident Response Retainer basis so that whenever breaches occur, they will be at the ready to effectively assist you in recovery. To avoid breaches in the first place, maintain a rigorous defense-in-depth cybersecurity program that not only hardens devices, but also deploys data loss prevention with SSL decryption capabilities to detect and prevent nefarious attempts to access or exfiltrate your data. With such technologies providing deep visibility into your network, and with an Incident Response Retainer in place, your organization will be much better prepared to thwart breach attempts and to respond to them if they nonetheless occur. We’re ready to help. If you would like to begin working with our team, click here and we’ll have one of our specialists reach out to you.
Up next is our final blog in the series..."Building Out an End-to-End DPA Strategy"
For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa