A primer on the keys to a complete cybersecurity incident response plan

Inside counsel that understand cybersecurity become defenders of their companies

Part one of this series provided a basic framework for today’s cybersecurity environment through an introduction to cyber-vernacular designed to give legal counsel an opportunity to work productively with their chief information security officer and chief technology officer. An understanding of those basic concepts is critical to planning and coordinating an intelligent response to today’s cyber risks. Part two discussed a few of the major cyber-attacks that have plagued organizations. Understanding the nature of these recent cyber-attacks is a necessary step in managing and combating current risks. More importantly, you should be aware that the attacks are increasing in sophistication and continuing to evolve. The high-stakes game of cat-and-mouse that is cybersecurity is played out every day, and the mouse has gained much ground.

With the basic tools in your cyber toolbox and some explanation of how cyber-attacks are playing out, this final installment will discuss strategies to address today’s cybersecurity risks.

The Target: Your Organization’s Sensitive Data

It is well-understood that organizations create and store a great deal of confidential electronic information about their products, finances, employees, customers and intellectual property. Most of this information is now collected, processed and stored on computers and accessed across global networks on other computers. The protection of this confidential electronic information is a fundamental business requirement that presents a complex challenge to information security personnel on a daily basis.

As previously discussed in part one of this series, the security workflow generally encompasses three phases:

  1. Detection, which includes firewalls, intrusion prevention systems (IPS) and data loss prevention.
  2. Incident management, which involves the monitoring and detection of security events.
  3. Incident response, which deals with the containment and investigation of malware, and the recovery from an attack.


Creating a Cybersecurity Strategy Based on the Reality that Your Perimeter Will be Breached

The easiest way to visualize the methodology many organizations use to implement their network and information infrastructure protection scheme is to think about it in terms of layers. Think of a company’s most valuable electronic information as the Earth’s inner core and each layer of protection as one of the Earth’s layers. And while the naming of these protective layers will no doubt vary from one organization to the next, the fundamental goal will not vary—developing and implementing strategies to protect sensitive and confidential electronic information from both external and internal threats.

There are four key components to consider when developing your cybersecurity strategy.

1. You must understand the cybersecurity risk in relation to your organization and its critical business operations. Defining and assessing that risk will be specific to you.

2. Your strategy must involve an inter-departmental team that brings together individuals responsible for IT infrastructure, technical security, information assurance, physical security and legal protection. Without a collaborative effort by these key stakeholders, any strategy is doomed to fail.

3. The strategy must establish a multi-layer protective monitoring system to prevent and deter both the insider threat and external attacks. As outlined in part one of this series, this comprises tools such as:

  • Firewalls
  • IPS
  • Data-loss prevention solutions
  • Security Information and Event Management (SIEM) software

4. The team should develop a detailed response plan for when a breach occurs because despite all of your best efforts, it is no longer a question of “if” a breach will occur, but “when.” Those who fail to prepare should prepare to fail.

Protecting the Most Vulnerable Enterprise Target

It is this fourth and final step where most cybersecurity response plans fail. Organizations put so much effort into layered perimeter detection and defense that they develop a false sense of confidence that a breach will not occur. In many cases, a network has already been compromised without detection. The Ponemon Institute recently published research, “The Post Breach Boom,” showing that the average malicious breach takes 80 days for the breached organization to detect and more than four months to resolve. Every hour and every day that passes before the organization begins remediation adds further potential damage and cost.

When a high-profile security event does occur, the ensuing fire drill is chaotic and haphazard. Companies lacking a comprehensive response plan when time is of the essence not only increase the risk of losing confidential data, but also increase the cost associated with the breach by being held hostage to outside vendors. It is this lack of visibility into, and control over, sensitive data and potentially harmful software running on computers within the network that creates the biggest gap in strategy.

When considering the development of this last step, you should look for tools that offer a few key capabilities including:

  • Endpoint Situational Awareness (ESA): This is the ability to expose unknown running processes and data, as well as to locate unstructured sensitive data. This functionality is offered in many forms and should be thoroughly evaluated before a real incident occurs, not during one.
  • Security Event Response: Your strategy should include the ability to determine the source and scope of any computer event within your network and assist in determining if that event is coming from inside or outside the network and whether it is deliberate or inadvertent.
  • Automated Response: When an event occurs, time is never on your side. As tools become more robust, the need to integrate with an alerting system via API to instantly respond is vitally important.
  • Remediation: The real key to stopping events in their tracks once they have been located is the ability to remediate: to get rid of the malware or to remove data from unauthorized locations. Remediation is accomplished by securely collecting the malicious data or running processes for further analysis, by wiping them where they live, or both. This functionality can also be used to further protect the organization by eradicating errant sensitive data from endpoints regardless of how it is stored.

Conclusion

In 2010, when the president identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, he was not limiting it to the federal government. Organizations of all sizes and industries have an obligation to be educated about cybersecurity threats and work towards preventing and/or limiting the impact of those events in this evolving, dynamic environment. Inside counsel with a solid understanding of a complete approach to cybersecurity are well-placed to be some of the strongest defenders of their organizations.

Contributing Author

Daniel Lim

Daniel Lim is Vice President and Deputy General Counsel of Guidance Software. He consults with corporate and government clients on e-discovery, privacy, and digital investigations....
