One sad fact about security is that, no matter what controls you put in place, you will suffer breaches, and if you are on the internet it is likely to happen sooner rather than later.
People sometimes hold to a “physical world” security model which has a clearly defined threat actor (e.g. a burglar) casing properties in their target area for an eventual break-in. If you are unlucky enough to leave a door open on the night they are casing you, you get robbed.
This is a good way of thinking, but it is crucial to remember that on the internet the burglars are worldwide and they are running automated tools which are constantly casing your property to see if there is something they can exploit. This means any momentary lapse (such as a missed software patch or a careless configuration change) can be found by attackers and exploited faster than most people realise. The lesson is simple: breaches can, and will, happen at any time of the day or night, while you are working, sleeping or on holiday.
This is not saying your security controls are useless – far from it. Without them, the breaches will be more frequent, more damaging and harder to recover from. You do, however, have to avoid the mindset that security is putting controls in place and then saying “job done.”
If breaches are inevitable, why do I need controls?
Let’s clear this up first. You need your security controls. You really do.
Security is best delivered by applying layers of controls and constantly striving to maintain and improve them. Good security controls help you with:
- Making you a hard enough target that lots of attackers, especially script kiddies, will simply go elsewhere.
- Delaying attackers enough that your detection systems will be alerted to their presence.
- Collecting enough data to allow you to investigate breaches.
- Being adaptive enough to respond to attacks in real time.
If you come from a physical security background, this might be familiar: deter, delay, detect and respond are the same basic requirements that all security controls, physical or digital, have to meet.
So, breaches happen, what do I need to do?
First off, if you are reading this as a breach happens, it is too late. Sorry. Incident response is all down to planning. If you don’t plan properly, any successful incident response activity is pretty much down to random chance. Secondly, if you handle regulated data such as personal data/PII, credit card data etc., then you need to make sure your plans meet the relevant regulatory requirements, including any breach notification deadlines. The advice here is generic and high level.
So, to answer the question:
- You need to plan, plan and plan some more. Your plans need to include who is responsible for doing what. Your plans need to cover everything from minor incidents to breaches which put your company’s very existence at risk.
- Test your plans. This is crucial. Make sure everyone involved knows what they need to do. Make sure the communications channels you have work. Make sure it all works at any time of the night or day. Make sure it works when your key decision makers are unavailable. Then test it all again. And again.
- Provide resources for incident response. This isn’t free. If you are a small business with limited internet-facing systems you might just be able to get away with an ad-hoc incident response team, but don’t assume a good sysadmin or a good networks person makes a good incident responder. Also remember breaches are stressful. Your incident responders will burn out if you ask them to do too much.
- Learn from your mistakes. Just as breaches are inevitable, so are incident response mistakes. You need to be mature enough to analyse your behaviours and learn from what went wrong. Your attackers are constantly improving; you need to do the same.
In practical terms
As part of your plans, you need to be aware of the six high-level steps of incident response (see image), and your processes need to cover each step.
You need to make sure that you have an incident response team who have the right skills and knowledge to do the job. You also need to make sure you resource the team well enough that they aren’t trying to juggle a day job as well as respond to incidents, and that you have some way to rotate people so nobody is permanently on call.
There are no hard and fast rules on how much of your security budget should go on incident response – it really depends on your individual circumstances – but two things are always true. You need a security budget, and some of it must be spent on incident response. Don’t fool yourself into thinking anything else is financially sensible or a long-term option.
Make sure your incident response team either have the authority to act or the ability to seek this authority at very, very short notice, any time of the day or night. The last thing you want is the complete loss of your network because the incident responders didn’t have the authority to pull the plug on an infected machine and couldn’t find the person who did.
All of this goes a long way to making sure your organisation is resilient enough that an incident can’t kill you. At the end of the day, that is what really matters.