Breached? The Need for Speed in the Golden Hour
20 October 2017
- By Tony Rowan, Chief Security Consultant, SentinelOne
Just like a goalkeeper in a football match, it’s important for organisations to realise that they can’t stop everything that tries to bypass their cyber security defences.
As attackers become stealthier, even organisations with multiple layers of security can be victims of a cyber breach. What should happen in the ‘golden hour’, the critical first hour after something does slip through the net, from both a technical and an organisational perspective?
Immediate response during the golden hour
As recent breaches have shown, even the biggest companies, with the most significant budgets to invest in cyber security defences, aren’t able to block everything that attempts to access their networks. This, alongside the impending General Data Protection Regulation (GDPR), which requires personal data breaches to be notified to the supervisory authority within 72 hours of the organisation becoming aware of them, emphasises the need to have the proper mechanisms in place to detect a data breach as quickly as possible. Fast detection allows an organisation to react quickly and follow the correct procedures to limit the severity of the breach.
The first step is to contain the breach, and to do this security teams must isolate the device in question. All network connections must be cut, with nothing coming in or going out, so the infection cannot propagate further into the network. Isolate at the network level rather than by powering the machine off, so that volatile evidence such as memory contents and running processes survives for the forensic work that follows. After the device is completely quarantined, the next step is to identify how the organisation was breached and with what, ransomware for example.
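One way to implement the network-level quarantine described above, as an added example that is not from the original article or from any vendor product: the host is cut off from everything except a single management channel back to the EDR server, so it can no longer reach the rest of the network but still remains reachable for forensics. The management server address and port are assumptions, and the function returns the rules rather than applying them unless explicitly told to, so it can be reviewed (and tested) without root.

```python
"""Build a host-quarantine firewall policy for a Linux endpoint.

Everything is dropped except the channel back to the EDR/management server
(address and port are assumed for the example), so the host is isolated from
the network but can still be reached for forensic collection.
"""
import ipaddress
import subprocess
from typing import List


def quarantine_rules(mgmt_server: str, mgmt_port: int = 443) -> List[List[str]]:
    """Return the ordered iptables invocations that quarantine this host.

    Order matters: the allow rules are appended before the chain policies are
    switched to DROP, so an already-open management session is never cut.
    """
    ipaddress.ip_address(mgmt_server)  # raises ValueError on a malformed address
    if not 0 < mgmt_port < 65536:
        raise ValueError(f"invalid port {mgmt_port}")
    srv, port = str(mgmt_server), str(mgmt_port)
    return [
        # start from a clean slate in the filter table
        ["iptables", "-F", "INPUT"],
        ["iptables", "-F", "OUTPUT"],
        ["iptables", "-F", "FORWARD"],
        # loopback stays up so local agents and logging keep working
        ["iptables", "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        ["iptables", "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
        # outbound to the management server: new and existing sessions
        ["iptables", "-A", "OUTPUT", "-d", srv, "-p", "tcp", "--dport", port,
         "-m", "conntrack", "--ctstate", "NEW,ESTABLISHED", "-j", "ACCEPT"],
        # replies from the management server, only for sessions this host opened
        ["iptables", "-A", "INPUT", "-s", srv, "-p", "tcp", "--sport", port,
         "-m", "conntrack", "--ctstate", "ESTABLISHED", "-j", "ACCEPT"],
        # everything else, in every direction, is dropped
        ["iptables", "-P", "INPUT", "DROP"],
        ["iptables", "-P", "OUTPUT", "DROP"],
        ["iptables", "-P", "FORWARD", "DROP"],
    ]


def apply_quarantine(mgmt_server: str, mgmt_port: int = 443,
                     dry_run: bool = True) -> List[List[str]]:
    """Print (dry run) or execute (needs root) the quarantine rules."""
    cmds = quarantine_rules(mgmt_server, mgmt_port)
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # assumed management server for the example; dry run only
    apply_quarantine("10.0.0.5", 443, dry_run=True)
```

Note that the host is not allowed to talk to DNS, its domain controller or anything else: if the agent needs name resolution to reach the management server, add an explicit rule for that resolver rather than loosening the default policy. Existing connections to other hosts are severed once the OUTPUT policy flips to DROP, which is the intent.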
These forensic investigations are essential in assessing the situation and understanding exactly what has happened. Security teams then have a clearer picture of which data has been accessed, modified, deleted and, more importantly, stolen.
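A first cut at the "what was modified or deleted" question, as an added example rather than anything from the original article: compare a file-integrity baseline taken before the incident against the current state of a tree. The directory layout and the tampering simulated in the demo are constructed for the example. Hashes show creation, modification and deletion; they say nothing about reads or exfiltration, which need access and network logs.

```python
"""Diff a file-integrity baseline against the current tree to list files
that were added, modified or deleted since the baseline was taken."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    digests: Dict[str, str] = {}
    base = Path(root)
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(base).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(baseline: Dict[str, str],
                   current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, modified or deleted relative to baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate an intruder
    changing a config file, deleting a document and dropping a new binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "customers.csv").write_text("id,email\n1,a@example.com\n")
        (root / "notes.txt").write_text("quarterly notes\n")
        (root / "config").mkdir()
        (root / "config" / "app.ini").write_text("debug=false\n")
        baseline = snapshot(tmp)

        # simulated tampering after the baseline was recorded
        (root / "config" / "app.ini").write_text("debug=true\n")
        (root / "notes.txt").unlink()
        (root / "dropper.exe").write_bytes(b"MZ\x90\x00")

        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For this to be usable in the golden hour the baseline must already exist and be stored off the host; a baseline taken after the intruder has been active only tells you what changed after that point.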
Handling a breach in the golden hour
Once you have the forensic insight and fully understand the context of the breach, it is then possible to begin tackling it from an organisational perspective. Security teams must assess the impact the breach has had on the organisation: analyse what type of data has been affected and whether it contains personally identifiable information that could be used for identity theft or other criminal activity. If so, the breach should be treated as a more severe event. This is now more important than ever in light of GDPR, which comes into force next year. Organisations can no longer just sweep the event under the carpet and hope that nobody finds out. After the 25 May 2018 deadline, there will be severe penalties for organisations that choose to do so.
Communicating the breach and its potential effects must also be a priority. Nowadays, many security breaches are broken by news outlets or on social media before the organisation has said anything itself, so organisations must make sure they have a dedicated team in place for crisis communications and keep track of all customer interactions.
The next step is all down to the incident response and how the organisation handles the data breach both internally and externally. A security incident that turns into a confirmed security breach can lead to devastating financial and reputational loss. Therefore, the relevant stakeholders and affected third parties must be notified as quickly as possible so they can respond in a timely manner and take the necessary steps to mitigate the impact; for example, advice on changing passwords and being alert to targeted phishing emails that reference the breach. It must then be the organisation’s priority to manage all communication about the breach closely, and in an open and honest way, to customers and beyond.
Speed of response is crucial in the ‘golden hour’, but it must not make the situation worse. Some sophisticated malware watches for signs that it has been detected and, when it sees them, goes into a self-destruct mode, deleting itself and as much evidence of what it has done on the network as it can. The response therefore has to capture evidence before it tips the attacker off.
We’re now in a world where it is a question of not ‘if’ but ‘when’ an organisation finds itself the target of a cyber attack. With malware becoming more sophisticated and stealthy in how it works, it is up to organisations to have the proper mechanisms and solutions in place to combat the threats posed. Investing in next-generation protection, based on machine learning, artificial intelligence and threat behaviour recognition, gives organisations the best chance of responding to breaches quickly and effectively and of limiting the propagation of malware. Knowing what has happened is essential too, so a solution should include forensic capabilities and, of course, the tools to mitigate and remediate.