Imagine you receive a call from your neighbor: a door to your house appears to have been kicked in. You arrive home to find that certain items are out of place. Nothing is in complete disarray, but someone unauthorized has broken in and you are unsure what damage has been done. What or who were they after, what did they do, and when did this occur?
Perhaps your home has a security camera that records footage. Knowing what security controls exist, what information they capture, and how long that data is retained can be crucial. If you were on vacation and the cameras overwrite their recordings after 24 hours, you would need to save or preserve that footage before it is lost.
This is the same issue many businesses face after a cybersecurity incident.
A business that identifies indicators of compromise faces the same lingering questions, followed by a flurry of time-sensitive activity needed to ensure the appropriate incident response actions are taken. The answers to those questions depend almost entirely on how much historical information exists. An incident responder needs to quickly identify the systems that may contain relevant information and preserve it before it is lost forever.
Without an understanding of your business, you may not have the information needed to respond to an incident properly. It is crucial to know what security controls exist, what type of evidence each one generates, and how long that evidence is available. Your ability to identify incidents and review activity depends on having the applicable data. You will typically need to know what happened both to understand the incident and to protect your business from being attacked the same way again. A lack of that knowledge also makes it hard to recover what was lost.
To have the best chance of protecting your data and responding during an incident, you need to proactively make sure the necessary data is being captured and, ideally, monitored. Systems that typically contain crucial information include network devices such as firewalls and core switches, authentication servers and domain controllers, security tools, and the key systems that hold business-sensitive data.
Examples of sensitive systems/data: ACH transactions in a bank, code base for a tech company, or intellectual property for a manufacturing plant.
Knowing how to access this information is key when addressing security threats. Without a full understanding of your company's key systems and infrastructure, you will have a hard time responding to incidents efficiently, and you may even make things worse when an incident occurs.
Here are a few things to ask yourself to make sure you understand your visibility if an incident were to occur:
- Who has access to our critical systems and data?
- Where are the audit logs for the above systems stored and for how long?
- What security layers protect these systems, and are they being monitored appropriately?
Your staff should be able to answer these questions regarding your critical systems and data. The answers will help determine your risk level, and therefore determine many of your security protocol needs. If they can’t answer these questions, it’s time to reevaluate your incident response plan.
The best thing a business can do to prepare for an incident is identify the key systems and infrastructure within its enterprise. So, what does that look like? There are 3 major components every business should take into consideration:
1. Auditing Information - Ensure the correct types of information are being logged. This needs to be done in two ways.
- Log data from the correct devices. A lack of logging from crucial systems will leave gaps in visibility that can be detrimental during incident response efforts as well as active security monitoring.
- Ensure you have logging enabled for the necessary events. For example, make sure you are logging both successful and failed events, as well as activity such as configuration changes. Logs from a firewall aren't much help if you are only auditing denied traffic: the connection an attacker's malware successfully made to the outside world was allowed, so it never appears in a deny-only log.
2. Monitor Data - Look out for intrusions or security events. It is necessary to take a proactive approach, actively perform threat hunting exercises and security monitoring, and be aware of the alerts that may fire when a security breach occurs. You may also choose to hire an outside firm, like Pratum, to monitor your systems in real time with SIEM services.
3. Retention Settings – Make sure your data is being stored for an adequate amount of time. If an incident happens but the retention settings don't go back far enough, you won't have access to the data you need. The appropriate length of retention depends on your company's level of security risk: the higher the risk, the longer you should be storing data.
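To make the first and third points concrete, here is an added example, written for this article and not Pratum's code or any product's output. It uses a constructed, hypothetical firewall log format (the timestamps, addresses and the `action=/src=/dst=/dport=` fields are all made up for the demonstration). It shows that a compromised workstation beaconing to an outside address at a fixed interval is visible only when allowed traffic is logged, and that a retention window shorter than the time to discovery discards the first contact before anyone looks for it:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical format, not from any real product):
#   <ISO timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port>
# 10.0.5.23 is the assumed compromised host: it probes the gateway (denied)
# and then beacons to 203.0.113.7:443 every ten minutes (allowed).
FIREWALL_LOG = """\
2024-03-01T02:00:00 action=allow src=10.0.5.23 dst=203.0.113.7 dport=443
2024-03-01T02:01:10 action=allow src=10.0.5.40 dst=198.51.100.20 dport=443
2024-03-01T02:03:00 action=deny src=10.0.5.23 dst=10.0.5.1 dport=22
2024-03-01T02:03:01 action=deny src=10.0.5.23 dst=10.0.5.1 dport=3389
2024-03-01T02:10:00 action=allow src=10.0.5.23 dst=203.0.113.7 dport=443
2024-03-01T02:14:30 action=allow src=10.0.5.40 dst=198.51.100.20 dport=443
2024-03-01T02:20:00 action=allow src=10.0.5.23 dst=203.0.113.7 dport=443
2024-03-01T02:30:00 action=allow src=10.0.5.23 dst=203.0.113.7 dport=443
2024-03-01T02:40:00 action=allow src=10.0.5.23 dst=203.0.113.7 dport=443
2024-03-01T02:47:12 action=allow src=10.0.5.40 dst=198.51.100.20 dport=80
2024-03-01T02:50:00 action=allow src=10.0.5.23 dst=203.0.113.7 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_beacons(events, min_hits=5, max_jitter=timedelta(seconds=60)):
    """Return (src, dst, dport) flows that connect repeatedly at a near-constant interval.

    Only 'allow' events can exhibit this pattern: a connection the firewall
    permitted never appears in a deny-only log, so the beacon is invisible there.
    """
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[(ev["src"], ev["dst"], ev["dport"])].append(ev["ts"])
    beacons = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            beacons.append(flow)
    return beacons


def earliest_activity(events, src):
    """First timestamp at which a given source address appears, or None."""
    stamps = [ev["ts"] for ev in events if ev["src"] == src]
    return min(stamps) if stamps else None


def evidence_retained(first_seen, discovered_at, retention_days):
    """True if a log keeping retention_days of history still holds first_seen
    at the moment the incident is discovered."""
    return discovered_at - first_seen <= timedelta(days=retention_days)


if __name__ == "__main__":
    events = parse_log(FIREWALL_LOG)
    print("beacons, allow+deny logged :", find_beacons(events))
    print("beacons, deny-only logged  :",
          find_beacons([e for e in events if e["action"] == "deny"]))
    first = earliest_activity(events, "10.0.5.23")
    discovered = first + timedelta(days=10)   # assumed: noticed ten days later
    print("7-day retention keeps first contact :", evidence_retained(first, discovered, 7))
    print("30-day retention keeps first contact:", evidence_retained(first, discovered, 30))
```

Run as-is, the full log yields the single beacon flow while the deny-only view yields nothing (it still shows the two denied probes, which is all a deny-only log ever offers), and the same first-contact timestamp is already gone under 7-day retention but still available under 30-day retention. The interval check is deliberately simple; real beacon detection adds jitter tolerance and volume thresholds, but the visibility point does not change.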
How is your monitoring posture? If you need to go back and review data, or the events surrounding an incident, will you have that information readily available? If your system is designed to only hold data for a short amount of time, you may not be able to get the information you need if a security threat is found.
Going back to the burglary analogy: if you have security cameras that store footage for 24 hours, you will need to act immediately to preserve that evidence before it is overwritten. The risk of this data not being available increases significantly if you are frequently away. Businesses that take the time to evaluate the effectiveness of their security controls, appropriately measure their risk, and perform incident response preparedness exercises will be better equipped to respond quickly and efficiently during an incident.
How often you monitor your data should match the risk level. When a company has valuable information, like belongings in the home, it needs to be protected and monitored. The level of security should equal the value of the assets. If your data is highly important or sensitive, the level of risk is higher. That information needs more layers of protection.
Evaluating what went wrong during a security incident can be much more difficult if you don’t have all the necessary information. Without any evidence, timeline, or a suspect, it’s hard to solve a theft case. It’s equally hard to solve a cyber-attack.
That’s why it’s so important to prepare ahead of time by understanding your business. Knowing what security measures are in place, how often they’re monitored, and who’s in charge if something goes wrong can all make a world of difference when it comes to responding to and recovering from an attack.
If you need help evaluating your security posture and coming up with an incident response plan, Pratum offers services to fit your needs and budget.