Last week, we kicked off our 2014 webinar series with our first topic, “Security Incident Response Priorities: How to Prepare Your Firm Before a Breach Occurs,” featuring our own VP of Technology, Steve Schoener, along with eSentire’s Chief Technology Officer, Eldon Sprickerhoff. Topics discussed included common threat actors and potential security scenarios to be aware of as well as the importance of planning a response to such attacks.
A Quick Brief
In 2012, IBM reported that companies were attacked an average of two million times per week, and unfortunately, the statistics aren’t declining anytime soon. It’s no longer “what if” a security breach or cyber-attack occurs, but when and how it will occur. With targeted attacks that are bypassing existing security infrastructures, the topic of security has become even more important to all firms.
The most common threat actor lately has been criminal organizations, most notably international ones. Criminal organizations are out for profit and are the most difficult to track down, especially in international cases. Nation states have had less impact, but they remain threats to be cautious of, along with insiders and hacktivists.
Each group has a different intent, and the attack it carries out differs accordingly. No network is completely safe. The probability that one or more attacks will occur within the year is very high. Knowing there is a high chance of such an attack, the only way to be ready is to have a plan in place.
There are three phases of Incident Response. The most important is the planning phase. Chances are your company will see some sort of attack this year; the question is “when?” Here is a quick breakdown of these key phases of Incident Response.
Phase 1: Planning
To be prepared for a security breach or cyber-attack, you must first have a plan. A response plan should be completed in advance of any type of incident. Put together a team of internal staff (e.g. IT, Human Resources, Operations, Client Service, BCP) and external members (e.g. public relations, vendors, law enforcement) who may need to be contacted if the attack cannot be contained. By formulating a plan in advance, roles and responsibilities are clearly defined, which minimizes the potential for fallout. Once the plan has been completed, it should be presented in writing and be easily accessible during any attack.
Phase 2: Response
Perhaps the most critical phase is the actual Response phase (but keep in mind, the tone of this phase is set by whether your firm has a plan in place). The overall goal of the response is to keep the firm’s top priorities in mind:
Ensure safety of staff
Fulfill key fiduciary responsibilities
Resume business operations
Ensure financial losses will not exceed tolerances
Maintain forensic chain of custody
eSentire divides this phase into four components:
Detect – Initial assessment that acknowledges threat and notifies response team
Prep – A chance to give instructions to the response team if there is advanced warning. Generally, there is no time to prepare for an attack.
Deploy – A two-part plan; senior management decides the protocol before this stage begins. Is it more important to capture the evidence or to get the system running again?
Collect & Protect
Recover & Remediate
Resolve – Execute the chosen plan, either collecting evidence or recovering (restoring). Root cause analysis is critical to learn from the attack and how to defend against it in the future. Review and update the plan and procedures.
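One of the response priorities above is maintaining forensic chain of custody, and the “Collect & Protect” component is where it starts. The following is an added example, not code from the webinar or from eSentire, of how a small hash-chained custody log can record each handling step and later prove that neither the evidence nor the log entries were altered. The evidence bytes, the evidence identifier and the actor names are constructed placeholders.

```python
"""Hash-chained chain-of-custody log for collected evidence (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Content hash of the evidence bytes; recomputed on every verification."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    evidence_id: str
    timestamp: str        # ISO-8601 UTC; caller-supplied so a demo log is reproducible
    actor: str            # who handled the evidence (hypothetical names in the demo)
    action: str           # e.g. "collected", "transferred", "verified"
    sha256: str           # hash of the evidence as this actor received it
    prev_entry: str       # entry_hash of the previous entry ("" for the first one)
    entry_hash: str = ""  # hash over the fields above; the next entry links to it

    @staticmethod
    def hash_fields(fields: dict) -> str:
        # Canonical JSON so the same fields always produce the same hash.
        payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    def __init__(self, evidence_id: str) -> None:
        self.evidence_id = evidence_id
        self.entries: list = []

    def record(self, actor: str, action: str, data: bytes,
               timestamp: Optional[str] = None) -> CustodyEntry:
        """Append one handling step, linked to the previous entry by hash."""
        when = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = CustodyEntry(self.evidence_id, when, actor, action, sha256_hex(data), prev)
        fields = asdict(entry)
        fields.pop("entry_hash")
        entry.entry_hash = CustodyEntry.hash_fields(fields)
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> tuple:
        """Check (1) each entry's own hash, (2) the link between entries and
        (3) that every recorded content hash matches the evidence as it is now."""
        if not self.entries:
            return False, "no custody entries recorded"
        current = sha256_hex(data)
        expected_prev = ""
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            fields.pop("entry_hash")
            if CustodyEntry.hash_fields(fields) != e.entry_hash:
                return False, f"entry {i} was altered after it was written"
            if e.prev_entry != expected_prev:
                return False, f"entry {i} does not link to the previous entry"
            if e.sha256 != current:
                return False, (f"evidence no longer matches the hash recorded at "
                               f"entry {i} ({e.action} by {e.actor})")
            expected_prev = e.entry_hash
        return True, f"{len(self.entries)} entries verified"


def build_demo_log():
    """Constructed sample: one captured log line handled by two hypothetical people."""
    evidence = b"2014-02-03T09:12:44Z auth failure user=svc_backup src=192.0.2.10\n"
    log = CustodyLog("EV-2014-0001")  # placeholder evidence identifier
    log.record("first responder (A. Analyst)", "collected", evidence, "2014-02-03T10:00:00Z")
    log.record("forensics lead (B. Examiner)", "transferred", evidence, "2014-02-03T12:30:00Z")
    log.record("forensics lead (B. Examiner)", "verified", evidence, "2014-02-04T08:15:00Z")
    return log, evidence


if __name__ == "__main__":
    log, evidence = build_demo_log()
    print(log.verify(evidence))                 # intact evidence and log
    print(log.verify(evidence + b"edited"))     # evidence changed after collection
    log.entries[1].actor = "someone else"
    print(log.verify(evidence))                 # log entry rewritten after the fact
```

Each entry carries the hash of the one before it, so a handler cannot quietly insert, drop or rewrite a step without the verification failing at that index; the recorded content hash ties every step to the exact bytes that were collected, which is the property a “capture the evidence” decision in the Deploy stage depends on.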
Phase 3: Resolution
This phase allows the team to understand what occurred and devise a strategy to avoid a similar occurrence in the future. It’s critical to learn what factors may have caused the breach and, as a result, mitigate the risk of future events.