
More Thoughts on “After the Breach”

October 29, 2009

A couple of days ago, the folks at McAfee put up a very good blog post really delving into the specifics of what to do when you find a data breach. To be clear, there are few days for a security professional that are more important than QUICKLY identifying the root cause of the breach, fixing what can be fixed, and taking down what can’t. Remember, it’s about containing the damage and living to fight another day.

But let’s level set up front. Breaches happen TO EVERYONE. If you have been doing security for any length of time, your networks/systems will be compromised. That’s the nature of the beast. That’s why in my book on building a security program, “The Pragmatic CSO” I advocated a process to define incident response and stressed the importance of documenting and practicing that process.

Interestingly enough, the McAfee post highlights some things about investigation and recovery that are not as commonly known as they should be. First, that the attackers are usually long gone before you discover the issue. That does happen sometimes, but for those that implement a philosophy of “react faster,” and monitor their key systems (which you need to do for PCI compliance anyway), the hope is that you do catch the bad guys “in the act.”

Secondly, you CAN’T TRUST logs. That’s right, log management is something that eIQ does and I’m still here saying you can’t trust the logs entirely. Why? Because a savvy attacker is going to shut down logging. Or they are going to tamper with system logs. Only by externalizing the log files and supplementing with additional data types can the logs truly become useful. That’s right – log data is not enough.

To be clear, when you are investigating a breach and trying to contain the damage – more data is better than less data. I’m not saying at all that logs aren’t important. I’m saying that you need as much corroborating evidence as you can gather. Anything to validate the attack vectors and more accurately piece together what happened.
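A defender-side sketch of what externalizing logs buys you, as an added example that is not from the post or from eIQ: once a collector holds its own copy of every host's stream, you can flag a host that went quiet (logging shut down) and list entries that exist on the collector but have vanished from the box's local file (tampering). The event format, hostnames and messages are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: what a central collector has received from two hosts.
# Format (assumed): (ISO-8601 timestamp, hostname, message).
COLLECTOR_EVENTS = [
    ("2009-10-28T01:00:00", "web01", "sshd: accepted publickey for deploy"),
    ("2009-10-28T01:00:00", "db01", "postgres: checkpoint complete"),
    ("2009-10-28T01:05:00", "web01", "nginx: GET /index.html 200"),
    ("2009-10-28T01:05:00", "db01", "sshd: accepted password for root from 192.0.2.7"),
    ("2009-10-28T01:10:00", "web01", "nginx: GET /login 200"),
    ("2009-10-28T01:10:00", "db01", "auditd: audit daemon stopped"),  # db01 goes dark here
    ("2009-10-28T01:15:00", "web01", "nginx: GET /index.html 200"),
    ("2009-10-28T01:20:00", "web01", "nginx: GET /index.html 200"),
    ("2009-10-28T01:25:00", "web01", "nginx: GET /index.html 200"),
]

# Constructed sample: what is left in db01's own local log after the fact.
DB01_LOCAL_LOG = [
    ("2009-10-28T01:00:00", "db01", "postgres: checkpoint complete"),
]


def silent_hosts(events, now_iso, max_silence_minutes):
    """Hosts whose forwarded stream has been quiet longer than the threshold.

    A box whose logging was shut down cannot report that itself; the gap is
    only visible in the external copy.  Returns {host: last_seen_iso}.
    """
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(minutes=max_silence_minutes)
    last_seen = {}
    for ts, host, _msg in events:
        t = datetime.fromisoformat(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    return {h: t.isoformat() for h, t in last_seen.items() if now - t > limit}


def missing_locally(events, host, local_events):
    """Entries the collector holds for `host` that are gone from its local log.

    Lines present externally but absent on the box are the corroborating
    evidence the post calls for: they show both that the log was edited and
    which activity someone wanted hidden.
    """
    local = set(local_events)
    return [e for e in events if e[1] == host and e not in local]
```

Run against the constructed data at 01:30 with a 10-minute threshold, db01 is reported silent since 01:10, and its two deleted entries are recovered from the collector's copy.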

The McAfee post goes on to highlight the steps of an incident response plan (identify the breach, contain the damage, make sure it doesn’t happen again) and those recommendations are good. I’d also highlight the need to do an incident post-mortem, document the findings and make sure the situation is discussed at all levels of the organization. Breaches happen, there is no shame in that. But not learning from each successful attack and improving your organization’s ability to defend itself is the real sin.
