Monday, September 22, 2014

Breaching Bad and the Cost of Incident Response

Last month, we explored data breaches involving memory scraping - how payment card information can get into the hands of thieves by siphoning off unencrypted data directly from system memory of the POS system. Since then, several widely publicized breaches hit the news, and speculation is that they were all victims of this same type of memory scraping malware. Because of this, I’ve been issued a slew of new credit cards and have to go through the joy of having to check my credit reports weekly – and I know I’m not alone there. Thanks a lot!

But what if you, as the administrator, did the due diligence: changed your default credentials, implemented two-factor authentication, enabled account lockout settings, and you were still breached?  What happened?  The likely culprit is an Advanced Persistent Threat, or APT, that’s what.  APTs are stealthy, continuous hacking processes executed by a group or organization with a lot of patience.  They know what they’re targeting, they’ll take their time to do it right, and they’ll be nearly impossible to detect.  As the old saying goes, we as security professionals need to be right 100% of the time; the attacker only needs to be right once.

APTs demonstrate that the security landscape is changing quickly.  The approach of focusing efforts and security budgets strictly on a “defense first” strategy is no longer sustainable.  Determined attackers will keep coming and keep coming until they get what they’re looking for.  So what do you do?

Detection goes a long way in putting up that fortifiable barrier between you and the attack and empowering you with the security intelligence needed to take the next steps.  XYPRO tools like Merged Audit and Compliance PRO help you achieve that level of security on the HP NonStop server.  XYPRO’s Top 10 list on NonStop Security Monitoring takes a deeper dive into the techniques and best practices for accomplishing this.

At the BlackHat USA conference in August, nearly all the sessions were focused on offense and attacks.  From hacking a hotel’s network to hacking mobile phones to USB devices - offense was the name of the game.  So it was quite a pleasant change of pace to hear famed cryptographer and security expert Bruce Schneier take time to discuss something we aren’t always thinking about, likely because we’re hoping to never get there – Incident Response.

Incident response is something we all know we need to be prepared to do, but why is there so little effort put into it?  Take a look at the cyber security market.  We’re inundated with defense and detection products.  We spend billions of dollars per year to protect against attacks, but give little thought about what would happen if that expensive hardware with the flashy lights fails to do what we paid it to do.

Response products and budgets are not growing at anywhere near the same pace.  Schneier indicated this is because of the way people assume response works.  Defense and detection can be mostly accomplished with intelligent software and expensive hardware, whereas incident response is more people-centric and less automated.

A proper security program needs to consider both areas.  Defense and response need to work together to detect the breach, limit your exposure, protect you and your customers’ assets and protect your brand.  These seem like huge reasons to focus efforts on incident response, but we still see very slow and uncoordinated execution in response to a breach.

A report put out earlier this year by the Ponemon Institute outlined that half of the 674 IT and security professionals surveyed indicated that less than 10% of their security budget is dedicated to incident response and that budget has not increased in the past two years, even though the cost of data breaches keeps increasing.  The same report indicated that the average cost of a data breach to a company is $3.5 million (US) and that’s up 15% from last year.

In a world where cloud computing is becoming the norm, we have less control of our data and IT infrastructure than we ever have, which makes planning for incident response all the more necessary.  Attackers are becoming more sophisticated and organized, even being sponsored by nation-states.  Schneier indicated “We have to bring people, process and technology together in a way that hasn't been done before to protect and respond against these types of attacks.”

Incident response is no longer a bridge to “cross if you get there”, and pointing out data breach costs can help executives make the case that a strong security posture, one that includes a proper incident response plan, results in a financially stronger company.

Next month, we’ll take a deeper dive into how to prepare your incident response plan, not for “if it happens”, but unfortunately for “when it happens”.

Steve Tcherchian, CISSP
XYPRO Technology