Posted by David Levine on mds.ricoh.com (Guest Blogger)

There. I’ve said it. Given all the headlines, is it really surprising? Facebook, Google, LinkedIn, Twitter, Adobe, Target, Sony, even security companies RSA and Symantec, the list goes on and on. They have all acknowledged their networks have been breached and personally identifiable information compromised.

In my role as VP, Information Security & CISO, Ricoh Americas Corporation, I participate in a number of security conferences and organizations such as Forrester’s Security & Risk Council and InfraGard. At one of these events recently I was struck by a comment made by a federal law enforcement official accurately describing the security “State of the Union” today: “There are two types of companies today. Those who have been breached and know it. And those who just don’t know it yet.”

If you accept this as the new reality, then the questions you need to be asking are:

  • What is it you are trying to measure? What are the real threats?
  • How do you optimize your incident response? Specifically, how do you decrease the dwell time between detection and mitigation?


The sheer volume of attacks and alerts on enterprises today is sobering, and there is a lot of “noise” in the system. Unfortunately, our ability to discover cyber-attacks in a timely fashion, let alone respond to them effectively, is not improving. And given the speed with which threat actors can exfiltrate data, this is a worrying trend.[1]

[Figure: Percent of breaches where time to compromise (red) / time to discovery (blue) was days or less]

In order to identify the highest risk attacks you need to prioritize your alerts. This is particularly important when you implement a new technology or start collecting new security logs. In these cases your infrastructure/network will “light up like a Christmas tree” with new information. You need to know what to do with these alerts.

Some of this takes experience. You need to tune your system and establish baselines and metrics that allow you to measure and track what normal behavior is. Only then can you flag abnormal behavior.
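The baseline-then-flag approach described above, as an added example that is not part of the original post: each host and event type gets a baseline from its own recent history, the current hour is scored against that baseline, anything inside normal noise is suppressed, and the surviving alerts are ranked so the highest-risk ones are worked first. The history, current counts and asset weights are constructed for the example; the 1.4826 factor converts a median absolute deviation (MAD) into a standard-deviation-like scale, and the floor of 1.0 is an assumption so that a host with an all-zero history still produces a finite score.

```python
"""Baseline normal per-host event rates, then score and rank the current window."""
import statistics

# Constructed seven-day history of hourly counts per (host, event type).
# In practice these come from the SIEM or log collector, not a literal dict.
HISTORY = {
    ("web-01", "auth_fail"): [3, 4, 2, 5, 3, 4, 3],
    ("web-01", "outbound_mb"): [120, 130, 110, 125, 118, 122, 127],
    ("db-01", "auth_fail"): [0, 1, 0, 0, 1, 0, 0],
    ("db-01", "outbound_mb"): [5, 6, 5, 4, 6, 5, 5],
}

# Constructed observations for the current hour.
CURRENT = {
    ("web-01", "auth_fail"): 6,     # slightly high, but inside normal noise
    ("web-01", "outbound_mb"): 131, # normal
    ("db-01", "auth_fail"): 12,     # far above a near-zero baseline
    ("db-01", "outbound_mb"): 900,  # large outbound spike on a database host
}

# Hypothetical asset criticality weights; the database matters more than a web tier host.
ASSET_WEIGHT = {"db-01": 3.0, "web-01": 1.0}


def baseline(values):
    """Return (median, scale) for a history of counts.

    The scale is 1.4826 * MAD, a robust stand-in for the standard deviation
    that a few past spikes cannot inflate. It is floored at 1.0 (assumption)
    so an all-zero history (MAD == 0) still yields a finite score.
    """
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, max(1.4826 * mad, 1.0)


def robust_z(value, values):
    """How many robust deviations the current value sits above its baseline."""
    med, scale = baseline(values)
    return (value - med) / scale


def triage(history, current, asset_weight, threshold=3.0):
    """Score every (host, event) pair, drop the noise, rank the rest by priority."""
    alerts = []
    for (host, event), value in current.items():
        past = history[(host, event)]
        z = robust_z(value, past)
        if z < threshold:
            continue  # within baseline noise: suppressed, never reaches an analyst
        alerts.append({
            "host": host,
            "event": event,
            "value": value,
            "baseline": baseline(past)[0],
            "z": round(z, 2),
            # Priority combines how abnormal the value is with how much the asset matters.
            "priority": round(z * asset_weight.get(host, 1.0), 2),
        })
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in triage(HISTORY, CURRENT, ASSET_WEIGHT):
        print(f'{a["priority"]:>8}  {a["host"]:<7} {a["event"]:<12} '
              f'now={a["value"]} baseline={a["baseline"]} z={a["z"]}')
```

Run as-is, the two web-01 counts are suppressed and the two db-01 counts are reported, with the outbound spike ranked above the authentication failures. The threshold and weights are the tuning knobs the post refers to: a new log source will start out with everything flagged until its history is long enough for the baseline to settle.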

The reality today is that some things are near impossible to detect even with state-of-the-art tools and alerting. Therefore, regardless of the time it takes to detect a breach or issue, you need to get your incident response team and procedures in place so that you can deal with an event quickly and effectively.

I believe achieving rapid and effective incident response is based on identifying the right people across – and outside – the organization before a major event.

When a new type of breach or malware penetrates your system it may touch departments you have not dealt with before, or multiple departments. Who do you call? What are the best escalation paths within the organization so you can communicate quickly, effectively and make decisions?

You need to know NOW who you call in Operations, Marketing, and Sales on up to the C-suite. These people may be in regional offices or datacenters halfway around the globe, and increasingly you need to coordinate attack analysis and incident response with your supply chain and partners. Many of the most damaging attacks in the last few years have occurred via connections to business partners’ systems.

The good news is, there are tools and services available that can help you gain faster, more comprehensive visibility into your network traffic and infrastructure. Equally important, there are steps you can take now to improve your incident response. Better define and focus on the metrics that matter to your organization. And before you discover the next breach, establish clear lines of communication and escalation. Partnering with a managed security services (MSS) company, as we do with Dell SecureWorks, can also be an extremely effective way to handle and tune alerts and to help establish, test and/or be part of your incident response plan.

Quick identification, reaction to and mitigation of a breach is the name of the game in today’s environment.

[1] Verizon 2014 Data Breach Investigations Report, page 12.