If someone with the proper motive and means (time, money, and resources) wants what you have badly enough, they are going to get it. Many companies fail to prepare for a breach until it's too late. Unfortunately, there is not a true, tested method for preventing and/or stopping a breach. How does one survive the inevitable?
The three survival points I touch on briefly below (by no means a comprehensive list) will help:
First, you had better know your data: how it flows in and out of your organization, where it is stored when not in use, and who has potential access to it. Remember that the types of data you hold are driven by the business you are in, and understanding the sensitivity of that data is critical. Given the nature of technology and how widely data spreads across your network, trying to protect all of it at the same security level is futile. You must be able to identify and separate the nonsensitive data from the sensitive.
Second, manage access to critical data on a "need-to-know-only" basis. Monitor and log every person and/or system that touches (or attempts to touch) sensitive data. Implementing a security information and event monitoring program within your organization is a must. Log, log, log--log as much data as your budget allows. If you cannot afford this step, then you will have a difficult time explaining a breach to the data's owner. If you cannot substantiate how the breach happened with logs, how are you going to defend against a compromise? You can't!
This is the operationally expensive part of surviving a breach; a necessary cost of doing business in today's globally interconnected business world.
Third, know who the bad guys are, what they're looking for, where they're coming from, and how they're getting to your data. This information is not easily obtained, but it is becoming more readily available if you know where to look. You need to act like a company that has already been breached and proactively work with law enforcement, commercial incident response teams, security researchers, industry-specific information sharing and analysis centers, listservs, etc. If you are not working with these entities, don't be surprised when bad things happen to your data! Knowing who wants your data and how they are most likely to get it is necessary if you want a fighting chance of surviving a breach.
Now, let's take a step back for a minute for a little philosophical discussion. Not all breaches require a disclosure; the key is knowing whether the breach has resulted in a compromise. Is a virus a breach? How about a phishing attack? Do you know whether the targeted individuals actually clicked on a link or opened the e-mail attachment(s)? Certainly these are breaches, but if they do not result in unauthorized access to sensitive data, who really cares, other than you? Conversely, if you can't tell -- or don't know -- whether any unauthorized access took place, even a seemingly simple virus could have resulted in a compromise, and you are none the wiser.
The way to survive a breach is to have a comprehensive program that actively incorporates the three points outlined above. If you do not know what your sensitive data is or where it lives, you:
- are going to have an extremely difficult time protecting it; the larger the organization, the exponentially harder this becomes.
- won't be able to effectively monitor and log activity; without detailed logs, how are you going to answer the question of whether data was compromised?
- won't have early warning indicators of a breach or the ability to stop attackers in its early stages, which is precisely what limits the effect of a potential compromise.
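The breach-versus-compromise question above is answerable only if the first two points are in place: a classification that separates sensitive stores from nonsensitive ones, a need-to-know list, and an access log of who touched what. The following is an added example (not from the original article) that assesses a constructed access log against an assumed classification and need-to-know list and reports whether a breach (say, a phished account) actually became a compromise.

```python
import re

# Constructed sample access-log lines (not from the original article).
SAMPLE_LOG = """\
2024-03-01T09:12:04Z user=alice store=hr_payroll action=read status=ok
2024-03-01T09:13:10Z user=bob store=marketing_assets action=read status=ok
2024-03-01T09:15:42Z user=bob store=hr_payroll action=read status=denied
2024-03-01T09:16:03Z user=carol store=customer_pii action=export status=ok
2024-03-01T09:20:55Z user=alice store=marketing_assets action=read status=ok
"""

# Assumed data classification: point one, separate sensitive from nonsensitive.
CLASSIFICATION = {
    "hr_payroll": "sensitive",
    "customer_pii": "sensitive",
    "marketing_assets": "nonsensitive",
}

# Assumed need-to-know list: point two, who may touch each sensitive store.
NEED_TO_KNOW = {
    "hr_payroll": {"alice"},
    "customer_pii": {"dave"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) store=(?P<store>\S+) "
    r"action=(?P<action>\S+) status=(?P<status>\S+)$"
)

def parse_log(text):
    """Parse the key=value access log into a list of event dicts."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def assess(events, compromised_users):
    """Return (compromise, findings). compromise is True only when sensitive
    data was actually touched by someone outside need-to-know or by an
    account already known to be breached (e.g. it clicked a phishing link)."""
    findings = []
    for e in events:
        if CLASSIFICATION.get(e["store"]) != "sensitive":
            continue  # nonsensitive data: a touch here is not a compromise
        allowed = e["user"] in NEED_TO_KNOW.get(e["store"], set())
        if e["status"] == "denied":
            findings.append(("attempt_blocked", e["user"], e["store"]))
        elif not allowed or e["user"] in compromised_users:
            findings.append(("compromise", e["user"], e["store"]))
    return any(f[0] == "compromise" for f in findings), findings
```

With only bob's account phished, the log shows his attempt on hr_payroll was denied, so the breach did not become a compromise; carol's export of customer_pii outside need-to-know is what turns this log into one.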
You need to know the threats specific to your industry, your company, and ultimately, your data, so your organization can begin to close and/or secure known attack vectors, filter known addresses, and make the bad guy's job just a little more difficult than the next company.
Intrusions are inevitable, especially if you have "data of interest." It is up to you to make sure that the breach does not result in a complete compromise, and you cannot do that without knowing your data inside and out. Please know that a breach does not have to be synonymous with a compromise, and you alone determine the end result; therein lies the ability to survive a breach. Surviving a compromise is a whole different story!