Breaches may be unavoidable, but mishandled breaches are not. Here’s a look at where things went wrong in some recent high-profile attacks, and how things could have been different.
Any breach is a bad breach, but some breaches are worse. The difference? It’s often determined in the earliest moments of the attack. In these first key minutes (often counted in hours, days and weeks), the crucial actions (or inactions) of the SOC or IR team determine not only the actual extent of the damage, but the ultimate perception of the event itself.
Everyone agrees that time is a crucial factor in mitigating the damage from breaches. Yet over 25% of data breaches in 2016 were discovered only after more than a month had passed, and some 10% took over a year.
To foresee breach situations and speed up responses, companies create detailed Incident Response (IR) plans. Yet we all know that things almost never go according to plan, and breaches are no different. Thus, any good IR plan needs to be backed up with technology that enables a flexible response to the evolving attack landscape.
Without this flexibility, you might end up like:
- InterContinental Hotels – As far back as December 2016, fraud experts picked up alerts suggesting a massive credit card breach. In February of 2017, the company acknowledged a breach that involved just several dozen properties. In April 2017, the company finally confirmed that over 1,000 of its 5,000 properties had been compromised.
- GameStop – Online gaming retailer GameStop was breached sometime between August 2016 and February 2017. Yet the company only acknowledged the breach in April 2017, and customers were notified only this month.
- Brooks Brothers – Last month, the company reported that a 2016 breach at the clothing retailer affected over 200 branches, included exposure of customer credit cards, and took over a year to get under control.
- Neiman Marcus – This April, the retailer announced that a 2015 breach was just recently discovered to have been far more extensive than previously thought.
- Sports Direct – The UK's largest sports retailer detected an intrusion in September 2016, but didn’t identify a data breach until December. Employees reportedly weren’t notified until at least February of this year.
The Common Denominator
So, what’s the glaring common denominator between these companies’ responses to the attacks?
First, the assumption is that these companies were all acting in good faith. I’m not implying that anyone was trying to whitewash attacks that exposed customer PII.
Yet behind the scenes, the fact is that it took their forensic security teams months (and over a year in one case) to pinpoint the damage. This can only mean that they had analysts sorting through old alerts to trace the course and progress of the attack.
The implication, of course, is that there were alerts about the attacks. And here’s the crux: if security experts can trace an attack retroactively from those alerts, then with the right technology they could have caught it in near real time.
Technology to the Rescue
The ever-expanding toolbox of organizational security solutions generates more and more alerts. This is a fact that SOCs and IR teams face daily. Triaging these alerts and weeding out false positives are the likely roots of the long response times in the examples above.
Today there is technology that can lower the incredible burden on IR teams, and cut breach time-to-response from months to minutes. For example, Secdo’s technology provides security and IT teams with endpoint visibility and automatic investigation that shorten response time to minutes, allowing teams to understand exactly the root cause and damage of an attack and contain it in real time before it causes any further harm.
Want to learn more about how Secdo can eliminate your Bad Breach Days? Click here to schedule a free demo.