With the ever-present threat of data breaches, organizations need to adopt best practices to help prevent breaches and to respond to them when they occur to limit any damage. And breaches will occur – because bad guys make a living by figuring out ways to circumvent security best practices.
Here are some data breach prevention and response practices that have stood the test of time, followed by a reference list of some vendor resources that can help you improve your own cybersecurity and incident response capabilities.
1. Prioritize Data Protection
The downfall of many security strategies is that they become too general and too thinly spread. Prioritizing your business’s most important assets can make your security strategy more effective, helping prevent breaches of your critical systems.
This doesn’t automatically mean that you don’t safeguard some systems. But it does help you determine which datasets, storage systems, and applications are most important and most vulnerable. For example, a manufacturing company will likely have:
- Bills of material for tracking all product parts
- Software that oversees the transportation of goods (i.e., tracking truck travel and driver logs)
- Customer relationship management (CRM) software for managing relationships with all customers, sometimes including individuals’ personally identifiable information
Is all of this data important? Yes. But it requires different levels of security. The organization might choose to first prioritize protecting the data in its CRM because of its sensitive nature. Next it might prioritize the BOM documents, because while they don’t endanger anyone’s PII, they could be stolen by a competitor and result in financial loss. Finally, the transportation management data is still important to protect, but perhaps not as financially or legally critical as the others.
An important data protection concept for all organizations is zero trust: by limiting access and privileged accounts and walling off your most critical assets with tools like microsegmentation, a network incursion doesn’t have to become a headline-making data breach. Cyber attacks happen to almost all organizations; limiting their damage is critically important.
2. Document Your Response Process
Even if you have the best possible breach prevention strategy, a data breach may still occur. When that happens, your security team will have to pivot to incident response. Best practices in incident response demand that you create a documented process and follow it. Stress levels rise during attacks, and you’re likely to be pulled in many directions, leading to omitting some key actions. Organizations like SANS offer free incident response checklists for businesses to begin tracking their incident procedures.
Make sure you document:
- Which steps happen in a specific order. For example, a security admin might send a message to all team members and then perform a system scan.
- Which individuals are responsible for which steps. In this example, the security admin is responsible for alerting his team.
- What your team did well and did wrong after the incident has been resolved. This can also help your organization develop a more detailed incident response plan for the future.
3. Make Users Part of the Process
An often forgotten aspect of breach prevention is keeping end users informed. Your company stakeholders — especially the employees — should know the strategies your security team is using to prevent data breaches, and they should know simple ways they can help, like password protection and not clicking on malicious links or files or falling for phishing attacks.
Additionally, if a breach does affect customer data, they should be informed immediately. Not only does that build trust between you and your customers, but it may also be a legal expectation. Some data protection regulations, including HIPAA and CCPA, require organizations to inform customers when their personal information has been compromised.
4. Understand Business Context
You may be required to take systems and applications offline for analysis during an investigation. When investigating a system for potential compromise, it’s critical to know where confidential data is stored or passing through the system and to consider the business impact; this will also help you understand the data and applications you need to protect.
Another good practice is to determine a recovery point objective (RPO) and a recovery time objective (RTO):
- A recovery point objective is the amount of data that can be lost before standard financial or operational processes are significantly damaged.
- A recovery time objective is the length of time an application can be down before standard operational processes are significantly damaged.
“Significant damage” is a broad term, and your individual business will have to define it. Of course, any damage isn’t ideal, but at what point would the business be in trouble? This varies between organizations. RTO and RPO will also differ between applications and storage systems, so you may have many objectives. A CRM at a large financial services company might have an RTO of 15 minutes, while a storage archive for cold data may have an RTO of 12-24 hours.
5. Be Thorough
It is all too easy in an attack to find the apparent source of malware, eradicate it and leave it at that. But you may miss further traces of it on other systems. Some sophisticated viruses and hackers move laterally once they enter networks and compromise multiple systems in an extended attack. Use threat intelligence tools and behavioral analytics to examine all your business systems for anomalous behavior and indicators of compromise (IoCs).
Forensics tools are also helpful. They perform advanced searches for data and use hashes to preserve evidence of potential breaches. When your systems have been breached by malware or another threat, using sophisticated security tools to find any lingering code or files is important. Collecting this data might prevent a later breach in other systems. Unfortunately, malware is now too advanced and moves too quickly for security teams to assume that they’ve deleted it in one fell swoop.
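The "use hashes to preserve evidence" point above in working form, as an added example that is not from the original article or any particular forensics product: collected files are hashed into a manifest at collection time, and the manifest is re-checked later so any post-collection change is detected. The artifact contents, the collector name and the directory layout are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample artifacts standing in for files collected from a suspect host.
SAMPLE_ARTIFACTS = {
    "auth.log": b"Jan 10 03:12:44 host sshd[912]: Accepted password for svc from 10.0.0.7\n",
    "notes.txt": b"collected from host-17 during triage\n",
}

def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    """Record path, size and SHA-256 of every collected file, plus who and when."""
    entries = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({"path": os.path.relpath(path, evidence_dir),
                            "size": os.path.getsize(path),
                            "sha256": sha256_file(path)})
    return {"collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "entries": entries}

def verify_manifest(evidence_dir, manifest):
    """Return the paths whose current hash no longer matches the recorded one."""
    changed = []
    for e in manifest["entries"]:
        path = os.path.join(evidence_dir, e["path"])
        if not os.path.exists(path) or sha256_file(path) != e["sha256"]:
            changed.append(e["path"])
    return changed

def demo():
    """Collect, hash, then alter one file: returns (mismatches before, mismatches after)."""
    d = tempfile.mkdtemp()
    for name, data in SAMPLE_ARTIFACTS.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(d, collector="analyst-1")
    before = verify_manifest(d, manifest)
    with open(os.path.join(d, "auth.log"), "ab") as f:
        f.write(b"edited after collection\n")
    return before, verify_manifest(d, manifest)
```

In practice the manifest is stored separately from the evidence (and ideally signed), so that the record of what was collected cannot be altered along with the files.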
6. Proactively Collect and Organize Data
Because enterprise data volumes are so significant, there’s no convenient time to have unorganized data. Eventually, you will have to go hunting for it, at an inconvenient time, and data may get lost if it’s not properly tagged or otherwise categorized.
Additionally, your storage and security teams should collect data throughout the course of your business year. Store log files from security feeds, and collect behavioral data from any UEBA solutions over time.
To organize your data, choose a solution for unstructured volumes that also supports proper metadata or tagging procedures. Data lakes must be maintained so they don’t become data swamps, a term for a large-scale storage system that is so unorganized it’s difficult to locate data. Unorganized storage systems may also lead to slower queries, where the computer is so busy searching for the data that it takes more time to retrieve. This will be untenable for some high-performance security applications. It’s important to keep data clean and organized in storage, and especially important for the security tools on the front lines.
7. Don’t Forget Network Traffic Analysis
Packet analysis certainly provides the greatest visibility into network traffic. However, the number of packet capture probes required to cover all potential targets and locations can make it cumbersome and costly. Enter flow technologies such as NetFlow, which deliver performance metrics while providing over 90 percent of the visibility available from packet analysis. NetFlow collection systems manage packet data so security teams can study it as needed, determining where a breach is most likely to happen.
Network traffic analysis provides a useful baseline for security teams as they observe both immediate anomalies and long-term trends. While expensive, it presents a broad view of network operations and helps teams identify potential threats over a period of time. Your individual business will have to decide how to implement NTA in a cost-effective way.
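The baseline-then-anomaly idea in the two paragraphs above, as an added example that is not part of the original article and is not tied to any NetFlow product: a per-host/per-port profile is built from historical flow records, and a newer window is checked for unseen destinations, unseen services, and volumes far above the norm. All flow records are constructed, and the `z` and `min_abs` thresholds are illustrative choices.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-like records as (src, dst, dport, bytes). The first list stands
# for the baseline period, the second for the window under review.
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 443, 4200), ("10.0.1.20", "10.0.2.5", 443, 3900),
    ("10.0.1.20", "10.0.2.5", 443, 4500), ("10.0.1.20", "10.0.2.9", 53, 120),
    ("10.0.1.20", "10.0.2.9", 53, 130), ("10.0.1.21", "10.0.2.5", 443, 8000),
    ("10.0.1.21", "10.0.2.5", 443, 7600), ("10.0.1.21", "10.0.2.9", 53, 110),
]
REVIEW_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 443, 4100),       # within the usual range
    ("10.0.1.20", "203.0.113.7", 443, 950000),  # large transfer to an unseen host
    ("10.0.1.21", "10.0.2.9", 53, 115),         # slightly above mean, below min_abs
    ("10.0.1.21", "10.0.2.40", 445, 2000),      # this host never used port 445 before
]

def build_baseline(flows):
    """Per (src, dport): mean and stdev of flow bytes, and the destinations seen."""
    sizes, dests = defaultdict(list), defaultdict(set)
    for src, dst, dport, nbytes in flows:
        sizes[(src, dport)].append(nbytes)
        dests[(src, dport)].add(dst)
    return {k: {"mean": mean(v), "stdev": pstdev(v), "dests": dests[k]}
            for k, v in sizes.items()}

def find_anomalies(profile, flows, z=3.0, min_abs=10000):
    """Flag flows that are new for the host/port, go to an unseen destination,
    or are far above the host/port's historical size. min_abs stops tiny
    absolute deviations (e.g. DNS) from alerting when the stdev is near zero."""
    findings = []
    for src, dst, dport, nbytes in flows:
        stats = profile.get((src, dport))
        if stats is None:
            findings.append((src, dst, dport, "new host/port pair"))
            continue
        if dst not in stats["dests"]:
            findings.append((src, dst, dport, "new destination"))
        threshold = stats["mean"] + z * max(stats["stdev"], 1.0)
        if nbytes > threshold and nbytes - stats["mean"] > min_abs:
            findings.append((src, dst, dport, "volume above baseline"))
    return findings

def review():
    """Build the baseline from the historical flows and review the new window."""
    return find_anomalies(build_baseline(BASELINE_FLOWS), REVIEW_FLOWS)
```

A real deployment would build the profile from weeks of collector exports rather than eight records, and would key on more fields (protocol, direction, time of day) before the findings are worth an analyst's time.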
8. Train and Drill
Prevention of initial breaches isn’t always successful, which makes training for incidents critical. Nobody finds out that they are good at incident response or management during an ongoing incident. Incident responders and managers alike need training before the event. After training, they should conduct periodic drills in their own environments.
An incident response training session should include:
- Multiple examples of what incidents look like
- Interactive conversations about appropriate ways to respond
- Sharing results from any penetration tests that have been conducted
An incident response drill should include:
- Practicing mitigation steps in order
- Debriefing afterwards to discuss what went well and what went wrong
9. Enlist Outside Help
Do you have the internal resources to deal with attacks on mobile platforms, embedded systems, or Internet of Things devices? If not, it may be time to augment your internal skillset with some outside help.
Third-party security solutions support organizations with few or inexperienced personnel. Or enterprises may simply outsource one component of their cyber infrastructure because they’re focused on too many things at once. A security infrastructure that’s spread too thin is more susceptible to a breach.
Examples of managed security services include:
10. Go on the Offensive
It’s no longer enough for enterprises to react to cyberattacks. Criminals are both experienced and proactive, and security teams must be the same to more successfully prevent breaches. Taking an offensive approach to security includes:
- Researching known vulnerabilities
- Running team drills
- Updating team members when a new threat is on the business’s landscape
- Hunting for anomalies or strange user behavior
Experienced threat hunters might also consider exploring the Dark Web for an inside glimpse of existing threats. The more aware your team is of popular attack methods and strains of ransomware, the more you can prepare.
Bottom Line: Effective Data Breach Prevention
Effective data breach prevention and response are possible – but only if you have the tools and plan in place to stop or minimize cyber attacks. Know your business, your most important data, the kinds of attacks you might face, and practice the steps you need to limit any network incursions that might turn into big data breaches. A few key defenses and preparation could save your organization from big data breach disasters.
This updates a March 2015 article by Drew Robb