In this post-Target era of "It's not a matter of if, but when," how prepared is your organization for a data breach? Michael Buratowski of General Dynamics Fidelis Cybersecurity Solutions offers tips for breach planning and response.
The good news is: Many organizations do have breach response plans in place today, Buratowski says. But have they tested these plans appropriately? That's a different matter entirely.
"It's one thing to have a plan written down," he says. "But where the real value comes in is having actually practiced and gone through those plans as a tabletop exercise ... so that everyone starts committing those plans to muscle memory."
In an interview about breach preparedness, Buratowski discusses:
- Today's average level of breach preparedness;
- Proactive breach planning steps;
- When and how to involve key third parties.
As Vice President of Cybersecurity Services, Buratowski is responsible for managing the Network Defense and Forensics business area at General Dynamics Fidelis Cybersecurity Solutions, including the Digital Forensics Lab. Prior to joining General Dynamics Fidelis, he was the Business Area Director for the Cyber Operations Solutions business and program manager for the US-CERT contract in the Cyber Division of General Dynamics Advanced Information Systems. He served in various operational roles at General Dynamics, including nearly 10 years on the Defense Computer Forensics Laboratory contract as an examiner in the Major Crimes & Safety section, a network intrusion examiner in the Intrusions & Information Assurance section, and the section chief of the Imaging & Extraction section.
TOM FIELD: What's the general level of breach preparedness that you see in organizations you come in contact with?
MICHAEL BURATOWSKI: I'd tell you there is a wide variety, but it's absolutely getting better. A lot of companies now have plans in place, and they're using technologies much more efficiently. But what we find is that sometimes their plans aren't as thorough as they should be, or there's stuff that they just didn't consider when they were putting the plan together.
Falling Down on the Job
FIELD: Where would you say organizations typically fall down when it comes to breach preparedness?
BURATOWSKI: It's one thing to be able to have a plan written down. So you've got a book you can go refer to, but the real value comes in having actually practiced and run through those plans at a tabletop exercise, so that everybody starts committing those plans to muscle memory. Just like a professional team, they go out there and practice things over and over again. Their particular responsibilities become muscle memory. Well, you want to have that happen with your incident response plan as well.
The next thing is, a lot of companies underestimate the overall cost of having to respond to a breach, and the remediation of that breach. Where companies mostly fall down is identifying the breach early. Anything you can do to discover the breach early and react to it [means] you've put in cost savings right off the bat, because there's less clean-up. There is less damage to a company's clientele, and potentially less damage to their reputation that they need to repair as well.
FIELD: What are some key proactive steps that organizations should incorporate in their plans?
BURATOWSKI: Having an independent party provide an assessment of their security posture, whether that be their infrastructure or policies, is really important. Oftentimes we develop tunnel vision in our own work. Just like when you're editing a document, you develop such tunnel vision that you may miss some of the mistakes that are in there. Having an independent party come in and take a look and provide feedback on ways to improve is a huge value.
Also, it's really important to test against social engineering attacks. At the end of the day, the weakest link in the chain is us. We have the ability, or sometimes inability, to recognize that we're under attack. It's not through any fault of our own necessarily. Some of these attacks are unbelievably well-crafted, and it's hard to tell that it's not from a trusted source. Being able to test that and make sure people's awareness is high is important. Then, have the appropriate policies and procedures in place; but more importantly, follow them. You can have all the policy in the world, but if people aren't following it then your security posture is not there. It's at a much lower state.
Involving External Parties
FIELD: How much do they involve key external parties in the event of a breach?
BURATOWSKI: Well in today's world, I find more and more that companies have cyber insurance, which is great. It's really important to have a provider who works with you. [It's important to know] who they are and who to call if something happens, and also what your policy is going to cover. Underestimating the overall cost of a breach happens all the time; making sure you have that stuff worked out ahead of time with your cyber insurance policy is important.
Having outside counsel who deal with cyber breaches and data privacy on a regular basis is so important. They bring an additional level of competency and knowledge because they do it all the time. They have the ability to make it so that the attorney-client privilege is maintained, and are able to navigate those challenges if a breach were ever to be brought to trial as far as a civil litigation.
Another aspect is having a public relations firm. We've seen how so important it is to have a PR company that can help you message to the clientele. People have become much more understanding that breaches happen; at the end of the day they're going to continue to happen. But where they're really not forgiving is if they get the feeling that a company is being evasive or not forthcoming.
Finally, having an IR firm under retainer [is important]. Time is of the essence when you figure out that you've been breached. And oftentimes companies don't have the internal capability to appropriately respond to an attack or an incident response. But more importantly, having an IR firm that does it every day is going to reduce cost and make it so you can recover quicker.
Determining the Scope of Attack
FIELD: What are some of the measures that organizations must take if they're going to determine the true scope of the attack and not be misled by what they initially see?
BURATOWSKI: There are a couple of different philosophies with incident response. There's the whack-a-mole game, where you try and find the particular hosting chains that were breached, and wind up moving and paving them just so you can get back into business. However, you really wind up missing so much information about how the bad guy got in. The way we approach breaches is, we ensure that we have full network visibility and monitoring, at both the network and host level. What we found is, by having that security operations center, you're able to see what the bad guy is doing, what's going on, and be able to adjust your expulsion event and remediation accordingly.
So you have a surgeon who's responsible for actually conducting the surgery, and they do a great job at that. But at the head of the table you've got the anesthesiologist who's maintaining all the vitals that are supporting the patient. That's kind of what the security operations center does. They maintain and see what's going on [inside] the network and everything else while the investigation is going on. At the end of the day, you wind up getting exceptional intelligence, and [learn] where you need to improve your security.
Testing Your Plan
FIELD: In terms of testing the breach preparation plan, what are some of the key dos and don'ts?
BURATOWSKI: Testing the plan has to happen on a regular basis. If you're not doing it at least a couple of times a year, you really can't get things committed to muscle memory. Make sure everybody who's involved in your incident response plan is actually there and participates in it. If a couple of people are missing, you miss out on figuring out how everybody's going to communicate and react during a situation.
Make sure that you try to make the scenario as realistic as possible and take it through to the end. It's a relatively low investment to take the time and talk through a scenario and figure out what's going to happen. If you don't do that, you don't make that investment up front. You wind up extending how long an incident response is going to take, and you make it more stressful than it really needs to be. You're trying to make things go quickly, efficiently, and recover as quickly as possible.