Improving Breach Investigations Step One: Know Where the Critical Data is Stored

Most data breaches could be caught far earlier if organizations did more to watch their data and the logs around it, says Chris Novak, a member of Verizon's investigative response team.

According to Verizon's 2012 Data Breach Investigations Report, most organizations don't know how to look for breaches because they don't really know how to monitor their data.

"They generally know what data they have, but they don't necessarily know where they have it and how it's being handled," Novak says in an interview with Information Security Media Group's Tracy Kitten (transcript below).

Without a basic inventory or data flow map, companies will continue to be challenged with how they secure data and respond to breaches.

To improve breach investigations, organizations need to:

  • Enhance Collaboration: "Nobody knows you better than you know yourself," Novak says. When an outside investigator comes in to assist after a breach, organizations need to communicate and explain how they operate.

    "Then we can use the experience that we have, the investigative tools and methodology, to dig into what might have occurred and help them figure it out."

  • Assess Capabilities: Knowing what an organization can and can't do is critical. Novak recommends organizations develop incident classification matrices, "something that says these are the different types of scenarios that we could anticipate having." Based on the level or severity of the anticipated breach, an organization may decide to handle the investigation in-house, bring in an outside forensics team, or combine the two.

  • Consult with General Counsel: Especially in highly regulated industries, organizations need to speak with their internal general counsel, particularly legal experts who specialize in data privacy, legislation and notification. If they don't have anyone internal, they should seek outside advice.

    "Understanding what all [the regulations] mean and how to interpret them is very critical," he says.

  • Preserve the Information: This includes log data and event details, Novak says. "A lot of organizations struggle with preserving that data and preserving the systems," he says. But preserving that information, with proper chain of custody, keeps an organization's options open if it later decides to pursue prosecution.

During this interview, Novak discusses:

  • How breach response plans can be the difference between catastrophe and triumph;
  • Why it's critical for all organizations to understand varying state and international breach notification laws, regulations and guidelines;
  • The special challenges global organizations face in breach prevention and response planning.

Novak works in Verizon's investigative response unit.

Today's Breach Environment

TRACY KITTEN: Data breaches are posing increasing challenges for organizations that fall across a number of industries, as well as sectors. In fact, according to Verizon's newest Data Breach Investigations Report, 2011 saw 850 breaches across 174 million stolen records, the second highest data loss that the Verizon risk team has seen since it began collecting data in 2004. Can you give us a quick background about today's current environment and why numerous industries are seeing upticks in breaches?

CHRIS NOVAK: As you mentioned, we've seen a dramatic uptick over the last year, not just in the number of breach investigations, but also in the number of compromised records. I think the breadth of what we're seeing across all these industries is also the result of a new role that hacktivism is playing in the cyber realm, if you will. We've all heard of hacktivism in the past, but it's never been quite as pronounced as the data is really showing us from this year's report. It tells us that it's not all about the money like it used to be. We're always going to see your typical financial situations, your smash and grabs, but to give you an idea, 58 percent of the 174 million compromised records that you mentioned were actually the result of hacktivism, which I think will surprise a lot of folks. They hear about it in a lot of different things throughout the media and the role that hacktivism has played in social and political environments, but when you start to see the way that it impacted from a data breach, data privacy perspective, I think that's quite substantial.

When the motivation moves away from being purely financial, that can really broaden the scope of potential future victims. A lot of organizations tend to look at themselves internally and say, "Well, why would someone come after me? I either do or don't have a certain type of data that they may want." But now when you get in the mind of the hacktivist, you say, "In many cases it's not that I want to get something from that organization or from that person that traditionally I would go out and try to sell for money. I want to damage a reputation or a brand, or I want to cause them harm, but not necessarily looking for direct financial gain myself." That change in motivation causes a lot of struggle for organizations to figure out where they may fall in that potential victim arena.

Data Management Issues

KITTEN: That's a good point and cybersecurity across the board is a growing concern. When it comes to breaches, most of the breaches can be traced back to some sort of cyber attack, hack or maybe even an internal system hiccup or oversight. Why have organizations not been able to keep up with today's complex data management environment?

NOVAK: I think one of the biggest things that we note during our investigations is that many organizations really just struggle with understanding the big-picture data problem. They generally know what data they have, but they don't necessarily know where they have it and how it's being handled. Without something as basic as an inventory, a data flow map, retention guidelines, you're always going to be challenged with how you're going to secure that underlying data, and I think everybody realizes it's all about the data.

If you don't really have a good handle on that, you're really going to be in an awkward position of, "Well, if I were to just contemplate what a breach might look like, I really can't get a good feeling for what that picture is. If I were to actually be in the midst of a breach, do I even know where to look?" A lot of times we get involved with investigations and organizations will tell us right from the get-go, "We believe 'x' data is at risk because we've seen this on the Internet or someone has told us they have heard of something." So then the next question we'll ask is, "Where did this data live in your environment?" And you kind of see this blank stare on a lot of people's faces in the room, kind of, "I think it's on this server or I think it's located in that data center." But this data could be in a number of different places throughout the country or throughout the world. That creates a huge problem with just trying to track down where the potential breach or leakage may be. Again, it really kind of comes down to a lot of organizations just don't understand where their data is and what they're doing with it.

Breach Response

KITTEN: What about the response after a breach? How well are most industries and organizations doing when it comes to breach response? I guess I'm getting at the fact that we don't really have any uniform laws in place to outline strategic steps that organizations must take and so most organizations have developed their own policies and procedures.

NOVAK: Sure, I would say this is a really variable area. I also think many people actually tend to think that everyone's doing better than they actually are. If you look at our data breach report, particularly the section regarding the incident timeline, this is something I think has been very fascinating over the last several years, but again it's popping out in this report. You'll notice that many of those timeline characteristics are in the weeks, months or even longer time periods. What that tells us is many organizations are really poorly prepared for a breach or their level of preparedness doesn't necessarily correspond with their actual kind of risk profile or what could happen. I tell folks all the time that I see large breaches that are handled really well and the damage or the brand reputation impact can be very minimal if it's handled properly, and then I've seen relatively small breaches that I say, "Wow, this should have little to no impact or consequence on an organization," but because of the poor way in which it was handled it ends up being almost magnified by their poor response plan or even just a lack thereof. I think that's a big piece of it. I think that also you have the element of when you have laws, regulations and guidelines, [it] forces organizations to go down a particular road. But we also sometimes see organizations struggle with trying to make it really applicable to their real-world scenario, as opposed to really just applicable to a particular compliance or regulatory standard.

Investigation Guidelines

KITTEN: In the hours and days following the discovery of a breach, what entity would you say is best suited to coordinate an investigation?

NOVAK: This may sound peculiar coming from someone like myself. The best suited is actually probably the victim organization themselves. They "should be." I say that kind of with air quotes, but the reason I say it that way is because it's a bit cliché but nobody knows you better than you know yourself. When we go into investigations of organizations, some organizations kind of have this thought that we're going to come in all knowing, all being, and they don't need to explain anything about their environment to us, we'll just magically figure it out. Now I would love to be able to say I can take credit for that type of work and that we can just kind of assume all that knowledge, but the fact of the matter is it's a cooperative effort. We work with the organization to understand how they operate and then we use the experience that we have, the investigative tools and methodology, to then dig into what might have occurred and help them figure it out.

But the reason why I say organizations generally are the best place to start is because when we talk with a lot of organizations throughout the course of an investigation, it really takes a little bit of poking and prodding, but eventually you get to this point where someone will finally start to say, "We might have had a problem over here," or, "We might have had a problem over there." That really goes a long way from an investigative standpoint because it gives us lead places to start from, places where you might feel there is a weak spot or a soft spot in your security where, yes, from an investigative standpoint we can do some discovery across the environment and probably find the same thing. But without any kind of lead information we're essentially doing a very broad stroke to try and assess where those vulnerabilities may exist. As a result, that's going to take more time.

The next piece of that I would say is if an organization is not well prepared internally, they don't have the capabilities to do it themselves, then I say at that point you go to the experts. You get somebody from the outside and you bring them in to help you with it, because if you don't have your own internal first-responder capability, you don't want to take a chance of making a mistake, especially on something that may be very critical to the business.

Outside Forensics Help

KITTEN: What about determining when you should hire an outside forensics expert? What's the best way for an organization to determine that?

NOVAK: You need to start with assessing your own capabilities. In general, when I speak with organizations, most of them I think actually have a fairly good understanding of what their own capabilities are and that may range from, "We know we have nothing and we understand that and we need your help," to, "We have some capabilities but we know we can't do anything and we don't have an intention to do everything but we need your help to fill in the gaps." Then there are other organizations that may say, "You know what, we can do everything on our own. But every now and then we have more than we can handle and we need someone that can maybe work with us from an overflow perspective."

Now we work with organizations of all different shapes and sizes, so I think the first thing an organization needs to do is to assess what their capabilities are and then what I always recommend is, work up an incident classification matrix, something very simple that says these are the different types of scenarios that we could anticipate having happened and based on the different levels or severity of those different classifications, we would either handle it internally with our own team or we would go to an outside organization to bring in experts to assist us, or maybe a combination of the two.

For example, this is a big challenge for multi-national organizations where they may say, "Look, we have a fantastic capability in the U.S. market," but their capability may be more limited abroad, or they may have other issues that they have to deal with from data privacy-type issues. So it's easier for them to partner with organizations in other geographies to make sure that they've got that same level of coverage.

Legal Ramifications

KITTEN: What about some of the legal ramifications that organizations should consider, and might some of those ramifications vary from one industry to another?

NOVAK: Absolutely. There's a lot to be considered there. Particularly, in your highly regulated industries - financial, energy, defense, any organization that falls into categories like that as well as many others - there are a large number of different considerations that need to come into play with respect to that. What I always recommend to folks is, if you're considering these different areas, start talking with your internal general counsel. If you don't have general counsel that specializes in things like data privacy, legislation and what your notification or disclosure requirements may be, then look to some outside counsel for additional support. There are plenty of organizations that specialize in understanding that. I will tell you that it varies on a locality basis almost. We work in pretty much every state, every country you can think of, and as a result of that you've got to deal with the legalities in all those different places, the notification disclosure requirements, limits, thresholds, who you need to notify from either a law enforcement or maybe even an attorney general perspective very significantly. Understanding what all that means and how to interpret that are very critical, so I always advise folks to talk to their internal counsel and if need be, engage outside counsel. If you have a trusted forensics partner on retainer, there's always a possibility that they may be able to provide you some guidance [and] law firms that they may be able to recommend having been used in the past.

Post Breach: What to Monitor

KITTEN: What would you say are the top 5-10 items initiated and monitored in the wake of a data breach?

NOVAK: There are a number of different things that need to be initiated and monitored. ... One [is] you've got to make sure that you're preserving information - your log data, your event details and things like that which are going to help you to be able to go back historically and understand what happened. A lot of organizations, something that they struggle with is preserving that data, preserving the systems, understanding, "Okay, if you have that incident classification matrix that I mentioned, where does this fall in that? Are you handling it yourself, or are you going to an outside party?" If so, you need to make the calls. You need to figure that out right away. You need to understand, are you going to pursue something like prosecution or are you going to protect your own environment first? And depending on that, you may choose [to say], "We need to pull the system off the network and start quarantining parts of our environment to contain the damage." Or maybe you decide to go down the road of, "Let's leave it open in some minimalist fashion so that maybe we can get more data on what the perpetrator is doing and eventually lead to prosecution."

Another important piece there is, how are you going to involve law enforcement, if you choose to involve law enforcement depending on the nature of it? As a result of that, there may be other third parties or even different actions that you may take both from a business standpoint or a technical elements standpoint that could factor into those response steps. Then, make sure that you've got all your appropriate chains of custody, as in handling procedures, in place to make sure nothing gets spoiled in the process, because a lot of times what we find is that the initial stages of the incident response are usually, as you would probably imagine, the most hectic but also the most critical. You want to make sure that you're doing things right and not necessarily just doing things quickly, because later on - we see this all the time - organizations will come to us and say, "Look, we're not interested in prosecuting. We just need to get this situation fixed." Well then, lo and behold, a week or two later we're getting into the thick of the analysis and all of a sudden we find some really juicy information that might lead to a very successful prosecution, but because of some missteps that the organization took earlier on with the handling of evidence or otherwise that information might not be really useful in court or could be thrown out quite easily as a result of that. It's important to have those elements kind of all falling into place.

KITTEN: What lessons can others learn from recent breach investigations that we've seen? What missteps or mishaps are most common?

NOVAK: Probably one of the biggest things that organizations fail to do is they don't look for the breach. And what I mean by that is, we get pulled into a lot of investigations and a lot of the details of what happened are right there in the organization's own environment. Usually they're right there in the logs and quite often they pop out quite easily. In fact, if you look at some of the details in the data breach report, you'll see that roughly 96 percent of all these data breaches were what we considered to be not very sophisticated or advanced. There is oftentimes a significant wealth of evidence that's left behind, and when I say that they're not looking for the breaches, what I mean is if they were just looking through some of this log data, doing more correlation of their events, they would be able to stop something, maybe a 100 million record breach - they might be able to stop that at the point where it's two records or three records.

I don't want to tell anybody or lead anybody to believe that if you do everything right you'll never have a breach, but I think to some degree doing everything right means that any security incidents you have you may be able to contain and mitigate before they get to the point where the sensitive data is walking out the door. You identify the bad guy; you stop him; you cut it off; you remediate that vulnerability that he or she exploited and now you can go back to your business and hopefully you didn't have to make a notification or disclosure. It's a big thing that organizations can learn from, that if they looked at it, they'd see a lot more than I think they expect.
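Two of Novak's points above are concrete enough to show in code: preserving log evidence before anyone touches it (the chain-of-custody step in "Post Breach: What to Monitor"), and correlating events in logs the organization already has so that a breach is caught "at two records or three records" rather than at a hundred million. The script below is an added example written for this page; it is not Verizon's tooling and not anything Novak describes using. The log lines are constructed (an SSH auth log merged with an application export log), and the thresholds, the one-hour "tainted session" window and the internal address ranges are assumptions a real deployment would replace with its own.

```python
"""Preserve a log's integrity, then correlate its events to find the breach.

Added example, not Verizon's or the interviewee's tooling. The sample log,
thresholds and internal address ranges are constructed assumptions.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: SSH auth log and application export log, merged in time
# order. Not taken from any real incident. 203.0.113.9 is the attacker's host.
SAMPLE_LOG = """\
2012-05-01T02:14:03Z sshd[812]: Failed password for admin from 203.0.113.9 port 51234
2012-05-01T02:14:05Z sshd[812]: Failed password for admin from 203.0.113.9 port 51235
2012-05-01T02:14:08Z sshd[812]: Failed password for admin from 203.0.113.9 port 51236
2012-05-01T02:14:10Z sshd[812]: Failed password for admin from 203.0.113.9 port 51237
2012-05-01T02:14:12Z sshd[812]: Failed password for admin from 203.0.113.9 port 51238
2012-05-01T02:14:15Z sshd[812]: Accepted password for admin from 203.0.113.9 port 51239
2012-05-01T02:16:40Z dbexport[901]: user=admin table=customers rows=2 dest=203.0.113.9
2012-05-01T02:31:02Z dbexport[901]: user=admin table=customers rows=1500000 dest=203.0.113.9
2012-05-01T03:00:00Z sshd[812]: Accepted publickey for backup from 10.0.0.5 port 40001
2012-05-01T03:00:30Z dbexport[901]: user=backup table=customers rows=1500000 dest=10.0.0.5
2012-05-01T04:10:00Z dbexport[901]: user=analyst table=customers rows=250000 dest=198.51.100.20
"""

# Assumed tuning values for this example; a real deployment sets its own.
FAIL_THRESHOLD = 5                      # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)     # how far back failures are counted
SESSION_WINDOW = timedelta(hours=1)     # how long a suspect login taints the account
BULK_ROWS = 100_000                     # export size that is suspicious on its own
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\w+)\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
OK_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
EXPORT_RE = re.compile(r"user=(\S+) table=(\S+) rows=(\d+) dest=(\S+)")


def preserve_evidence(raw_log: str, label: str) -> dict:
    """Chain-of-custody manifest entry: hash the log BEFORE analysis starts, so
    the copy examined later can be shown identical to the copy collected."""
    return {
        "label": label,
        "lines": raw_log.count("\n"),
        "sha256": hashlib.sha256(raw_log.encode()).hexdigest(),
    }


def parse(raw_log: str) -> list:
    """Turn raw lines into (timestamp, kind, fields); skip unrecognised lines."""
    events = []
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        body = m.group(3)
        if (f := FAIL_RE.search(body)):
            events.append((ts, "auth_fail", {"user": f.group(1), "src": f.group(2)}))
        elif (o := OK_RE.search(body)):
            events.append((ts, "auth_ok", {"user": o.group(1), "src": o.group(2)}))
        elif (e := EXPORT_RE.search(body)):
            events.append((ts, "export", {"user": e.group(1), "table": e.group(2),
                                          "rows": int(e.group(3)), "dest": e.group(4)}))
    return events


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def correlate(events: list) -> list:
    """Rules that only fire when auth and export events are read together.
    Returns (rule, timestamp, detail) tuples in log order."""
    alerts = []
    fails = defaultdict(list)   # source address -> timestamps of recent failures
    suspect = {}                # account -> time of its brute-forced login
    for ts, kind, f in events:
        if kind == "auth_fail":
            fails[f["src"]].append(ts)
        elif kind == "auth_ok":
            recent = [t for t in fails[f["src"]] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                suspect[f["user"]] = ts
                alerts.append(("brute_force_success", ts,
                               f"{f['user']} from {f['src']} after {len(recent)} failures"))
            fails[f["src"]].clear()
        elif kind == "export":
            detail = f"{f['user']} exported {f['rows']} rows of {f['table']} to {f['dest']}"
            since = suspect.get(f["user"])
            if since is not None and ts - since <= SESSION_WINDOW:
                # Fires on the 2-row export, long before the bulk pull.
                alerts.append(("export_by_suspect_account", ts, detail))
            elif f["rows"] >= BULK_ROWS and not is_internal(f["dest"]):
                alerts.append(("bulk_export_external", ts, detail))
    return alerts


if __name__ == "__main__":
    print("preserved:", preserve_evidence(SAMPLE_LOG, "auth+export log (constructed)"))
    for rule, ts, detail in correlate(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {rule}: {detail}")
```

On the sample, the second rule raises an alert at the two-row export by `admin` at 02:16:40, fourteen minutes before the 1.5 million-row pull; the 1.5 million-row export by `backup` to an internal host raises nothing, because nothing before it was suspicious, while the `analyst` export to an external address trips the size rule on its own. The manifest is the simplest form of what Novak calls chain of custody: a hash taken before analysis that any later party can recompute against the copy in front of them.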
