Security

When Prevention Isn't Enough: Security Best Practices for During and After a Breach

Even if they have strong defenses in place, IT leaders must know how to respond quickly and effectively to attacks.

Cybersecurity threats pose challenges to organizations of all sizes, across every industry. Cyberattackers, phishing attempts, network eavesdropping, malware and many other threats jeopardize the confidentiality, integrity and availability of IT resources on a daily basis. IT leaders must clearly understand these threats and develop security controls that allow them to remain vigilant as these threats evolve in sophistication and targeting.

As IT leaders adapt to a world with ever-present security threats, they must develop an internal capability to quickly respond to dangers as they arise, and implement safeguards that keep the organization’s most sensitive data safe from theft, unauthorized alteration and destruction. Fortunately, this is a shared problem across the IT landscape, and technology professionals can leverage best practices via tools and strategies to prevent most breaches. Unfortunately, breaches will inevitably still occur. IT leaders must therefore have processes in place to detect and respond effectively to security incidents.

During an Attack

The moments after an attacker successfully breaches enterprise defenses present a short, but extremely critical, window for security professionals. Prompt responses to successful breaches, aided by security automation tools, limit the amount of time an attacker has access to the network. The primary focus of security professionals responding to a breach in progress should be to limit the ability of the attacker to gain further access to the network and to cut off the access already gained, removing the foothold inside the organization’s technology infrastructure.

Most breaches occur too quickly for a manual response. By the time administrators become aware of a breach, the attacker has probably already gained access to sensitive information and may have moved on to another target. The damage may be done before security analysts put down their cup of coffee and begin understanding what took place. Fortunately, security technologies can not only assist with the detection of a breach, but also automate response actions that seek to limit further access and remove an attacker from the network.

Intrusion prevention systems (IPSs) continuously scan network traffic, watching for signs of a potential breach by identifying known signatures of malicious activity or anomalous behavior. When an IPS detects a potential incursion, it may automatically block traffic, preventing attacks from reaching their intended targets. If an attack does reach the intended target, data loss prevention (DLP) systems step in and seek to prevent the successful theft of sensitive information. DLP systems watch traffic leaving the network, looking for unauthorized transmissions of sensitive information. If the DLP solution detects such activity, it can block the transmission and notify security administrators.

Enterprises may also leverage threat intelligence information from security partners that complements their own expertise. Threat intelligence products facilitate the sharing of threat information across a wide variety of enterprises. If a new attacker appears on the landscape and attempts to breach the security of one enterprise on the threat intelligence network, information about that attacker may then be shared with others, allowing the organization to automatically block traffic from known malicious addresses, stopping attacks before they occur.

Security analysts responding to an attack may also perform a manual investigation into the breach, looking for evidence of how the attacker gained access and using that information to stop the flow of data out of the organization. Actions taken by security professionals may include changing firewall rules, updating security policies, adding hosts to a blacklist and quarantining suspect systems.

After an Attack

The work of security professionals isn’t finished after they simply detect and stop an attack in progress. After the immediate danger passes, security analysts should follow a process of due diligence designed to return the organization to normal activity. The goal of this process is to restore the organization to a secure operating state and learn from the incident.

As with the other stages of an attack, security professionals may leverage a set of tools to assist with post-incident analysis. Forensic tools allow the close examination of systems involved in the compromise. Security information and event management (SIEM) systems allow the review and correlation of records from a wide variety of technology components, as well as threat intelligence information from security partners.

Combined, these sources of information provide an important view into an attack that allows security teams to understand the sequence of events leading up to the breach, and to gain insight into the activities undertaken by the attacker after gaining access to the network. Security teams may use this information to address the vulnerabilities exploited by potential attackers and can retrace the attacker’s footsteps to identify the extent of a security breach.