Equifax just experienced a massive breach where personally identifiable information of about 143 million Americans was compromised. That’s one out of every two persons in the country, to put it in perspective! The costs of remediation, lawsuits, fines, customer compensation such as free credit monitoring is expected to cost the company billions of dollars, not to mention the damage to the brand, customer trust, stock price, and more. While Equifax looks to extricate itself from this unenviable quagmire, here are some lessons other Enterprises could learn from this breach.
1. Incident prevention & detection is not enough. You need to invest in incident response.
By all accounts, Equifax designed their systems to be highly secure with multiple layers of prevention and detection technologies. Despite this, such a debilitating breach took place. A security strategy based on Prevention and Detection is no longer feasible and focus now needs to shift to response.
Frameworks like NIST give enterprises a solid start on how to plan for incident response leveraging cross company resources. Leading Incident Response platforms, like Resolve, provide a comprehensive suite of capabilities spanning case management, cross-company orchestration, out-of-box playbooks with ideal response procedures as well as automations for the speediest validation, containment, investigation and remediation of security incidents, while supporting compliance and forensics requirements.
2. Get to real, highly damaging incidents fast.
Per industry reports, hackers were able to break into the Equifax systems and steal massive amounts of data, undetected for a period of 2 months! That is a staggering duration of time for intruders staying stealthy and for no response to have kicked in!
A big challenge enterprises have is being able to sift through massive volumes of events and alarms related to security. As detection technologies evolve, they add more alarms to the already massive pile. Only a few of them are genuine incidents needing action. Every minute spent on a false alarm is a minute less for working on the real one, such as the data theft on the Equifax systems. While there are products like SIEMs that algorithmically identify a lot of the noise, enterprises need the power of automation that incident response tools provide to accelerate validation and response to true incidents. Importantly, incident response tools like Resolve streamline and speed up resolution and create organizational bandwidth to handle more genuine incidents.
3. Incident Response is a challenge for the entire enterprise, not only security operations.
The breach at Equifax appears to have been caused due to a vulnerability in an Apache Struts based web application. An important question to ask is: Can the Security Operations Center (SOC) team be asked to own the complete investigation, containment, and remediation when they are not involved in the design, deployment, and administration of the application stack? The answer is an emphatic, “No!” Responding to a security incident is an enterprise-wide endeavor. All IT operations teams – security operations, network operations, IT infrastructure management, service desk, and other silos, need to work hand in hand with common processes and tools for an agile response process.
While there are numerous point solutions for security automation and orchestration, what an enterprise needs is a true enterprise-wide platform that unifies the organization in the context of any incident response. Failure to have such an enterprise-wide platform is a recipe for process breakdown and more damage from incidents.
4. Security incident response needs strong collaboration between humans and automation.
Security incident response cannot be fully automated away. Bad actors are looking for new ways to break into the strong defenses of the enterprise, looking for the slightest opportunity. Combating these actors cannot be outsourced solely to automated processes. Incident response needs security experts. At the same time, there aren’t enough hours in the day of the far and few experts to be able to deal with these incidents by themselves. Automation is key to scale security response.
Human-guided automation provides the perfect collaboration and synergy between human experts and automation. Security experts can package a response process as a combination of automation and manual procedures and push out to frontline responders – making them more effective. While the automation can perform actions such as data gathering, validating IP addresses, gathering threat feed data, updating case management systems and evidence preservation, humans can ultimately drive the complex investigations and be in charge. This smart human/automation partnership is key to scale security incident response.
5. Security breaches are expensive, way more than you may imagine!
While you may intuitively understand the damages of security incidents, you only need to be in the shoes of Equifax to fully understand how debilitating one incident could be. Within the first week, the company is looking at multiple class action lawsuits with demands over US$70 billion in damages. Attorney Generals of at least five states have announced investigations into the breach formally. Congressional hearings are commencing against Equifax executives. One can only imagine the full extent of damages for Equifax and impacted customers over the long term. This is not a situation any business would want to be in, ever!
Interested in assessing your company’s readiness for an unavoidable breach? Schedule a workshop with Resolve SIR experts who will spend a day with your SOC team to understand the tools, people, and processes involved in your organization’s incident response.
Security automation and orchestration can be the secret ingredient to an effective incident response program, but many teams overcomplicate it or feel overwhelmed by trying to automate every activity in the workflow.
When getting started with security automation and orchestration, think agile:
- Prioritize business drivers
- Identify key stakeholders and process owners
- Examine automation opportunities
- Define requirements with a workshop
- And more