Because of all the recent security attacks, many business leaders are wondering how they would respond to a breach of similar size and magnitude, and how they can take proactive measures to avoid falling victim to one in the first place. In an IT landscape altered by increased remote work, concerns about cyberattacks and their consequences have only increased. The SolarWinds attack was a reminder of how every second counts when a breach occurs, and how the consequences of a breach can take on a life of their own internally, with partners, with customers, and in the media. As remote work and hybrid workers become more permanent fixtures of professional life, and with cybercriminals constantly sharpening their methods of attack, having a response roadmap in case of a major breach is critical. In this blog, we will explore the most important components in getting the response and recovery right, and also highlight the tools our partners at Microsoft offer that perform proactive and reactive defenses against these types of major breaches.
Scenario: Discovering the breach
A major breach can take many forms, but for the purposes of this blog, we will address a response to a sophisticated attack with ripple effects large enough to affect customer, vendor, and personnel data. We’ll also assume, in this scenario, that you do not have a comprehensive and unified security platform that puts monitoring and control of your systems under a single pane of glass. Pressure is high in these early moments of a response, and any time lost can cause the situation to quickly deteriorate and become difficult to contain.
Assemble all stakeholders
• Breaches require leaders from any department whose data might be compromised to remain in close contact. Proactively build a contact list for all these individuals so they can gather and communicate at a moment’s notice — whether in person or virtually.
Perform an inventory of affected systems
• Determine the scope of the problem from a technical standpoint — identify which systems are compromised and which may still be safe. Knowing the full scale of the attack is critical.
Evaluate if attackers are still in the environment
• Don’t assume the attackers will run and hide. In fact, some bad actors can even hold data for ransom or use the stolen data as leverage against you. You cannot move forward without addressing this step, so careful choices need to be made.
Prevent further spread
• Determine which systems need to be taken offline and isolated. It is critical to have the system inventory on hand for this step.
Begin notifying regulators, vendors, employees, and customers
• There are countless stakeholders, like customers and vendors, who have a right to know about a breach, and others you’re legally required to inform. Regulatory bodies at the state and federal level, and in some cases law enforcement, need to be notified. So do your employees. To avoid a scramble, proactively build a list of stakeholders who need to be notified when an inevitable breach occurs and have it easily accessible.
Azure Sentinel is the command center of our security operations. It combines Security Information and Event Management (SIEM) capabilities with critical Security Orchestration, Automation and Response (SOAR). Don’t have the resources to manage this system? Azure Sentinel can be delivered as a service to you via our Security Operations Center (SOC)
A major breach can be overwhelming even for those who think they’re prepared. If any of these key response considerations seem difficult or impossible for your organization, we want to talk about how we can fill the gaps. From security to infrastructure, we’re experts on what it takes to secure and future-proof your business against any threat, 24x7x365.