A CISO’s Guide to Surviving a Breach

Benjamin Franklin is reported to have said “nothing in this world can be said to be certain, except death and taxes”. In this day and age, perhaps the idiom can be modified to state that “nothing in this world can be said to be certain, except death, taxes and cybersecurity breaches”.

Breaches are inevitable. As a popular saying goes, “there are only two types of companies: those that have been breached and those that will be breached”. A recent study by a penetration testing company found that 93% of the companies it tested could be penetrated. Companies that spend a few hundred thousand dollars on cybersecurity get breached. Companies that spend millions get breached, and companies that spend hundreds of millions on cybersecurity and defense in depth still get breached. So there is no straightforward correlation between how much money is spent on security and the likelihood of a breach.

However, there is a loose correlation between the maturity of a cybersecurity program and the likelihood of a breach. Immature cybersecurity programs increase the likelihood of a breach; highly mature programs reduce it but do not eliminate it.

So why is that? Why can we not make ourselves “breach proof”? The answer is that there are simply too many variables, and the technology landscape of a company is constantly shifting and mutating. New systems and technologies are introduced into every environment while old systems lose support and get added to the pile of tech debt. People change roles. Knowledge moves around. And with every change and every movement, the armor can crack momentarily and allow exposure.

A breach, when it happens, is perhaps the most devastating experience for a CISO and his or her team. All the years of effort and all the dollars spent seem meaningless in an instant. Credibility built over many years seems lost. However, cybersecurity professionals rarely get to dwell on their misery. Typically, in the immediate aftermath of discovery, CISOs and their teams go into high gear, falling back on their experience and training to first contain the exposure as quickly as possible, then recover the affected systems, and in parallel perform a detailed forensic analysis to determine the root cause.

Once the dust has settled, the soul searching begins for the CISO. Most CISOs find themselves wondering if their tenure at the company has come to an end. Some, in the depths of despair, even end up searching the web to find out whether there is life after a breach. The short answer is yes, there is life after a breach. A breach no longer represents the end of the road for the CISO. In fact, a breach is a tremendous learning experience for any cybersecurity professional, regardless of the eventual outcome. A cybersecurity incident can bring the entire company together and immediately align priorities and funding, often for years to come.

The fate of the CISO is dictated by two things: first and foremost, the reputation and credibility that he or she has been able to establish, and second, how the CISO responds to and supports the breach investigation and reporting. A data breach puts the entire program and the cybersecurity team under a microscope. The overall reputation of the team within the company becomes central to the conversation about their future there. If the team is seen as credible, collaborative, helpful and business oriented, then the odds are in favor of the CISO. Failures may be forgiven.

If the overall security program at the company has been a challenge and perceptions of the security team are negative; if the team has been difficult and inflexible to work with; if the CISO has been unable to build critical relationships across the company; then fingers inevitably point at the CISO and his or her team. And if the forensic investigation and the examination of the overall cybersecurity program that follow a breach reveal gaps and critical omissions, those failures are magnified and become the reason for the departure of the CISO and a restructuring of the team.

There is another unfortunate aspect. During the incident response process, many external resources are engaged, such as external counsel, forensic investigators, communications specialists and ransomware negotiators. All of these stakeholders may form an opinion about the effectiveness of the CISO and the cybersecurity program, which they may express to company leadership or the Board. Any negative feedback could end the tenure of the CISO at the company.

So how does a CISO survive a breach? Here is some guidance based on my own personal experiences going through a couple of breaches.

BUILD A CREDIBLE PROGRAM

Build an effective, credible, transparent, collaborative program for cybersecurity, risk and compliance. Long gone are the days when Information Security could survive as a policing function, acting with unilateral and inflexible authority. Treat information security as a service. Be highly collaborative and support the business needs. Cybersecurity is a risk management function. Build a team that understands the risks and is able to work with other IT and business leaders to selectively mitigate and/or accept risks.

Build relationships and maintain lines of communication with your CFO, General Counsel, CHRO and other members of the Executive Leadership Team.

Complete transparency should be practiced by the CISO and his/her team in responding to lawyers and forensic experts.

FOCUS ON FOUNDATIONAL TECHNOLOGY COMPONENTS

As CISOs we are often single-mindedly focused on bringing in multiple layers of technology. Based on the availability of budget and resources, we do the best we can to build a portfolio of technologies that we believe is sufficient to protect the company we work for.

This is an area where a CISO's insights, instincts and strategic vision come into play. It is easy to make a wrong decision and buy technology that is not cost effective in the long term or does not provide the anticipated coverage. There is some tolerance in most areas. However, I have found that the following few areas receive an inordinate amount of focus from regulators during a breach, and any lapses are magnified and could become a serious problem for a CISO.

Password Policies: The general hygiene around password management comes under scrutiny before anything else. After all, a large share of breaches begin with compromised credentials. Well documented password standards that clearly require strong passwords for general users, and stricter ones for administrators, go a long way in responding to legal and regulatory inquiries. Be prepared to show that the standard is actually enforced by the directory and the applications, not merely written down, because the document will be compared against the configured policy.

Multi-Factor Authentication: Ensure that your implementation and use of MFA is robust and that there are no exceptions. Any remote access to company data center resources or networks must use multi-factor authentication. Any administrative access to cloud instances and general user access to SaaS applications must also be protected with MFA. Even on the internal network, protect privileged access to Windows and UNIX servers and network devices with MFA.

Privileged Access Management Solution: A password vaulting solution or a privileged access management (PAM) platform is a must. During my countless interviews by counsel, regulators and attorneys general, the conversation dwelled on the use of a PAM solution. Generally, PAM solutions are not easy to implement. Well, let me correct myself. The initial implementation and set-up of the infrastructure for a PAM solution may not be an issue, and onboarding some of the admin credentials might not be an issue either. However, onboarding hundreds if not thousands of service accounts often ends up being a stumbling block. Furthermore, a PAM system can house “managed accounts”, whose passwords the system rotates automatically, or “unmanaged accounts”, where the system simply vaults a static password. Even if you cannot vault privileged accounts in a managed state, ensure that unmanaged accounts are set with complex, unguessable passwords of at least 25 characters, and remember that a static password is only as secret as the last person who checked it out, so rotate it when that person leaves or changes roles. Ensure that your password standard contains appropriate guidance on password complexity and on the use of the PAM.
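To make the password standard and the vaulting rule above concrete, here is an added Python example (not the author's tooling and not any PAM vendor's API) that audits a hypothetical PAM export against the rule the text describes, 25 or more characters, all four character classes and no guessable words, and generates compliant replacements for unmanaged accounts. The export format, the account names, the passwords and the blocklist are all constructed for illustration.

```python
"""Audit vaulted privileged accounts against a password standard.

Added illustration, not the author's tooling or any PAM vendor's API.
Assumes a hypothetical PAM export as a list of dicts with 'name', 'state'
('managed' or 'unmanaged') and, for unmanaged accounts, the vaulted
'password'. Managed accounts are rotated by the vault, so only their state
is checked; unmanaged accounts hold a static password that must meet the
standard: at least 25 characters, all four character classes, no guessable
words.
"""
import secrets
import string

MIN_UNMANAGED_LENGTH = 25
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample blocklist; a real standard would reference a list of
# known-compromised passwords and company-specific words.
BLOCKLIST = {"password", "welcome", "admin", "changeme", "company"}


def password_findings(password: str) -> list[str]:
    """Return the rule violations for one password (empty means compliant)."""
    findings = []
    if len(password) < MIN_UNMANAGED_LENGTH:
        findings.append(f"length {len(password)} < {MIN_UNMANAGED_LENGTH}")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    if any(word in lowered for word in BLOCKLIST):
        findings.append("contains a blocklisted word")
    return findings


def generate_static_password(length: int = MIN_UNMANAGED_LENGTH) -> str:
    """Return a CSPRNG-generated password that satisfies the standard.

    Draws from `secrets` and re-draws until every rule passes; at 25+
    characters a re-draw is rarely needed.
    """
    if length < MIN_UNMANAGED_LENGTH:
        raise ValueError(f"length must be at least {MIN_UNMANAGED_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_findings(candidate):
            return candidate


def audit_vault(accounts: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant account name to its list of findings."""
    report = {}
    for acct in accounts:
        if acct["state"] == "managed":
            continue  # rotated by the vault; nothing static to check
        if acct["state"] != "unmanaged":
            report[acct["name"]] = [f"unknown state {acct['state']!r}"]
            continue
        findings = password_findings(acct.get("password", ""))
        if findings:
            report[acct["name"]] = findings
    return report


# Constructed sample export; none of these are real credentials.
SAMPLE_VAULT = [
    {"name": "svc-backup", "state": "managed"},
    {"name": "svc-etl", "state": "unmanaged", "password": "Company2019!"},
    {"name": "svc-report", "state": "unmanaged",
     "password": "x9#Qv2!pL7@mZ4$rT1%wK8&bN6^j"},
    {"name": "svc-legacy", "state": "unmanaged",
     "password": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
]

if __name__ == "__main__":
    for name, findings in audit_vault(SAMPLE_VAULT).items():
        print(f"{name}: {'; '.join(findings)}")
    print("suggested replacement:", generate_static_password())
```

In the sample, svc-etl fails on length and on a blocklisted word and svc-legacy fails on character classes, while svc-report passes and svc-backup is skipped because the vault rotates it. Running the audit on the real export, on a schedule, is what turns the paper standard into something you can show an examiner.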

Encryption and Key Management: If you house sensitive data that requires encryption, such as cardholder data, then ensure that your implementation of encryption and the associated key storage and management processes follow published best practices, and that you have current documentation, with data flow diagrams, to support your implementation. Ensure that your encryption and key management standards are published and up to date as well. All of these and more come under intense scrutiny by lawyers and regulators in the wake of a breach.

Endpoint Malware Protection: This is a foundational technology that exists in all environments. However, in most environments coverage is the issue. The leading Endpoint Detection and Response (EDR) solutions perform best on newer operating systems and often have no agents for older legacy operating systems. It is critical that (a) an EDR solution be deployed on ALL endpoints that can support it, (b) an alternate anti-malware solution be deployed for legacy systems, and (c) coverage be measured against an authoritative asset inventory, because a gap you cannot see is the one the investigators will find.

Logging and Monitoring System: The forensic teams engaged in the wake of a breach rely heavily on logs. After all, that is exactly why we spend so much time and money establishing a logging and monitoring system: so that we can (a) get alerted on the established use cases and (b) retroactively figure out what might have happened. Make every effort to ensure that all of the systems in your environment are sending logs to a SIEM. At the very least the authentication logs for every system must be captured and archived, and retained long enough to cover the period between initial compromise and discovery, which is often measured in months. Any exceptions discovered during the breach investigation will assuredly cause significant grief and embarrassment to the CISO and his or her team.
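The two coverage controls above, EDR on every endpoint that can run it and authentication logs from every system, fail the same way: a host that exists in the environment but is missing from the security tooling. The following is an added Python example (not the author's code; the three export formats are assumptions, not any vendor's schema) that reconciles a constructed asset inventory against an EDR console export and SIEM last-seen times, so the gaps are found on a schedule rather than by the investigators.

```python
"""Reconcile an asset inventory against EDR agent and SIEM log-source coverage.

Added illustration, not the author's tooling; the three export formats are
assumptions, not any vendor's schema:
  inventory       - CMDB export: hostname, os, whether the OS has an EDR agent
  edr_hosts       - hostnames the EDR console reports with a healthy agent
  siem_last_seen  - hostname -> UTC time of the last authentication log received
"""
from datetime import datetime, timedelta, timezone

# Hosts quiet for longer than this are treated as not forwarding logs.
MAX_SILENCE = timedelta(hours=24)


def reconcile(inventory, edr_hosts, siem_last_seen, now):
    """Return coverage gaps keyed by control, hostnames normalised to lower case.

    edr_missing     - OS supports the agent but the console does not see it
    edr_unsupported - legacy OS with no agent; needs the alternate anti-malware
    siem_never      - no authentication log has ever arrived from the host
    siem_stale      - last authentication log is older than MAX_SILENCE
    """
    gaps = {"edr_missing": [], "edr_unsupported": [],
            "siem_never": [], "siem_stale": []}
    edr_seen = {h.lower() for h in edr_hosts}
    last_seen = {h.lower(): t for h, t in siem_last_seen.items()}
    for host in inventory:
        name = host["hostname"].lower()
        if name not in edr_seen:
            key = "edr_missing" if host["edr_supported"] else "edr_unsupported"
            gaps[key].append(name)
        last = last_seen.get(name)
        if last is None:
            gaps["siem_never"].append(name)
        elif now - last > MAX_SILENCE:
            gaps["siem_stale"].append(name)
    return gaps


def edr_coverage_percent(inventory, edr_hosts):
    """EDR coverage among the hosts that can actually run the agent."""
    edr_seen = {h.lower() for h in edr_hosts}
    eligible = [h for h in inventory if h["edr_supported"]]
    if not eligible:
        return 100.0
    covered = sum(1 for h in eligible if h["hostname"].lower() in edr_seen)
    return round(100.0 * covered / len(eligible), 1)


# Constructed sample exports; hostnames and timestamps are made up.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"hostname": "WEB01", "os": "Windows Server 2019", "edr_supported": True},
    {"hostname": "db01", "os": "RHEL 8", "edr_supported": True},
    {"hostname": "hr-legacy", "os": "Windows Server 2003", "edr_supported": False},
    {"hostname": "jump01", "os": "Ubuntu 22.04", "edr_supported": True},
]
SAMPLE_EDR = {"web01", "JUMP01"}
SAMPLE_SIEM = {
    "web01": NOW - timedelta(hours=1),
    "db01": NOW - timedelta(days=3),
    "jump01": NOW - timedelta(minutes=5),
}

if __name__ == "__main__":
    report = reconcile(SAMPLE_INVENTORY, SAMPLE_EDR, SAMPLE_SIEM, NOW)
    for control, hosts in report.items():
        print(f"{control:16s} {', '.join(hosts) or '-'}")
    print("EDR coverage of eligible hosts:",
          edr_coverage_percent(SAMPLE_INVENTORY, SAMPLE_EDR), "%")
```

On the sample data db01 has no EDR agent and has gone quiet in the SIEM, and hr-legacy has never logged and cannot run the agent, which is exactly the system that needs the alternate anti-malware control and a separate log forwarder. Hostname case is normalised because the CMDB, the EDR console and the SIEM rarely agree on it, and that mismatch alone produces false gaps.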

Forensic Image Acquisition System: One of the areas where cybersecurity and infrastructure teams typically stumble is their ability to expeditiously provide forensic images of the various systems. When an external forensics company is engaged, they typically want copies of VM and other system images so that they can conduct full disk analyses. Timing is of the essence. Delays in acquiring the images from servers and laptops and then uploading them to the forensic company's portal reflect poorly on the CISO and his or her team. So spend some time now and ensure that a formal mechanism has been established, including hashing of every image so that its integrity can be proven on handoff, and that it actually works when exercised.
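As an added example of the mechanism the paragraph above calls for (not the author's procedure and not a commercial forensic tool), the Python below copies a source disk to an image file, hashes both ends, refuses to hand off a copy whose hash differs, and writes a manifest recording case, host, acquirer, time, size and SHA-256. It assumes the source is readable as a path (a block device on Linux, or a VM disk file exported from the hypervisor); the demo runs against a constructed file so it works offline, and the case id, hostname and analyst name are placeholders.

```python
"""Acquire a file-backed disk image with integrity hashes and a handoff manifest.

Added illustration, not the author's procedure or a commercial forensic tool.
Assumes the disk to be imaged is readable as a path (for example a block
device such as /dev/sdb, or a VM disk file exported from the hypervisor).
The manifest is the chain-of-custody record the external forensics team
needs in order to accept the image; the hash lets either side prove it was
not altered in transit.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images do not sit in RAM


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, dest, case_id, acquired_by, hostname):
    """Copy source to dest, verify the copy, and write dest + '.manifest.json'."""
    source_hash = sha256_of(source)
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes are on disk before hashing
    image_hash = sha256_of(dest)
    if image_hash != source_hash:
        raise RuntimeError("image hash does not match source; do not hand off")
    manifest = {
        "case_id": case_id,
        "hostname": hostname,
        "source": str(source),
        "image": str(dest),
        "size_bytes": os.path.getsize(dest),
        "sha256": image_hash,
        "acquired_by": acquired_by,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(f"{dest}.manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(dest):
    """Re-hash an image and compare with its manifest; True if still intact."""
    with open(f"{dest}.manifest.json") as f:
        manifest = json.load(f)
    return sha256_of(dest) == manifest["sha256"]


def demo():
    """Exercise the procedure on a constructed 3 MiB 'disk' in a temp directory.

    Returns (digest, intact_before_tampering, intact_after_tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "vm-disk.raw")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * (3 * CHUNK // 256))  # constructed data
        image = os.path.join(tmp, "IR-0001_webserver01.raw")  # placeholder names
        manifest = acquire_image(image_dest := image, source=source,
                                 case_id="IR-0001", acquired_by="analyst",
                                 hostname="webserver01") if False else \
            acquire_image(source, image, "IR-0001", "analyst", "webserver01")
        intact = verify_image(image)
        with open(image, "r+b") as f:  # simulate corruption in transit
            f.seek(0)
            f.write(b"X")
        return manifest["sha256"], intact, verify_image(image)


if __name__ == "__main__":
    digest, before, after = demo()
    print("sha256:", digest)
    print("intact after acquisition:", before, "| intact after tampering:", after)
```

Two things matter in practice beyond this sketch: image a VM from a hypervisor snapshot rather than a live file that is still being written, and record the hash in the manifest before the image is uploaded, so a mismatch at the forensics company's portal is a transfer problem and not a question about what your team did to the evidence.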

FINAL THOUGHTS

NIST CSF assessments go a long way in providing independent assurance of the maturity of a cybersecurity program. Ideally, if your budget and resources allow it, have two independent assessments conducted in a typical year: one from a well-known, reputable company at the end of the year and the other from a local boutique cybersecurity company around mid-year. The former will typically be expensive while the latter may be more affordable. These assessments will be instrumental in providing assurance and comfort to regulators and authorities that the company's cybersecurity program is mature and reliable.

Breach response is not an exact science. Myriad variables may affect the eventual outcome for CISOs and their teams. In the immediate aftermath of a breach, the cybersecurity team may well find itself in the awkward position of being forced to take a back seat. The conversation is driven by the company's legal team in conjunction with external counsel, an external communications firm and external investigators.

Although it may seem to the security team that matters have been taken out of their hands and lawyers and investigators are running the show, the cybersecurity team remains the focal point for assisting with forensics and responding to lawyers, regulators and other agencies. This is the phase of the breach that can make or break a CISO. In such a situation, the CISO needs to stay focused and ensure that priorities are maintained and a calm and coherent response is provided throughout.

The final recommendation to my CISO peers is that at every suitable opportunity, they create awareness in the minds of their executives, and especially the Board of Directors, that breaches will happen and that the sole purpose of a cybersecurity program is to build resilience. The ability to quickly mitigate the impact and to recover normal business operations is the key to surviving a breach.

Austin Stubblefield

Cybersecurity advocate. Enterprise Sales Leader.

4 months ago

Shamoun, I really enjoyed your article. I was curious about your thoughts around automation and how (if) this factors into your strategy. Thanks!

Mike Ferrari

SVP of Worldwide Sales at Doppel! (I’m hiring!)

7 months ago

This is fantastic! Thanks for sharing Shamoun!

Ali Adil Khan

Senior Executive | Thought Leader in Business and Digital Transformation at the intersection of Data, Digital and GenAI. Insurance, Oil & Gas, Manufacturing and Electric Utilities Industry Experience

8 months ago

Great words of wisdom, thanks for sharing them

Saeed Shaikh

Director Design Assurance

8 months ago

Thanks for sharing, Shamoun. How are you?
