By Daniel Clayton, Director, Rackspace Managed Security
In today’s security landscape, it’s not a matter of if a company will be attacked, but when. Forrester Research reports that 49 percent of global network security decision-makers have experienced at least one breach during the past 12 months. Research shows the average company loses $141 per compromised record, with the greatest loss in the healthcare industry, where $380 is lost per compromised record, not to mention the legal implications when patient data is put at risk.
Though every security event is different in size, scale and complexity, the immediate priorities should be the same. First, it’s important to establish the ground truth: what has happened? What data has been lost, and what is the scope of the breach? Which parts of the business have been impacted? Identify an incident response leader, establish an incident room and gather the right people to determine who, what, when and how.
Specifically, understanding who or what actor was behind the breach helps answer the why and how: the adversary’s motivations, tactics, techniques and procedures. It’s important, though, not to spend too much time on this step, because you run the risk of getting bogged down without answering the other key questions. While attribution is helpful, it’s not the end-all be-all of an investigation.
Next, determine what data was taken and the scope of the data compromised. This can help you understand why the adversary targeted these systems. Identify when the data breach occurred and its duration. This will narrow down a timeframe for the security team to analyze. It is also important to determine where the breached data was stored to help limit the scope of the investigation and focus efforts on a specific set of systems, cutting down the time it takes to begin the investigation.
Once the who, what, when, where and how are determined, the next step is to figure out the best way to stop or slow the bleeding. This will depend on the adversary and how long the breach has been active. If it’s the first time they’ve come into the environment and they have been in for 24 hours or less with minimal actions taken, it’s advisable to cut off access immediately. If the breach has gone on for an extended amount of time, it’s likely they have multiple ways to get back into the environment, and the war team needs to assess those before they fully engage.
Communication is a constant activity in each step. First, establishing an internal communications plan is critical: there will be multiple teams within the organization responding to the breach, and it’s important for everybody to be aligned. Second, the healthcare organization must think about what to tell patients. Finally, there’s the legal side. Take into account what the organization is obligated to tell people, what the right thing to do is in terms of transparency, and when to make those calls and speak to the press. Oftentimes, security experts assume the worst, so it’s important to have the communication piece buttoned up and be clear about what is being said; otherwise the situation can be made worse.
When all is said and done, go back to the drawing board and prepare for the future. Determine key learnings from each step and practice them. Data is absolutely critical to a healthcare organization. Providers should assume they will be attacked and prioritize protecting the data when that attack happens. The security operation needs to understand the threat landscape: which threat actors target healthcare organizations? Which TTPs (tactics, techniques and procedures) do they use to target those organizations? Then build the specific capabilities that will enable you to mitigate those attacks.
Time is critical, so establish ahead of time how you are going to react and who is going to be involved, then practice it. Response must become a drill: people make bad decisions under pressure, and bad decisions in the midst of a cyber event would be catastrophic for a healthcare organization. Live and realistic war-gaming is the most effective way to build the incident response muscle memory that minimizes business impact in the case of a major cyber event.
About The Author
Daniel Clayton is the director of security operations at Rackspace, where he is responsible for global customer security operations and strategy. He currently oversees the Rackspace Managed Security Customer Security Operations Center and is part of the executive team that aligns strategy, technology and execution across the Rackspace global enterprise.