Breach Response: Fighting Persistent Intruders
Expert Offers Lessons Based on Study of Breached Organizations
Because hackers often find a way to stick around or repeat their network intrusions after remediation efforts are completed, organizations need to ramp up their "continuous detection" efforts, says security expert Wendi Whitmore of the security consultancy CrowdStrike.
CrowdStrike's analysis of dozens of its clients' breach response efforts, described in a new casebook, shows that all of the hacked organizations "faced the attackers trying to get back into their environment and re-infect them after they concluded their remediation event - which is the event that is the culmination of the investigation and you try to eject the attacker from your environment."
That's why it's essential for organizations to focus on "continuous detection and visibility into their environments," she stresses.
Often after a large breach, organizations believe that they are "wiping the slate clean" once remediation processes, including implementation of new technologies, are completed, Whitmore notes. But in reality, these organizations remain prime targets for new or repeated attacks, which is why they must ramp up efforts to detect and contain intrusions.
Another essential element of any effort to detect and remediate breaches, Whitmore says, is training the workforce to act on the warning signs that something is amiss. Companies often invest in technologies that can alert staff to potential security incidents, yet the staff is not properly prepared to carry out the processes needed to contain those incidents, she notes.
CrowdStrike's analysis also found that the organizations that handled incidents more successfully had conducted penetration tests as well as "table-top exercises that involve stakeholders, including the CEO, operations department and general counsel and communications staff," she says.
"As organizations get more mature, they tend to do these things more frequently, such as testing out new scenarios on a quarterly basis so that they can continually identify areas for improvement and gaps," Whitmore says. "So if they actually go through one of these breaches, it's not the first time for everyone. They understand the playbooks. They understand what they are going to communicate."
In the interview, Whitmore also discusses:
- Other key findings in the CrowdStrike analysis;
- How the healthcare sector compares with other industries in its ability to detect and defend against cyberattacks;
- Tips for protecting medical devices from becoming entry points for cyber intrusions into healthcare networks.
Whitmore has more than 10 years of experience in computer security, including a career with the U.S. military. As vice president of services for CrowdStrike, Whitmore and her team respond to security breaches and offer remediation services. Previously, she was a managing director for Mandiant's Los Angeles office, where she led a team of security consultants that responded to large security breaches throughout the world.