Instead of trying to prevent breaches, organisations should focus on reducing the time between a data breach and containment to minimise their loss, said Stuart Clarke, Director of Cybersecurity & Investigation of Nuix, in an interview.
According to a 2013 study by Ponemon Institute and HP Enterprise Security Products, most organisations take an average of 32 days to resolve data breaches, giving cybercriminals ample time to cover their tracks. "By the time organisations get around to analysing a breach, the evidence of what happened can be much harder to find," said Clarke.
When asked why data breach investigations take so long, Clarke said that organisations with lengthy investigations most likely had weak information governance strategies. "Few organisations have a real grasp of what important data they hold and where it is, thus they have no idea of where to start looking when there is a breach."
The lack of threat intelligence sharing is another cause of long data breach investigations. "Recent point-of-sale attacks against US retailers Target and Home Depot involved very similar malware variants. If the community better shared such information, we could improve the way we protect data and respond to attacks," Clarke explained.
To help organisations reduce the time between a data breach and containment, Clarke provided the following tips:
- Have an effective information governance policy so that it's easier to identify the lost data and the areas to look at when there is a breach.
- Implement policies that increase security awareness across the organisation.
- Build a library of intelligence about breaches, and invest in post-breach analysis solutions that can ingest intelligence from external sources. This will allow you to streamline your breach analysis as you are aware of the most likely attack sources and methods.
- Capture lessons learnt from breaches, whether they happened to you or to others, and use them to configure your monitoring solutions so that they harvest the most relevant information for your analysis.
"These steps will allow organisations to catch incidents before they matter or contain them before they can do a lot of damage. Organisations can thus reduce the overall cost and scope of data breaches, and minimise the knock-on effects such as reputation damage," concluded Clarke.