I learned pretty early on that you can’t prevent all bad things from happening, so you need to have the training and tools available to respond quickly and effectively.
As a young emergency medical technician, I was taught the three basic steps to get an unconscious person breathing again. As a military policeman, I learned how to don a gas mask and protective gear quickly, essential skills I would end up using during Desert Storm. As an FBI agent, I was drilled on drawing, firing, and reloading my weapon swiftly and efficiently under all manner of conditions.
What my medical, military, and law enforcement trainers understood was that when bad stuff happens, you need to move quickly and decisively to ensure the best possible outcome. They also knew that preparation and practice were key to responding with confidence.
At Kroll I find myself preaching the same tenets to clients about their security during cyber investigations. What I often learn, however, is that they have invested almost all of their resources into prevention, usually focused on just one type of threat, but have spent little on preparing to respond when prevention fails. Without the right preparation and tools, organizations lose precious time ascertaining the basics: what happened, when it occurred, and how they can contain it. They can also make some really ill-advised moves and choices when they feel backed into a corner.
I’ve seen cases where panicked internal staff attempted to deal with data breaches in ways that weren’t forensically sound; for example, no records were kept of what was tried or by whom. Another case that comes to mind is a client dealing with a breach who was days away from notifying millions of people at huge expense before we were able to determine that only a few thousand had actually been affected.
Prevention is still important, but it needs to be tuned to the fact that bad things will happen. The key is to work with experts who can incorporate processes and tools that will give enterprises unique, real-time insights into their network. For example, we have tools now that enable clients to know right away when new software is introduced on critical machines. Unlike the old paradigm of waiting for an antivirus program to tag software as bad or not, this new approach doesn’t allow unknown software to run for months; rather, it enables clients to deal with the problem on the spot.
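The "know right away when new software lands on a critical machine" approach, as an added example that is not Kroll's tool: a baseline-and-diff check in Python over an assumed monitored directory, exercised with a constructed temporary-directory scenario. In practice the baseline would be stored off-host and the check triggered by a scheduler or file-system events rather than run by hand.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Snapshot every regular file under root as {relative path: sha256}."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline

def detect_changes(root, baseline):
    """Compare the live tree with the baseline; new and modified paths are
    the alerts to triage immediately, removed ones are worth a look too."""
    current = build_baseline(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return new, modified, removed

def demo():
    """Constructed scenario: two known binaries, then an unknown one lands
    and a known one is silently replaced (a temp dir stands in for the host)."""
    root = tempfile.mkdtemp(prefix="critical-host-")
    os.makedirs(os.path.join(root, "bin"))
    for name, data in (("agent", b"known agent v1"), ("backup", b"known backup v1")):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)  # taken while the host is in a known-good state
    for name, data in (("updater", b"never seen before"), ("agent", b"agent v2")):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(data)
    return detect_changes(root, baseline)

if __name__ == "__main__":
    new, modified, _ = demo()
    print("ALERT new software:", new)
    print("ALERT modified software:", modified)
```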
In the same way, this real-time awareness enables clients to determine the immediate implications of a situation, potentially avoiding the need to conduct forensic examinations that are time-consuming and expensive. With the right tools installed, there’s no need to image machines when clients can get answers about their system environment in minutes from across the globe.
However, it’s critical to remember that computer security incidents are only part technology. The human elements, such as security governance and mitigating insider attacks, play a defining role. That is why our Kroll team consists of former FBI agents, prosecutors, state and local cyber crime detectives, computer forensic examiners, and corporate IT security experts. Experts like these help clients take into account all the ways people can undermine security by accident, through negligence, or with malice. Without that insight, companies leave themselves open to being blindsided and scrambling for a response when time is of the essence.
Ultimately, deploying preventative tools built with emergency response in mind will help ensure enterprises are in a good position to limit damage and reduce the total cost of an incident, and are strong enough to fight another day.