Rethinking response: the benefits of seeking external support

Why your organization should look to external support following any event, incident or breach.


Despite our best efforts, we can’t prevent each and every security event, incident, or breach. And when these situations do occur, many of us rely solely on our organization’s internal teams and resources. Indeed, most response tactics remain not just largely internal but also largely unchanged in recent years. Given the complex cyber and physical risks we are now facing, however, more organizations are seeking external support not just from forensics firms but also from leading industry experts. Here’s why your organization should, too:

Access greater insights and resources

Regardless of whether traditional forensics efforts are conducted externally, they aim to help us answer the question “what happened?” And although determining the “what” following any event, incident, or breach is critically necessary, all too often we stop there. In some cases, the resulting damages could be far more widespread or complex than initial forensics efforts might reveal. Figuring out where to look for damages and when to stop looking can further complicate any response strategy. But by supplementing forensics with support from industry experts, we can gain additional visibility into not just the “what” and the “where” but also the “why?”, the “who?”, the “when?”, the “how?” and, most importantly, the “how can we help prevent this from happening again?”

I’ve written previously about how information sharing in security and intelligence can expose us to greater resources and expertise, and that also holds true following any event, incident, or breach. By seeking support and guidance from trusted industry experts, we automatically expand our pool of tools and knowledge.

For example, let’s say that your organization’s forensics efforts helped attribute a data breach to a zero-day software vulnerability that was exploited by an unknown adversary. While these insights enabled you to patch the vulnerability, they didn’t reveal who the adversary was or what motivated them to seek and obtain access to your internal database. But by supplementing these forensics with the support of third-party experts who have visibility into the Deep & Dark Web communities where similar adversaries have been known to congregate, your organization can become better acquainted with the context surrounding the breach. And we’re all aware that the more we know about the factors contributing to any event, incident, or breach, the more secure we’ll be moving forward.

Learn from past breaches

As someone who’s experienced this both from the perspective of the victimized organization and from the perspective of someone who has helped to support another organization following a breach, I’ve seen firsthand just how beneficial the right third-party insights can be. By sharing what I’ve personally learned from past breaches, I’ve been able to help other organizations not only avoid the mistakes that I and others have made, but leverage these insights to mitigate damages and ultimately strengthen their security and risk postures moving forward.

And especially for organizations that are younger, smaller, or have never experienced a significant security event, incident, or breach firsthand, seeking support and guidance from those who have can be truly invaluable.

Gain peace of mind

Even for larger companies with robust internal capabilities, any security event, incident, or breach can degrade our confidence, cause us to second-guess our expertise, and make us question whether our response efforts were truly effective. These concerns are entirely legitimate, which is why having access to trusted third-party experts can be so valuable. Indeed, gaining the support and validation of a second (or third, etc.) set of eyes can help us ensure that we’ve assessed the scope and impact of the damages effectively, identified the factors contributing to these damages accurately, mitigated these damages to the highest extent possible, and taken appropriate measures to reduce the likelihood of having a similar situation occur in the future.

When reviewing third-party firms to work with in these challenging situations, we should strive to partner with experts capable of supporting communications efforts, facilitating external information sharing, assessing the extent to which other organizations or sectors were impacted by the event, monitoring Deep and Dark Web forums and marketplaces for the presence of compromised data or other assets, and identifying and verifying any claims of credit from culpable adversaries. Above all else, it’s crucial for us to recognize that seeking external support following any event, incident, or breach can ultimately help all of us and our stakeholders be more secure moving forward.

Copyright © 2017 IDG Communications, Inc.
