Your company has been breached and your executives are in denial.

That is the phrase that came to mind the other day during breakfast at RSA with Intel’s security organization, where I overheard the following story. My ears perked up when I heard the word “spearphishing,” which was key to a personal story being told by one of the Intel executives. Spearphishing is when an attack specifically targets someone in the firm in order to steal their credentials and/or compromise their hardware.

Apparently, the Intel exec received an email with a PDF document from an alleged Chinese graduate student. The email contained personal information on the graduate program the executive had been in and enough personal information about the school that it looked legitimate. It requested he review the attached dissertation in PDF form. The PDF itself didn’t trigger any alarms and looked harmless, but instead of opening it he sent it down to the McAfee lab to see if it was hostile. It was and, according to the lab, it contained multiple instances of never-before-seen malware. In other words, not only had they spearphished the executive, they had designed a package that was unique so that malware detection systems wouldn’t see it as hostile. We were warned years ago that PDFs were particularly dangerous, but even with the interim patches the danger, based on this event, hasn’t been mitigated.

What I find particularly scary is that the malware was coded specifically to go after a security firm executive. Security firm executives are attractive because if they are compromised the information gained may provide a key to getting access to all of their clients.

We can’t depend on people doing the right thing

In this instance the executive did the right thing, but how many of his peers in his firm or another received some variation of this attachment? And the bigger question: how many of them opened their own personalized attachment and, as a result, how many security firms are now compromised?

We know our kids’ computers are likely compromised, and since both our PCs and gear often reside on the same networks, our systems could become compromised. We could then become carriers when we ignorantly carry these systems back into the office. Granted, if we are smart these machines are scanned before being allowed onto the network, but scans often can’t identify unique malware specifically written for one or more individual employees. We know our own executives aren’t that smart, so the odds that we are breached just got dangerously close to certain.

The ‘Golden Hour’

The Intel folks were talking about “the Golden Hour,” or the time you have between when a breach occurs and when you need to have it identified and mitigated. One of the other folks at the table was talking about the fact that major banks are being driven to make instantaneous funds transfers, which means that the typical one to five day grace period that allowed the banks to look into a transaction will soon be gone, and that Nigerian prince who is so generous with his fake money is about to be very rich with yours.

If we think about this idea of already being breached we would approach security very differently. Right now our focus is basically on prevention, but that clearly isn’t working. If you know a hostile entity is already operating inside the company you focus more on aggressive identification (McAfee SIEM) and response (Invotas) and on securing the information itself better (Varonis).

Or put differently, if burglars are already in your home it is too late to put stronger locks on the doors. Instead you focus on hiding your valuables and coming up with a way to get the burglars to leave. Same thing here: if we accept that we’ve been compromised, we make sure our intellectual property can’t go anyplace we don’t want it to go, and then we focus on finding and eliminating this illegal access. SIEM (Security Information and Event Management) technology wrapped up under a universal console (what Intel/McAfee is providing), tied to an automated response system (which is what Invotas provides), gives you a “kick them out” weapon; having your IP protected by Varonis gives you time to execute before your valuables make their way out of the building.

The best data breach defense involves 3 layers of protection

While I know Sony has deployed some of these tools after their breach, I haven’t yet found anyone that has deployed this specific mix. I think you need all three components, SIEM, Automated Threat Response and Automated Unstructured Data Protection, in order to make sure you have time to mitigate a breach in progress and can actually do so. The vendors I highlighted were selected because they are the ones I’m familiar and sometimes work with and would be a good place to start (McAfee, Invotas, and Varonis). I picked McAfee because of their Intel connection and the related strategy change focusing them on interoperation; Invotas because they seem the most aggressive in threat response; and Varonis because they are currently the best at unstructured data protection. However, the ideal mix will likely have as much to do with how well the individual components (particularly the first two) interoperate.

In the next few weeks I’m going to try to look for someone that has deployed this mix of capabilities and report back on what an actual ideal product mix would be.

Until then, you may want to remind all of your executives and IT folks to avoid opening attachments from anyone they don’t know, or that they weren’t already expecting (in case that person they know was spoofed), on anything but an isolated sandboxed PC unless they want to be infamous inside the firm. And if they’ve already opened an attachment (particularly a PDF) they weren’t expecting, the attachment should be sent to your security team for evaluation. If it was safe, good; if not, the security folks need to immediately start the process of mitigating the damage and making sure this event is isolated and won’t recur.

I have a feeling this is a bad decade to be a CSO.
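The "identify, then kick them out" layer described above, as an added example that is not code from the post or from any of the vendors it names: a SIEM-style correlation over constructed endpoint log lines (a PDF reader spawns a child process, and that child opens an outbound connection within a short window) feeding a stand-in automated-response hook that isolates the host. Host names, process names, addresses and the log format are all assumptions constructed for the example.

```python
"""SIEM-style correlation plus automated response for the PDF-attachment case.
Rule: a process whose parent is a PDF reader makes an outbound connection
within WINDOW of being spawned -> alert and isolate the host.
All telemetry below is constructed sample data, not real logs."""
from datetime import datetime, timedelta

# Constructed endpoint telemetry: "timestamp|host|event|key=value ..."
LOGS = """\
2015-04-22T09:01:10|ws-exec-01|proc_start|name=acroread.exe parent=outlook.exe
2015-04-22T09:01:12|ws-exec-01|proc_start|name=cmd.exe parent=acroread.exe
2015-04-22T09:01:14|ws-exec-01|net_conn|dst=203.0.113.7:443 proc=cmd.exe
2015-04-22T09:05:00|ws-hr-07|proc_start|name=acroread.exe parent=explorer.exe
2015-04-22T09:06:30|ws-hr-07|net_conn|dst=198.51.100.9:443 proc=chrome.exe
""".splitlines()

PDF_READERS = {"acroread.exe"}      # assumed reader process names
WINDOW = timedelta(minutes=2)       # assumed correlation window

def parse(line):
    """Split one log line into (timestamp, host, event, {key: value})."""
    ts, host, event, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return datetime.fromisoformat(ts), host, event, fields

def correlate(lines, window=WINDOW):
    """Return [(host, timestamp)] for every connection that matches the rule."""
    spawned = {}   # host -> (time, child process name) of last reader-spawned child
    hits = []
    for ts, host, event, f in map(parse, lines):
        if event == "proc_start" and f.get("parent") in PDF_READERS:
            spawned[host] = (ts, f["name"])
        elif event == "net_conn" and host in spawned:
            t0, child = spawned[host]
            if f.get("proc") == child and ts - t0 <= window:
                hits.append((host, ts))
    return hits

def respond(hits, isolated=None):
    """Automated-response hook (constructed): record each hit host as isolated."""
    isolated = set() if isolated is None else isolated
    for host, ts in hits:
        isolated.add(host)
        print(f"{ts.isoformat()} ALERT {host}: reader-spawned process opened "
              f"an outbound connection; host isolated from the network")
    return isolated

if __name__ == "__main__":
    respond(correlate(LOGS))
```

Only ws-exec-01 trips the rule: the browser connection on ws-hr-07 is not a child of the PDF reader, so normal PDF use does not alert.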