• United States




5 steps to enable you to stare back in the face of inevitable compromise

Jan 10, 20186 mins
Data BreachSecurity

How to deal with the safe guess that your company has been breached.

password security privacy hacker breach phishing
Credit: Thinkstock

I’d bet my salary that your company has been breached. Which is not ironic, because you’re betting your salary, i.e., your job, if you think otherwise.

It’s been famously said that there are only two types of companies: those who know they have been breached, and those who don’t know it yet.

Here is what you’re up against (not good odds):

  • Those who hack for sport: Don’t bet that you’re smarter than everyone else, that your design, implementation and configuration are error-free. Hackers take that as a personal challenge to prove you wrong.
  • The APT: A determined nation-state-like organization with time and resources available.
  • Equipment failures: Strong security measures that stop working correctly during unusual conditions (e.g., power failures or hardware failures).
  • Insider threat: Imposters working for someone else, bitter personnel on their way out or “activist” employees.
  • Criminal elements: Those motivated by the almighty dollar, at your expense.
  • Accidental compromises: Due to the fallibility of the humans who use and operate the network.

“How can you be so sure?” is the question I sometimes get when speaking on this topic. But decades of experience breaking other peoples’ toys, helping to protect our own and looking at my own broken toy parts have taught me otherwise. Their question is actually an attempt for reassurance in a time of intensifying security uncertainty. It is a Hail Mary pass in hopes that never-ending reports about security breaches aren’t guaranteed to decimate their data, exploit their users’ personal information, steal what is proprietary and confidential, and leak sensitive secrets.

I would prefer the question inspired would be the far more consequential, “What should we do given that inevitability?”

Segmentation and recovery

An organization that has implemented the fundamentals of segmentation to mitigate the extent of an attack’s damage will find that they have also reaped an additional benefit: a much more efficient recovery.

It’s a truism that counter-breach strategy starts and ends with segmentation. You use it to prevent compromise to begin with, you use it to restrict the scope of compromise when you are indeed breached, and you use it to reconstitute to a fully operational state post-breach.

That’s because access segmentation is essential to the more advanced cybersecurity protocols of failure recovery, visibility and inspection. So not only will implementing fundamentals prevent threat actors from stealing or destroying their most valuable assets – they also create a network that can safely return to normal operations with far less cost, loss, disruption and downtime.

Simply put, no matter how sophisticated its execution, “clean up on aisle 9” is not a very strong or satisfying cybersecurity posture. And it is definitely not an effective one.

5 steps for dealing with a breach

Even the most innocuous threat actors (a term as oxymoronic as it is Orwellian)—those more motivated by the desire to wreak havoc for havoc’s sake rather than for state-sponsored terrorism or industrial espionage—can leave a dumpster fire where your competitive advantage used to reside.

Here are the five crawl-walk-run things you should do in the face of inevitable breaches:

  1. Create an organizational Incident Response Plan, and exercise it. An IRP plots different scenarios and provides a playbook to follow when a breach occurs. Each breach is different, and there is not cookie-cutter approach, but speaking euphemistically, you don’t want to have to learn to fly the plane or fix the engines in a time of crisis.
  1. Execute the security doctrine of macro and micro segmentation. Give access to systems and data to those who need it, but no one else. Whoever first said, “Don’t put all your eggs in one basket” was a cybersecurity visionary. Better yet, practice agile segmentation, a strategy enabled by cutting-edge firewall products, which grants and retracts according to the need in real time. It’s not only better for security, but it actually increases business productivity by enabling great collaboration without fear.
  1. Regenerate from a known secure state. Post-breach, you still need to be able to regenerate to a known secure state. If you are waiting for an attack to serve as a wake-up call, it will be extraordinarily difficult to recover from it (especially from an APT, whose middle name is “persistent”). To confidently recover from a breach, ensure you have a pristine version of your operating systems and configurations for your security architecture. This is the “gold copy” of your security system that is stored securely offline. From that secure beachhead, you can get your other operating systems and applications up and running.
  1. Measure and adapt to changes in your resiliency risk. Agile segmentation, team-oriented cybersecurity strategy over a security fabric and the cloud have made the security concept of auto-resiliency a reality. Today, in the IT world, we measure the reliability of our networks (“How many .9s of reliability do I have?”) and make adjustments. We need to steal a page from that playbook and score (measure) the quality of our resiliency posture in real time. A resiliency score will allow you to stay “left of boom” (take actions before a bad thing happens) by, say, clamping down on segmentation, isolating and auditing a suspicious access point, blocking an application’s access to the data center, or spinning up new capacity in the cloud.
  1. Auto-regeneration. For the inevitable time when you find yourself “right of boom” (i.e., you were breached), use centrally orchestrated micro and macro segmentation to effectively navigate an attack’s aftermath to regenerate, via orchestration, to a known secure point, to return to normal operations quickly and automatically. Since the goal of any threat actor or adversary is persistence—their efforts are meaningless if simply shutting down a system will stop them—they go to great lengths to ensure that they will still be able to maintain the compromise even after a system has been reconstituted. Auto-regeneration, from a known pure platform, has the potential to turn weeks of down time into minutes.

In a digitally driven and increasingly hyper-connected global business landscape, the potential to reach, engage, influence and inform your most critical audiences, stakeholders, strategic partners, customers and collaborators is giving rise to opportunities never before possible. But that reality also reveals a simple new truth: The more you are able to connect with others, the more others are able to connect with you. As threat actors become increasingly dexterous and experienced, that connectivity can be transformed into a tremendous liability for those organizations that fail to view the new digital business realities from all angles.

Those reluctant to take that bet I offered should ask themselves why not. If it is because they doubt the implications of this new business fact of life—or worse, fear them—they may soon realize that they are in fact gambling with something far more valuable than a single paycheck.


Phil Quade serves as Fortinet’s Chief Information Security Officer and brings more than three decades of cybersecurity and networking experience working across foreign, government and commercial industry sectors at the National Security Agency (NSA) and U.S. Senate. Phil has responsibility for Fortinet's information security, leads strategy and expansion of Fortinet's Federal and Critical Infrastructure business, and serves as a strategic consultant to Fortinet's C-Level enterprise customers.

Prior to Fortinet, Phil was the NSA Director's Special Assistant for Cyber and Chief of the NSA Cyber Task Force, with responsibility for the White House relationship in Cyber. Previously, Phil also served as the Chief Operating Officer of the Information Assurance Directorate at the NSA, managing day-to-day operations, strategy, and relationships in cybersecurity.

The opinions expressed in this blog are those of Phil Quade and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author