3 reasons companies fail to assess the scope of a data breach

Aug 13, 2018 · 10 mins
Data Breach, Hacking, Security

Best advice: Understand your data, have proper event logging in place, and test your incident response plan. (You do have one, don’t you?)


First comes the embarrassing breach announcement. Then, a few days or weeks later, another one — a few million stolen records were missed the first time around. Then another announcement, with another upward correction. With each new revelation, the hacked organization loses credibility and faces greater liability.

“They make a statement too soon after the breach,” says Jon Connet, senior director for corporate strategy at ForeScout. “It’s the drip-drip-drip that killed a lot of these companies. They’re making initial statements based on the first initial forensic findings, weighing the pros and cons of getting ahead of the story and trying to minimize the impact, before they have a firm handle on what happened.”

Public humiliation isn’t the only cost of not knowing the scope of a breach. Even when a breach is never publicized because, say, the only data lost was intellectual property, not knowing what the attackers got their hands on can be extremely damaging to a company financially.

If a company can’t tell which systems were penetrated, then the attackers might still be in the environment, continuing to siphon out data, or getting ready to launch more attacks.

Given how long breaches have been hitting the news headlines, it’s surprising that companies are still having trouble with the issue. So how can companies get on top of the problem? “If you only ever focus on after the breach then the answer is you can’t,” says Adrian Asher, CISO at the London Stock Exchange Group.

The time to start is long before the breach ever happens. “If you haven’t invested in the controls and people before a breach occurs, then when you are in the critical state of a breach you’ll be ill prepared,” he says.

According to Asher and other experts, companies need to have asset inventories, have logging in place, and run tabletop simulation exercises. “These are some of the capabilities that would allow you to be confident of the extent and impact of any breach,” he says.

Below are three common reasons why companies struggle with assessing the scope of breaches along with advice for being better prepared.

1. Not knowing where your data is, who uses it, and how it is used

It all starts with knowing where the data is, Asher says, including both on-premises and in the cloud. Companies also need to know who is accessing that data, how they’re using it, and for what purpose. “These simple requirements are however extremely complex for an organization with many years of legacy and complicated environments that have grown organically,” he says.

Finding out what data is located where is a hard business process, confirms Mike Hanley, VP of security at Duo Security, Inc. “You need to complement that with a good understanding of the businesses processes and assets you’re trying to protect,” he adds. “If you don’t understand how the business is using its data, you might have blind spots about how business processes lead to duplication of data elsewhere.”

The data could also sit with third-party vendors, in file sharing platforms, or in Amazon S3 buckets. Each of those is a potential source of a data breach and requires a different approach to monitoring and forensic analysis.

You’re still liable, even if the data is lost by someone else, says Eric Blatte, president and co-founder at RiskRecon, Inc. At the end of the day, you’re responsible for managing that third-party risk.

“You can’t just stick your head in the ground, or your fingers in your ears,” he says. “You need to have a full catalog of where your data resides, not just who you have a contract with, but who the providers are that they outsource to.”

Last year was a banner year for Amazon S3 data exposures, with Accenture, Dow Jones, Verizon and Uber all having sensitive records exposed from misconfigured or compromised buckets, and the trend continued this year with FedEx, Honda and Los Angeles County.
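As an added example (not code from the article or from any of the companies quoted in it), the check below flags the misconfiguration behind most of those S3 exposures: an ACL grant to one of the two global groups. It works on the dict shape that boto3’s `s3.get_bucket_acl()` returns, so the same functions can be pointed at live output; the ACLs here are constructed so the script runs offline.

```python
"""Flag S3 bucket ACL grants that make a bucket readable or writable by everyone.

Added example, not from the article. Input is the response shape of
boto3 s3.get_bucket_acl(); the sample ACLs below are constructed.
"""
import json

# Well-known grantee URIs meaning "anyone" (AllUsers) or "anyone with an AWS
# account" (AuthenticatedUsers). A grant to either makes the bucket public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_grants(acl):
    """Return the grants in one ACL that go to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        audience = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if audience:
            findings.append({"audience": audience, "permission": grant.get("Permission")})
    return findings


def audit_buckets(acls_by_bucket):
    """Map bucket name -> public grants, for the buckets that have any.

    READ lets anyone list and download objects; WRITE and WRITE_ACP let anyone
    change content or the ACL itself; FULL_CONTROL is all of the above.
    """
    report = {}
    for bucket, acl in acls_by_bucket.items():
        grants = public_grants(acl)
        if grants:
            report[bucket] = grants
    return report


# Constructed sample data in the get_bucket_acl() response shape.
SAMPLE_ACLS = {
    "hr-exports-archive": {
        "Owner": {"ID": "owner-id"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ],
    },
    "build-artifacts": {
        "Owner": {"ID": "owner-id"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
             "Permission": "WRITE"},
        ],
    },
    "internal-only": {
        "Owner": {"ID": "owner-id"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
            # The S3 log-delivery group is an AWS service group, not a public one.
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
             "Permission": "WRITE"},
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(audit_buckets(SAMPLE_ACLS), indent=2))
```

Against a live account you would build `acls_by_bucket` from `s3.list_buckets()` and `s3.get_bucket_acl(Bucket=name)` for each. The ACL is only half the picture: a bucket policy whose `Principal` is `"*"` exposes a bucket just as completely, so the policy from `s3.get_bucket_policy()` needs the same review.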

Doing a data inventory isn’t glamorous, doesn’t generate revenue, and does little to stop a breach from happening in the first place. It’s the kind of basic blocking and tackling that can get postponed indefinitely.

Even if a company understands the necessity, they might not take action. “Maybe there’s something else you want to do first,” says Itzik Kotler, CTO and co-founder at SafeBreach, Inc. “There are different priorities. Each company has a different story. When there’s regulation, it’s easy, it forces you to do something. If there’s not, then it becomes an open question.”

2. Logs to perform proper breach forensics are missing

Many companies don’t have the right logs in place to be able to tell where a breach occurred, and what data was lost. There are several reasons for this, says Thomas Etheridge, VP of services at CrowdStrike, Inc.

Some of it is due to not knowing what logs are needed, he says. There’s also the financial reason, of course. “It takes money for companies to store and maintain logs,” he says. “Having the budget and investment there is very important.”

Finally, the company needs to configure the logs correctly and know what to do with the information. That’s where practice helps, Etheridge says. Going through a simulated breach can help a company identify gaps in coverage. Since qualified forensics experts are hard to find, some companies also keep an outside forensics team on retainer, he adds.

Another problem with logs is knowing how much to collect, not just when there’s something unusual happening, but when everything seems to be going right. “Take a SQL injection attack in the body of a post request,” says Jeff Williams, CTO and cofounder at Contrast Security. “Most of that data is never logged. It’s not logged at the firewall or at the app server. It’s up to the application itself to log it, but from the application’s perspective, nothing really goes wrong.” So, the actual attack might never be logged anywhere, he says.

Beyond the various injection-style attacks, other attacks that leave no trace are the misuse of valid credentials and authorization bypasses. “If someone unauthorized sees your password and logs into your account, the system doesn’t know that there’s an attack there,” Williams says. “If someone finds a way to exceed their privilege and take some action they weren’t authorized for, that typically doesn’t get logged.” Encryption problems are also almost never logged, he adds.
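The gap Williams describes is easy to see in code. The following is an added example, not code from the article or from Contrast Security: it reproduces what a web server’s combined-format access log records for a POST (no body), then shows the application-side security logging that would capture the same three events, an injection attempt, a normal lookup and a privilege overreach. The handler, the request objects and the log format are constructed; only the standard library is used.

```python
"""Why an attack in a POST body never shows up in server logs, and what
application-level security event logging looks like instead.

Added example, not from the article. Request data and log shapes are constructed.
"""
import json
import re
import sqlite3
from datetime import datetime, timezone


def access_log_line(client_ip, method, path, status, size):
    """A combined-format access log entry: method, path, status and size only.
    The request body is not part of the format, so a payload sent as a form
    field leaves no trace here."""
    ts = datetime.now(timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{client_ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "-"'


SECURITY_EVENTS = []  # stand-in for a log handler that ships to a SIEM


def security_event(kind, **fields):
    """Record one structured, timestamped event with what an investigator needs
    to scope an incident: who, from where, what was asked for, the outcome."""
    event = {"ts": datetime.now(timezone.utc).isoformat(), "event": kind, **fields}
    SECURITY_EVENTS.append(event)
    return event


# Crude signal for SQL metacharacters in a value that should be a plain username.
# This is not the defence (the parameterised query is); it only makes the
# attempt visible in the application's own log.
SUSPICIOUS = re.compile(r"(--|;|'|\bor\b|\bunion\b|\bselect\b)", re.IGNORECASE)


def handle_lookup(db, request):
    """A /lookup handler: authorisation check, input inspection, parameterised
    query. Returns (status, rows). Denied and suspicious steps are logged even
    though, from the application's point of view, nothing goes wrong."""
    actor, ip, body = request["user"], request["ip"], request["body"]
    if "lookup" not in request["roles"]:
        security_event("authz_denied", actor=actor, ip=ip, action="lookup")
        return 403, []
    username = body.get("username", "")
    if SUSPICIOUS.search(username):
        security_event("suspicious_input", actor=actor, ip=ip, field="username", value=username)
    # Parameterised: the payload is matched literally and the query returns nothing.
    rows = db.execute("SELECT id, email FROM users WHERE username = ?", (username,)).fetchall()
    return 200, rows


def setup_db():
    """In-memory SQLite table with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    return db


def demo():
    """Run a normal request, an injection attempt and a privilege overreach,
    print what the access log would show, and return the kinds of event that
    only the application-level log captured."""
    SECURITY_EVENTS.clear()
    db = setup_db()
    requests = [
        {"user": "alice", "ip": "10.0.0.5", "roles": ["lookup"], "body": {"username": "bob"}},
        {"user": "alice", "ip": "10.0.0.5", "roles": ["lookup"],
         "body": {"username": "x' OR '1'='1"}},
        {"user": "mallory", "ip": "198.51.100.7", "roles": [], "body": {"username": "bob"}},
    ]
    for req in requests:
        status, rows = handle_lookup(db, req)
        # access_log_line() never sees req["body"]; the injection is absent here.
        print(access_log_line(req["ip"], "POST", "/lookup", status, len(json.dumps(rows))))
    return [e["event"] for e in SECURITY_EVENTS]


if __name__ == "__main__":
    print(demo())
    print(json.dumps(SECURITY_EVENTS, indent=2))
```

Two of the three requests return HTTP 200 and look identical in the access log; only the application’s own event stream distinguishes the injection attempt from the legitimate lookup. In production the `value` field should be truncated or hashed when a parameter might carry secrets, and these events need the same retention as the access logs so they are still there months later, when the breach is found.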

“Sometimes you won’t see hardly anything,” agrees Bob Anderson, principal at The Chertoff Group. Anderson spent 30 years in law enforcement and has recently been called in as an expert witness in several class action lawsuits, running into the hundreds of millions or billions of dollars. These lawsuits don’t make the news, he says, because the deals are kept confidential.

“I don’t think most companies understand how much this is going to cost them,” he says. “Even if you win, you’re going to spend tens of millions of dollars defending yourself.” If a company doesn’t have proper logging in place, Anderson adds, it could face additional, and heavy, monetary sanctions in these class action lawsuits.

Some attacks leave no record because they never register on the systems, because zero-days are used, or because the attackers deliberately erase their tracks. But one common problem is simpler: companies have logging capabilities in place and never turn them on. “A lot of companies don’t understand what software they’re running that automatically defaults to off,” Anderson says. “Even if they have logging systems, they don’t have the logs. This is a huge problem.”

3. Failure to spot the breach in a timely manner

The longer it takes a company to spot the breach, the more damage the attackers can do and the harder it becomes to assess that damage. “I used to work for a large chemical company, and when you had a breach, that is the first question you had to answer: What is the scope of this intrusion?” says Tim Bandos, VP of cybersecurity at Digital Guardian. “Identifying every endpoint that was involved is critical because the bad guy could leave back doors and other tools in place.”

Bandos says he was involved in one situation where over a hundred devices had been touched by a single breach. The longer the attackers stay in, the more sensitive information they can snag, the more malware they can install, and the harder it will be to disinfect all the systems.

“A company, once breached, cannot be sure the whole incident is over and no surprises lay ahead,” says Elad Shapira, head of research at Panorays, an Israel-based security firm. “If, say, your server is breached and you restore it back to normal, the breach will probably happen again if you don’t find and mitigate the root cause.”

There have been several high-profile incidents where attackers published stolen data and then released more on later occasions, Shapira says, among them the Anonymous attack on HBGary and the Shadow Brokers’ successive releases of stolen NSA hacking tools. “In the case of a ransomware infection you cannot tell that after paying up you won’t be targeted again, or even suffer further damages,” he adds.

According to the latest Verizon Data Breach Investigations Report, 68 percent of breaches took months or longer to discover. In fact, many companies don’t even find out about a breach until they’re notified by a third party, says Etheridge. For example, customer records could show up on the dark web, or stolen credit card numbers start being used for fraudulent transactions.

A well-rehearsed incident response plan is critical, and companies should consider using outside experts to help test the plan, and to do forensics once a breach occurs. “Even Fortune 500 companies have to call in external companies to help them with that,” says Mark Weatherford, SVP and chief cybersecurity strategist at vArmour and board member of the National Cybersecurity Center.

Those relationships should all be in place long before a breach occurs, Weatherford says. “The worst time to start looking through the phone book for someone to help you is in the middle of the incident.”

GDPR and other regulatory reporting requirements raise the stakes

Under Europe’s General Data Protection Regulation (GDPR), in force since this past May, an organization handling the personal data of EU residents must notify the supervisory authority within 72 hours of becoming aware of a breach, describing its nature and likely consequences as far as they are known; details that cannot be established in time may be supplied in phases. Neither GDPR nor US breach notification laws impose a specific penalty for failing to discover a breach in the first place, but if the ignorance was willful or deliberate, class action lawsuits may follow.

GDPR and new data privacy regulations in California are an opportunity for companies to rethink their data management strategies and build in systems from the ground up to track the location of data and monitor access to it. The regulations will also focus the attention of senior management and bring in necessary funding.

The ongoing digital transformation of companies also creates new possibilities. “The cloud is an opportunity to get it right,” says London Stock Exchange’s Asher. “So, for companies, large and small, I would suggest they think about the legacy they are creating for tomorrow, today.”