Monday, November 24, 2008

IR Preparedness

As a responder, I often hear two reasons for folks calling for help after a breach has occurred (aside from the rather obvious one, that is) - the caller either wants to be sure that they're performing "due diligence", or they're interested in bringing in a disinterested third party to have a look at things.

Every now and then when I get a chance to sit back and reflect, something strikes me. Most often those things were right there in front of me all along, and I just never noticed them. Things like these reasons that people give me.

Take for example the reason of "due diligence". It occurs to me that if someone were really interested in performing due diligence, they would've called me before the incident occurred, to ensure that they were prepared to handle an incident. Closing the barn door and shutting the stall doors after the horse has left is not "due diligence".

What about the "disinterested third party"? If you call a consulting company to come help you contain and recover from an incident, the fact that you're paying them obviates the "disinterested" part of the description, doesn't it?

Many times, folks at an organization looking for assistance after an incident has been detected will say that they want an outside firm to handle the examination in case the issue ends up going to court. But what's the real difference between the victim organization performing the investigation and an outside firm doing so? The outside firm most often has a documented process, or at the very least documents what they did in their report.

The primary reason that consulting companies are called when an incident occurs is that the organization was simply unprepared for an incident. Regardless of legislative or regulatory requirements, they're simply unprepared.

This is not to say that when an incident occurs, you should not call someone for assistance. Rather, I'm reiterating my response from the SANS Forensic Summit panel when Rob Lee asked the panel members about response time to a call...my response was that the best time to call someone for help is before an incident occurs. At the very least, you can protect your organization by demonstrating due diligence.

Costs of not being prepared
Fines - legislative/regulatory oversight often comes with some kind of fine
Notification - writing and mailing letters is going to cost time and money
Charges - 20,000 Visa credit card numbers are exposed...who's going to pay for the cost of reissuing all of those credit cards? You get three guesses, and none of the answers are "Visa" or "the card holder". And two of your guesses don't count.
Suits - Civil suits have been brought against organizations as a result of a breach; just defending yourself is expensive

Something very important to remember about regulatory requirements is that in many cases, unless you're able to definitively identify the data that was exposed, you may have to notify on ALL data that could potentially have been exposed. So, if the database containing 6 million records was compromised, and you were not prepared for an incident, and you think that only 23,000 records were exposed...but you don't know for sure...guess how many people you're going to have to notify? You get three guesses, and the first two don't count.

Benefits of Incident Preparedness
Compliance - with legislative and regulatory requirements
Lower overall cost - the upfront cost of doing nothing is...nothing; in the long run, however, costs mount.
Confidence - from your Board of Directors and the consumer (b/c you're demonstrating "due diligence")

As long as we use IT assets to conduct business, and as long a people are part of the process, there will always be a need for incident response. Incidents are always going to occur, without question. The difference today (and tomorrow) is if you're going to be prepared for an incident...or not.

No comments: