
BTEX 2021 : Prepare, Respond and Recover from a Security Breach

More than four out of five organizations in 2020 experienced a cybersecurity incident due to the poor security hygiene of a third-party partner.

More than four out of five organizations we surveyed in 2020 experienced a cybersecurity incident due to the poor security hygiene of a third-party partner, says Noor Bains, Senior Security Solutions Architect, CDW Canada, speaking at CDW's BTEX 2021 virtual event. We understand that partners provide vital services. However, they also provide opportunities for malicious actors to circumvent even the best security controls.

Bains suggests deploying an identity and access management solution, as well as having an identity and access management process, to ensure that vendors who require access to systems and data can be authenticated and identified. This process should incorporate regular user attestation and make it possible to remove user access to data and systems when it is no longer required. Access to data and systems should be enforced so that only the access and visibility required to perform the tasks is granted.
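The attestation process described above, as an added example that is not from the talk or CDW: a review over a constructed inventory of third-party accounts that flags overdue attestations, access that is no longer being used, and entitlements beyond what each vendor's tasks require. The 90-day and 30-day thresholds, the account names and the entitlement labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Assumed review thresholds (not from the talk): re-attest every 90 days and
# treat access unused for 30 days as no longer required.
ATTEST_EVERY = timedelta(days=90)
UNUSED_AFTER = timedelta(days=30)
REVIEW_DATE = date(2021, 6, 1)   # constructed "today" for the sample run

@dataclass
class VendorAccount:
    username: str
    vendor: str
    last_attested: date   # when a business owner last confirmed the access is still needed
    last_used: date       # last authenticated activity seen for the account
    entitlements: set = field(default_factory=set)  # systems and data the account can reach

def review_vendor_access(accounts, required, today):
    """Return {username: [findings]} for accounts that fail the attestation checks.

    `required` maps vendor -> the entitlements its contracted tasks actually need,
    so anything beyond that set is flagged as excess access.
    """
    findings = {}
    for acct in accounts:
        issues = []
        if today - acct.last_attested > ATTEST_EVERY:
            issues.append("attestation overdue: owner must re-confirm or revoke")
        if today - acct.last_used > UNUSED_AFTER:
            issues.append("unused: remove access until the vendor needs it again")
        excess = sorted(acct.entitlements - required.get(acct.vendor, set()))
        if excess:
            issues.append("excess entitlements: " + ", ".join(excess))
        if issues:
            findings[acct.username] = issues
    return findings

# Constructed sample inventory of third-party accounts and what each vendor needs.
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-hvac", "hvac-vendor", date(2021, 3, 1), date(2021, 5, 30), {"bms-portal"}),
    VendorAccount("svc-payroll", "payroll-vendor", date(2021, 5, 15), date(2021, 3, 1), {"hr-db", "file-share"}),
    VendorAccount("svc-msp", "msp", date(2021, 5, 20), date(2021, 5, 31), {"vpn", "domain-admin"}),
]
SAMPLE_REQUIRED = {"hvac-vendor": {"bms-portal"}, "payroll-vendor": {"hr-db"}, "msp": {"vpn"}}

def sample_findings():
    return review_vendor_access(SAMPLE_ACCOUNTS, SAMPLE_REQUIRED, REVIEW_DATE)

if __name__ == "__main__":
    for user, issues in sample_findings().items():
        print(user, "->", "; ".join(issues))
```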

The evolution from cybersecurity to cyber resilience

The biggest difference in the security journey from 2000 to 2020 is the approach that more organizations are leveraging, says Bains. Two decades ago, when we looked at cybersecurity, a firewall deployment would be considered job done. However, it is now more a question of not when, but how, an organization can be breached. Understanding how quickly we can identify, contain and recover from a breach is essential.

Building cyber resilience is really important at this point: making sure that prepare, defend and respond are all considered, and that the cycle continues, not only to understanding your cyber risk and deploying technologies, but also to having forensics teams that, if there is a breach, can contain the attack and eradicate the threat.

What is the MITRE ATT&CK framework?

MITRE ATT&CK provides a common language for tactics and techniques across different environments. This enables organizations to map common and dangerous attack chains and ensure appropriate understanding, mitigations and detections are identified. Red teams leverage MITRE ATT&CK techniques for different types of scenarios, depending on the situation.

As an example, an attack scenario would be compromising a device using the Initial Access tactic, then jumping on to the User Access tactic, from Privilege Escalation back to the Execution tactic with PowerShell.

The MITRE ATT&CK framework helps us to understand our adversaries in order to defend against them, says Bains. Cybersecurity practitioners can map MITRE ATT&CK with security control threat predictions to better protect their organizations.

MITRE ATT&CK also has attack assessments, which can be useful for security engineers and architects in justifying threat-based security improvements. Assess how your defences currently stack up against the techniques adversaries use in attacks, identify the highest-priority gaps in your current coverage, and modify your defences or acquire new ones to address those gaps.

"It's very important to start small," says Bains. "Select a single technique to focus on, determine your coverage for that technique and then make appropriate engineering tasks. Once you're familiar with this process, you can expand this analysis to a larger subset of attack tactics."
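The per-technique coverage check Bains describes, as an added example that is not the talk's or MITRE's own tooling: each technique is classified as a gap (no detection), partial (a rule exists but the telemetry it needs is not collected) or covered, and the result is ordered so the highest-priority engineering work comes first. The technique IDs are real ATT&CK IDs matching the page's scenario, but the rule names, sensor inventory and data-source labels are constructed shorthand, not ATT&CK's official data-source names.

```python
# Constructed description of the telemetry each technique needs and which
# detection rules we already map to it. IDs are real ATT&CK technique IDs;
# the "needs" labels are simplified shorthand, not ATT&CK's official names.
TECHNIQUES = {
    "T1566":     {"name": "Phishing", "tactic": "Initial Access",
                  "needs": {"email_gateway_logs"}, "rules": ["phish-attachment-macro"]},
    "T1078":     {"name": "Valid Accounts", "tactic": "Privilege Escalation",
                  "needs": {"logon_events"}, "rules": []},
    "T1059.001": {"name": "PowerShell", "tactic": "Execution",
                  "needs": {"process_creation", "script_block_logging"},
                  "rules": ["ps-encoded-command"]},
}

# Constructed: telemetry our current sensors actually deliver to the SIEM.
AVAILABLE_SOURCES = {"email_gateway_logs", "process_creation"}

def assess_technique(tid, techniques=TECHNIQUES, available=AVAILABLE_SOURCES):
    """Classify one technique as covered, partial or gap, and list missing telemetry."""
    t = techniques[tid]
    missing = sorted(t["needs"] - available)
    if not t["rules"]:
        status = "gap"          # nothing detects this technique yet
    elif missing:
        status = "partial"      # a rule exists but cannot see all the data it needs
    else:
        status = "covered"
    return {"id": tid, "name": t["name"], "tactic": t["tactic"],
            "status": status, "missing_sources": missing}

def prioritise(techniques=TECHNIQUES, available=AVAILABLE_SOURCES):
    """Highest-priority engineering work first: gaps, then partial coverage, then covered."""
    order = {"gap": 0, "partial": 1, "covered": 2}
    results = [assess_technique(t, techniques, available) for t in techniques]
    return sorted(results, key=lambda r: (order[r["status"]], r["id"]))

if __name__ == "__main__":
    for r in prioritise():
        print(f'{r["id"]:10} {r["tactic"]:20} {r["status"]:8} missing telemetry: {r["missing_sources"]}')
```

Expanding the analysis to more tactics, as the talk suggests, is a matter of adding entries to the technique inventory; the classification and ordering stay the same.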

4 stages in a security incident response lifecycle

A cybersecurity response plan needs to empower decision-makers and provide mechanisms to keep them informed, says Bains. NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide, identifies the iterative process that incident response efforts take. It describes everything from tactical decision making to higher levels of strategy, command and control.

The key stages in this incident response lifecycle are Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.

Preparation includes authorization, logistics, inventory and operations

Detection & Analysis includes type, extent and magnitude

  • What do we need to know?
  • How can we tell?
  • What must we preserve and analyze?

Containment, Eradication & Recovery includes evidence, scope and the challenge of attribution

Post-Incident Activity: review and improve your security posture

  • What could have reduced dwell time?
  • Did we anticipate this would have been exploited?
  • What additional tools or resources are needed?

Each one of these steps should be tackled one at a time, says Bains. Understanding of scope is very important. We don't want to be in the process of recovery while the attacker is still within the environment, and then you're back to square one.

The CDW approach: Prepare, defend and respond

The CDW approach to helping our customers improve their security posture is comparable to the NIST Cybersecurity Framework, says Bains. This can be broken down into three phases: Prepare, Defend and Respond.

The Prepare phase includes:

  • Understanding risk
  • Building an effective security program, including the top security talent
  • Understanding what your crown jewels are and the data flows to those crown jewels
  • Threat risk assessments
  • Gap assessments
  • Third-party evaluations of vendors and partners

The Defend phase includes:

  • Implementing defences
  • Integrating leading technologies and making sure they are deployed properly, according to the business use case
  • Maximizing visibility
  • Understanding control
  • Making sure logs are properly collected, and understanding how long they are retained
  • Monitoring critical business assets

The Respond phase includes:

  • Being able to respond quickly to incidents
  • Backup strategy for your critical assets
  • Implementing an incident response plan
  • Defining a threshold for your breach retainer, if you don't have an in-house team
  • Checking your cyberinsurance policy

The extent of damage a breach does is directly related to the time it takes to recover from it, says Bains. The recommendation we provide to customers is to have a protect, defend, respond methodology.

To learn more about CDW's Prepare, Defend and Respond strategy, please visit CDW.ca/security. And be sure to bookmark this page for more coverage of BTEX 2021.