After a Breach, Forget the Who and Focus on the How and the What

December 9, 2015

Featured article by Pedro Abreu, Chief Strategy Officer, ForeScout Technologies, Inc.

The $400 million of estimated losses from the 700 million records compromised in 2014, detailed in Verizon’s 2015 Data Breach Investigations Report, sends a collective shudder down the spines of organizations’ C-suites and IT departments. If, after creating what seems like a foolproof security strategy, the organization suffers a breach, the focus of attention oftentimes goes not to how the breach occurred but to who did it. Money and reputation are about to be lost, and someone is to blame.

This is a natural human reaction, but when it comes to network breaches and data theft, it’s usually a waste of time. When your system is hacked, there are five questions that are more important to ask than who perpetrated the crime. First, “What was the means of entry?” Network visibility is essential here. If security managers have a real-time view of every connected device, every authorized user and every malware link clicked on, they have a better chance of pinpointing the incoming threats capable of causing damage.

Next, IT security teams should ask, “How can we fix it?” Repairing the damage is more important than ascribing blame, and speedy remediation is dependent on good visibility. The faster you can see and determine the size of the rip in your safety net, the faster it can be repaired. Companies have a clear fiscal incentive to minimize downtime, so this element is critical to running a business seamlessly.

The third question is, “What was stolen, and how much?” Finding this bit out can take a painfully long time. This is especially damaging when a data breach affects consumers. Quantifying the breach with speed and confidence causes an affected company less harm in the long run.

The critical next question to answer quickly is, “Are we still compromised?” After a breach has been detected, a lot of energy is put into stopping it and assessing the extent of the impact. However, without proper visibility, most companies are left wondering if they are still being breached – that is, whether the attackers left undiscovered back doors that will allow them back into the company’s systems later, when the incident response winds down.

Finally, once the smoke clears, ask, “What can we learn from this?” Security strategy must evolve intelligently, automatically and rapidly to ensure that the same infiltration tactic never works twice. Pragmatic, real-world defense depends not on making a network impenetrable, but on making it so challenging to crack that most attackers will eventually move on to easier targets.

In the long run, being able to collar the criminal and hold him or her up for display to shareholders and customers may feel good, but it’s usually not productive. The better course of action is to roll up your sleeves and do the complex work of sorting through the cyberrubble to find out how the breach occurred, whether it’s still occurring and how to keep it from happening again. Asking the five questions listed above is more time-consuming than merely asking who was to blame, but those questions zero in on the key information needed to mitigate and prevent cyberattacks.

About the Author:

Pedro has served as senior vice president and chief strategy officer of ForeScout since March 2015, where he is focused on advancing corporate strategy that bridges product development, sales and marketing. Prior to joining ForeScout, Pedro held several senior-level strategy and operations roles with Intel Security, EMC and McKinsey.

He earned an MBA from Haas School of Business at U.C. Berkeley, and a CS in Computer Sciences from Instituto Superior Técnico in Portugal.
