We see breaches disclosed in the news media more and more often these days. It can have a less-than-ideal impact on concerned stakeholders at companies. This impact is often heightened if the breach is at an organization in your industry, is otherwise high-profile, in your local geography, or if the attackers leveraged vulnerabilities within software your organization may use. Far too often the response involves panicked department-wide emails demanding to know what we’re doing about ‘the latest breach in the news’ while several people drop any work they're doing to investigate or research it in an uncoordinated fashion and every security vendor or provider gets bombarded as well, whether relevant or not. I’m sure cybersecurity team members and vendors alike share my frustration when this happens. So...
In this post, I take you through my ‘pet peeve’ of why this isn’t an effective response to a headline, and why headlines shouldn’t dictate but rather inform your cybersecurity response. I offer advice about how the structure of your security program and regular updates about it can help to reduce the stress such stakeholders experience. I provide communication tips for IT and Security stakeholders to manage their ‘newly concerned news readers’ (such as, yes, senior leaders or board members), especially if your organization isn’t yet proactively communicating your cybersecurity efforts.
Finally, I discuss proactive steps you can take on your own when you do see a headline that is directed towards risk identification and mitigation (rather than fear-driven, tire-spinning action that often results otherwise). And, how an MDR provider like ours can help.
My pet peeve: the knee-jerk reaction
A concerned leader will see the news, and begin ‘running around like a chicken with its head cut off’ blindly seeking reassurance from IT stakeholders, security partners, and peers. Sound familiar? The fact is that a breach covered in the news (Solarwinds is a good recent example) may not directly impact you at all (if you didn’t use Solarwinds, for example). The other issue with the knee-jerk reaction is that it’s almost always based on incomplete information. These headlines get published long before the investigation (a lengthy and complicated process) is completed. With incomplete information, it can be tough to formulate a proper response and, in addition, it takes important resources away from their important ongoing efforts. This has an associated cost and impact on the teams affected so there should be a process in place, and staff clearly assigned to research or investigation tasks to prevent everyone from jumping on the bandwagon.
Understanding your cybersecurity posture goes a long way
A well architected, continually updated, and frequently communicated security program and policy helps to get in front of knee-jerk questions. Policies should be highly visible, and set the baseline across leadership and end-users alike. Need help starting? We have a free Acceptable Usage Policy (AUP) template that borders on an overarching infosec policy in scope. Have a look, it can serve as a great starting place. Next up, if you have a solid cybersecurity education program in place, it’s a good opportunity to plug what you’re addressing. Training and testing may not address the specific vulnerability or threat in the news, but should help convey that you are on top of things like these. Or, if you are impacted, then a test to exploit that avenue (ideally after you think you have patched) can help. Lastly, like any other department aiming to demonstrate progress, regular and proactive communications to management and staff alike are a great way to get in front of those knee-jerk reactions..
For more reactive communications
There are some simple questions you can ask yourself (as an IT or cybersecurity stakeholder) to get you exactly what you need to put “Headline inquiries” to rest. Note, some of them will dictate research or remediation efforts on your part; these can serve as a good follow-up communication once resolved.
Here’s what you need to know (or, start finding out), before you communicate:
- Are you vulnerable? Do you actually have this impacted technology? Do you have the particular version?
- Is there a patch available to remediate the vulnerability?
Spoiler alert, by the time something like this hits the news, there often is. And, according to the Verizon Breach Report, 60% of breaches in 2019 involved a vulnerability that there was a patch for, but hadn’t been applied.
- Is there a reason you CAN’T patch?
This is important to know so that you can explain, but also further efforts to upgrade or mitigate to get ahead of this sort of issue. It often occurs with Operational Technology that only works with an old operating system, or in-house developed software that is infrequently updated. Be prepared to understand the actual issue or exploit and how best the vendor recommends to mitigate it.
- Do you have the information, and capabilities, to look for an indicator of compromise based on this vulnerability?
If yes, you can proactively check to see whether you have been breached, and take action. If not, it might be time to further that security improvement cause again.
Where to turn for help
Many organizations are without the personnel or technology to conduct threat hunting, or are so bogged down with reactive incident response that they don’t have the time for the proactive vulnerability management, patching, and remediation of endpoint hygiene concerns that hackers use to bring about news-worthy breaches like these. If you are under-resourced, or looking to improve your cybersecurity, ActZero’s MDR service can help you detect and respond to cybersecurity breaches, both in and out of the news headlines. We leverage a synergistic combination of advanced Machine Learning models to enable machine-speed reactions, and threat hunters as the ‘humans on the loop.’ to be able to assess and take proactive action where needed.
For a deeper dive on the proactive efforts you can take on your own (including technical suggestions) check out my webinar on Breach Prevention and Impact Reduction. I cover incident response plans, software deployment and patching, how to address the email vector, software restriction policies, and a whole lot more.
Or, if you want to see how my threat hunting team can detect and respond to breaches stemming from vulnerabilities like these, check out a demo of our Managed Detection and Response service.