What does ‘good’ look like when it comes to detecting and remediating security violations?
The priority for InfoSec teams is to stop a data breach from taking place, or a data leak from happening or worsening. But what happens if they don’t succeed?
This is an increasing reality. The tightly integrated nature of today’s technology systems, the evolving tactics of well-resourced hackers, and the mere fact that security is now reliant on the compliance of more employees than ever mean that breaches and leaks are becoming a case of ‘when’, not ‘if’. Consequently, organisations must track their ability to react: in other words, how fast they can detect a leak or a breach and mitigate its consequences.
The first job is to understand what constitutes a data leak vs a data breach, so you know what you’re looking for.
The literal definitions are straightforward. A data breach has occurred when sensitive and confidential information is accessed by someone without permission, as a result of their persistence in trying to compromise a company's sensitive resources—it involves an attack of some kind.
A data leak, on the other hand, is not malicious but accidental, and is usually caused by an unintentional exposure—sometimes it's just someone finding a vulnerability that was already there, and that may have existed for a very long time. It gets blurrier when someone shares sensitive data willingly (seeing it as required for their job, in the normal course of operations), sometimes with partners and external parties, but in a way that will eventually put this information at risk: perhaps sharing it with everyone who has the link instead of just specific parties, or with permanent instead of temporary access. Or perhaps even posting a database password to a Slack channel for immediate use... where it ends up remaining until the end of time, ready for a malicious person to make use of it.
This raises all sorts of questions. Each organisation should have its own definitions and thresholds. Likewise, it also needs its own set of targets for detecting and remediating intrusions, as well as for spotting leaks before they get exploited by a malicious party. Some of these will be driven internally—think risk appetite, security capabilities, scale and variety of IT environment, and SLAs with customers, partners and suppliers. Other factors will be external, such as regulatory compliance.
What’s more, an organisation may want different targets for different sorts of incidents and infringements. Breaches of highly sensitive and valuable information should be dealt with urgently. So too malware or DoS attacks, where the ramifications spread and grow with every passing minute. Data leaks may initially seem to pose less immediate danger—for example, an employee mistakenly sharing non-classified information—but nonetheless must be dealt with in a timely manner to avoid similar incidents happening again. If the company's cybersecurity culture is weak and does close to nothing to prevent employees from sharing sensitive information (in SaaS applications for instance), it's just a sword of Damocles constantly hanging above your head.
Despite these loose parameters, there are some broad standards that InfoSec executives can use to define the right detection and remediation targets for their organisation.
So what does good look like? Here are some statistics that InfoSec should arm their strategies with.
Setting targets is one thing; meeting them is another. Increasingly, automation is the key. Security automation software and sensitive risk cloud detection can look across your entire user base and surface area to map sensitive data, alert you to data breaches as they happen, and trigger remedial measures in real time.