By Paul Brennecker, Principal Security Consultant and Lead QSA
Paul Brennecker gave a presentation at PCI London on 5th July 2018 and this article first appeared in that event’s publication.
All too often the engagement of a Forensic Investigator is a distress purchase, made at a time of crisis when a breach has already occurred. Yet, waiting until there is a full blown emergency means organisations are missing out on the added value that specialist Retained Forensics professionals can bring.
Forensic Investigators don’t just operate in a crisis. When engaged to provide a Retained service, they can also help to develop a resilient defence strategy. This combines developing and delivering a full strategic cyber defence plan with Incident Response management. Their strategic guidance and practical knowledge enables them to help organisations reduce the level of impact while also meeting legal and regulatory responsibilities in the event of a breach.
In the event of a breach being reported, the Information Commissioner’s Office has made clear that it will look at the level of security in place, as well as the Incident Response strategy when considering the fines it will impose.
With forward planning it is possible to ensure that you get the maximum return for your investment and also secure the service that is best for your business. In business terms, a distress purchase is defined as a purchase made at some critical point, usually during a failure or other unplanned event. This is like buying a plastic cape when caught out in heavy rain: it is unlikely to be the best waterproof nor the best value for money, but the purchase was forced by extreme circumstances. Similarly, that present bought in the late afternoon on Christmas Eve may turn out to be the most expensive gift ever purchased.
In today’s cyber security landscape such critical points come, not surprisingly, when least expected. No one can know when a breach or a security incident will take place. One day you are blissfully unaware of its existence; the next you are in a state of crisis with much to do in a very short period of time. This is particularly the case under the terms of GDPR which requires data breaches to be reported within 72 hours. GDPR also requires that you implement robust breach detection, investigation and internal reporting procedures.
One of the first tasks is to secure and contain the breach – a specialist job which can be time consuming and confusing – and for this an industry specialist must be appointed. There are not a vast number of suppliers to speak to. For example, when it comes to a PCI data breach, there are only eight companies in the UK which hold the necessary certifications required by the acquiring banks.
A cyber-mature organisation knows that it is not enough to simply be reactive, however. Its aim is to anticipate the critical point and to scope, develop and implement a company-wide cyber security strategy which is constantly challenged and reinforced. This type of strategic plan will help to ensure effective business continuity and protect against loss of income and reputation.
Working with a Retained Forensics specialist facilitates this strategic approach, from analysing potential weaknesses to making detailed plans in the event of a breach. This is done in a number of ways, including through the process of Test and Exercise, starting with automated penetration testing to identify potential vulnerabilities. Manual testing is then employed to exploit and develop these weaknesses so the gaps can be plugged. The synergy of these tests provides valuable intelligence about where existing vulnerabilities lie and helps a business to build a robust defence around them.
The world of cybercrime does not stand still, however, and so defences must be continually reviewed and challenged to ensure they are as up to date as possible. So, although PCI compliance, for example, is a vital annual check, it does not claim to guarantee that adequate defences are in place all year round. A more resilient strategy therefore uses a regular Test and Exercise programme to keep the process agile and responsive.
Where it is advisable to go a level deeper, organisations can also consider Red Team engagement. Red Teaming is where highly skilled and trained ethical hackers get into the mind-set of a potential adversary, using a range of tools and strategies. This enables organisations not only to identify where a potential attack might take place but also builds in a level of resilience by identifying where potential future vulnerabilities may lie.
The mature organisation works with Retained Forensics to scope the requirements of their business, making it possible to manage the whole process in a timely and cost-effective manner. While building a robust defence is a priority, making detailed plans for how to handle a crisis is equally important. It is perhaps counter-intuitive to plan for a successful attack, but the maxim ‘expect the best but plan for the worst’ is sound advice. Knowing how to react in the unfortunate event of a data breach is a crucial business benefit. An experienced Retained Forensics company will be able to assist you with your plans and help to stage an event, to get everyone into the right mind-set. If the worst does happen, then staff will have a framework to refer to, ensuring that vital steps are taken and time is not lost.
A Retained Forensics team will also undertake the preparation and testing of Incident Response, Business Continuity and Disaster Recovery plans to ensure they are up to date and ready to swing into play at the first sign of an incident. Not only will they have a detailed knowledge of an organisation’s systems and networks, they will have helped to set up breach notification protocols and mitigation strategies, all of which will already be in line with the requirements of GDPR. In this way any damage and disruption will be swiftly minimised and remediated.
Given the benefits of engaging a Retained Forensics service, it is perhaps surprising that some still overlook it, simply engaging a Forensic Investigator when compelled to in the event of a breach. The reason for this is perhaps that the challenge of managing third parties to achieve and maintain the various data standards and compliance is ever increasing, meaning that the procurement of services to assist in the event of a data breach is often overlooked.
Those who plan for the worst while hoping for the best, however, reap significant benefits and have the time to engage with a professional Retained Forensics service before a crisis occurs. By planning ahead, they ensure that they get the maximum return for their outlay and also secure the service that is the best for their business.