Into the Breach

Although emergency personnel usually come to mind when thinking of first responders, cybersecurity experts often have to deal with stressed-out and panicked victims when they first arrive. CSO Online talked to several cybersecurity experts about how they keep calm and carry on with clients.

“The first step is definitely supporting the customer who is reporting the incident - in order to avoid panic,” Dario Forte, founder and CEO of DF Labs in Crema, Italy, told CSO Online.

“The CISOs we usually talk with have four priority questions to answer about incident response,” said Forte. The four questions, according to Forte, are:

What is happening?

How can I prioritize my response?

How can I contain the damage?

Has this occurred elsewhere?

“The answers to these questions can be given only by a structured approach, where a well prepared Incident Management Team can orchestrate the investigation and response, sharing the artifacts with their trusted peers in order to reduce the reaction time,” Forte told CSO Online.

The next step, said Forte, is to determine the scope and what measures the company may have taken, as well as its capacity to manage the breach. A conference call no more than 45 minutes after the initial call is crucial, said Forte. “This phase is fundamental as it gives us an immediate sense of which information is available for investigation and/or helping the customer to avoid any mistake in evidence handling. The latter is the most common cause of failure in the investigation and in response to the incident,” he said.

“When a client discovers they’ve had a breach, there is often a mistaken assumption that the scope of the breach is fairly static,” Brian Minick, CEO at Morphick, a Cincinnati-based cybersecurity firm, told CSO Online. “In reality, the intrusion usually starts weeks or months before detection, and the intruder likely has broad access to the client's network and can move around it quickly.”

Ondrej Krehel, managing director and founder at LIFARS, LLC, a digital forensics and cybersecurity intelligence firm, treats a cyberbreach as a crime scene, according to CSO Online.

“We holistically examine the situation to address the incident. This includes initial damage assessment, initial vector of compromise, indicators of compromise, preservation of forensic artifacts, and further forensic analysis of information collected,” Krehel told CSO Online.
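Both Forte's warning that mistakes in evidence handling are the most common cause of failure and Krehel's “preservation of forensic artifacts” come down to one practical ability: proving later that what was analysed is exactly what was collected. The Python below is an added example, not code from CSO Online, DF Labs, LIFARS or Morphick. It hashes each artifact at collection time into a manifest and re-verifies that manifest afterwards, so an artifact that was edited in place or deleted during “cleanup” is flagged. The case identifier, collector name, file names and log lines are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Added example (not from the CSO Online article or any of the quoted firms):
# a minimal evidence-integrity manifest. Hashes are taken at collection time
# so that any later alteration or loss of an artifact is detectable.


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large disk images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record hash, size and modification time of each artifact as collected."""
    artifacts = []
    for p in paths:
        st = os.stat(p)
        artifacts.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "case_id": case_id,        # hypothetical case identifier
        "collector": collector,    # who took custody of the artifacts
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": artifacts,
    }


def verify_manifest(manifest):
    """Return a list of (path, reason) for artifacts that no longer match the manifest."""
    problems = []
    for entry in manifest["artifacts"]:
        p = entry["path"]
        if not os.path.exists(p):
            problems.append((p, "missing"))
        elif sha256_file(p) != entry["sha256"]:
            problems.append((p, "hash mismatch"))
    return problems


def demo():
    """Collect two constructed artifacts, then simulate two common handling mistakes."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "auth.log")
    bin_path = os.path.join(workdir, "dropper.bin")
    # Constructed sample data, not real evidence.
    with open(log_path, "w") as f:
        f.write("Jan 12 03:14:07 host sshd[2211]: Accepted password for admin from 203.0.113.7\n")
    with open(bin_path, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)

    manifest = build_manifest([log_path, bin_path], "CASE-0001", "analyst01")
    manifest_json = json.dumps(manifest, indent=2)  # this is what you store out of band
    clean = verify_manifest(manifest)

    # Mistake 1: someone appends to the log in place instead of working on a copy.
    with open(log_path, "a") as f:
        f.write("Jan 12 09:00:00 host sshd[2300]: Accepted password for analyst from 10.0.0.5\n")
    # Mistake 2: the suspected dropper is deleted during "cleanup".
    os.remove(bin_path)
    tainted = verify_manifest(manifest)

    return {
        "manifest_bytes": len(manifest_json),
        "clean": [reason for _, reason in clean],
        "tainted": [reason for _, reason in tainted],
    }


if __name__ == "__main__":
    print(demo())
```

The manifest itself needs protecting: write it to separate, write-once storage (or sign it) immediately after collection, and always analyse copies rather than the originals the manifest describes. A matching hash only proves the integrity of what was hashed; it says nothing about whether the right things were collected, which is why the early scoping call Forte describes still matters.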
