You’ve Suffered a Breach … Now What?

Gerhard Jacobs of Exabeam explains the best incident response steps an organisation can take when a breach is detected.


“You’ve been breached.”


A threat actor’s exploit succeeded, and your organisation’s network has been breached. Now what?


Post-breach leadership is arguably the most challenging part of a CISO’s job today. Spearheading post-breach action and recovery is the ultimate test of a security leader’s skills and confidence. In recent episodes of our New CISO Podcast, we talked with seasoned security pros Dave Damato, CSO at Gemini, Sandro Bucchianeri, CSO with the Absa group, and Charlie McNerney, chief information officer for Expedia Group, to gather post-breach insight and advice for the modern CISO.


Rely on more than just a plan


For many organisations, cyberattacks and breaches seem almost accepted inevitabilities of modern business. All modern companies are tech companies, and nobody gets a pass. As Charlie McNerney explains: “Every company is a tech company today. There’s data, transactions, computer storage. Nobody is immune — from hearing about all the various impacts around the globe concerning hackers and account takeovers.”


Considering the prevalence of breaches, a cyber incident response plan is undoubtedly a must for all organisations today. But is that alone enough?


Preparing for successful post-breach action involves significant planning well ahead of the incident. The right team and architecture must be in place, and this requires the planning and guidance of a dedicated CISO. Dave Damato discusses the critical role of planning: “The planning starts way before a breach, and it’s around architecture. It’s about how you structure your team. It’s around the type of activities and exercises you perform. From an architecture perspective, it’s how you’ve planned your logging system. What are you logging? What data do you have? That’s going to be the key source of information when you try and go back and figure out what happened.”


Foster a culture of learning, not blame


The moments, days, and months after a breach require collaboration and cooperation at the highest level. Post-breach security teams face incredible amounts of work on short schedules, prioritizing returning the organisation to a safe state and preventing a similar event from occurring in the future. Often, years of work must be completed in a few months. Teams must unify, learning from mistakes as a cohesive unit rather than hiding shortcomings and placing individual blame.


This essential post-breach mindset of cooperation and learning starts with the culture created by your security leaders. Nobody wants a breach, but when one happens, better leaders see it as an opportunity to grow and improve individual skill sets and tools. As a CISO, this means reframing mistakes as learning opportunities rather than reasons to cover up or point a finger. Damato contrasts the two divergent leadership philosophies: “The better leaders say, ‘Hey, this is my opportunity to learn, grow, get the budget, and build the team I want,’ versus the leaders who are like, ‘How do we bury this?’”


Remediation playbook


Breach remediation is where today’s security leaders earn every bit of their salary — and then some.


Breach control and remediation should begin immediately, with security leaders focusing the team’s efforts on controlling the attack’s spread using access control and segmentation techniques. “If you can limit network access controls, it’s a huge boundary to limit the size and scope of a breach. Two-factor authentication can provide a huge advantage also. And I was just shocked, especially early in the decade, how few organisations factored these in. If you were to implement controls around those two areas, it should mitigate the risk of large-scale compromise significantly,” explains Damato.


Also, minimizing the dwell time an attacker operates within your network can be critical for damage control. Sandro Bucchianeri weighs in: “Dwell time is significant. It’s the time from when an attacker gets into your network to the time that you discover them. It basically measures, is your program working? Four or five years ago, it was in months, now I think it’s in weeks.”


Remediation typically lasts up to two or three months, but the first 48 hours after a breach are the most critical period, in which a CISO must lead with swift, decisive action to drive collaboration. Today’s CISOs must confidently adjust the mission, call up crisis teams, repurpose staff and resources, and oversee all immediate efforts, including internet disconnection, password resets, and the implementation of controls limiting lateral movement, network access, and dwell time.


Communicate with emotion and consistency


As a security leader, when your organisation suffers a breach, you will need to inform law enforcement, upper management, and the public as soon as possible. Keep in mind that how your team presents the news of a breach may be just as important as the key facts. CISOs must strike a delicate balance with disclosure — enough information to be transparent, but not enough to confuse or alarm management or the public.


Unfortunately, too many breach announcements are generic and say little. According to Dave Damato, disclosing a breach is an opportunity to let your organisation’s unique culture, feeling, and emotion shine through. “Every single breach notification I see begins with ‘we take security very seriously.’ They all have a very generic tone and feel. I think it’s important that security organisations have a culture that represents their genuine nature when communicating externally about a breach. There should be some feeling and emotion to it.”


It takes special skills to deliver a breach announcement. Whoever represents your organisation should be a well-trained communicator: prepared, polished, and with the poise to handle tough questions on their feet.


So, what should the modern CISO keep in mind when tackling the challenge of announcing a security breach?


“If you look at the great breaches over time, things have been handled well. They come from specific people in the organisation and are well planned, rehearsed, and consistent,” says Damato.


There is no doubt breaches try a team’s every skill and resource, but successful CISOs can see opportunity amidst the chaos. Post-breach remediation and recovery are where the strongest leaders rise — demonstrating by example the unity and cooperation necessary to accomplish in months what usually takes years.