Monday, January 13, 2014

Breaches Happen

Recently, a number of high-profile data breaches have been in the news quite a bit. The general public is quickly becoming aware of something that security professionals have known for quite some time -- that compromises and breaches are going to happen. What separates good organizations from great organizations is really their preparedness and response during these types of high-profile incidents.

Typically, immediately after an enterprise becomes aware of a data breach, several important, focused, and pointed questions will be asked of the security organization by the company's leadership, as well as the members of the company's legal and privacy organizations:
  • How did this happen? 
  • When did this begin?
  • Is this activity still occurring?
  • How many systems/brands/products have been affected?
  • What sensitive, proprietary, and/or confidential/private data has been taken?
  • What can be done to stop this activity/prevent it from happening again?
These questions are appropriately and pointedly aimed at assessing the damage, understanding the legal, privacy, and business ramifications of what has occurred, and formulating a plan to respond as required. The answers to these questions require hard facts that can only be found in the enterprise's network traffic data.

Given this, it is perhaps a bit surprising that when many organizations attempt to answer the above questions, they will find that they do not have the appropriate data in place to do so. There can be many reasons why this is the case, but chief among them are:
  • Incomplete/partial instrumentation of the network (i.e., the required data is not being collected at all required points of presence to provide the appropriate answers)
  • Inadequate data retention (i.e., the required data is not being retained sufficiently long enough to provide the appropriate answers)
  • Inability to leverage the data for analysis (i.e., the required data may or may not be collected, but is retained in a system or systems that do not allow for it to be exploited analytically to provide the appropriate answers) 
People, process, and technology are said to be the elements upon which great organizations are built. When the time comes to respond to a data breach, having the right people and the right processes in place is undoubtedly critical. Equally critical, though, is having the right platform in place that allows for both collection AND analysis, so that a great organization's people and processes can shine and perform incident response properly.
