Sunday, October 16, 2011

On Information Sharing... Most companies don't know they've been had!

I saw an interesting piece of text from Mandiant the other day. It was prepared for testimony (I'm presuming to Congress) discussing APT. It went something like this...


“More than 90 percent of the breaches Mandiant responds to are first detected by the government, not the victim companies.” (Kevin Mandia, CEO of cyber security firm Mandiant Corp., in prepared testimony).

Dozens (probably more) examples prove this statement. Search the news. Generally companies fall into two main categories when they find out.. denial, or they fight. Denial rarely works, and fighting it results in rapid escalation. Regardless, your business is in danger.

So what's a company to do? Start thinking strategically. Come up with a plan for mitigating current badness already in the environment, WHILE maintaining business operations, AND planning for future strategies for minimizing or mitigating future attacks, AND ensuring you'll be able to operate in your new-found understanding that your networks are now untrusted.

This is where we start thinking about steps two and three in my previous post...

2.  Build solid process (for operation and incident response). Pick a model and stick to it.
3.  At this point you MUST start talking to your peers, and others. You wouldn't try and sell a product without knowing what your competitors (peers) are selling (what sells, and what doesn't). Why would you try and implement strategy without knowing how well your chosen processes will work (what works and what doesn't, before you spend any money!).

For now, start looking around... there are lots of public sources of information.. SANS, NCFTA, FIRST, and a newcomer, RedSkyAlliance.org. From a government assistance perspective DHS/US-CERT.

Be prepared. It's not a question of 'if', or 'when'. It's 'what are you going to do when someone tells you there's a problem?'

More next time.
JS

No comments: