Upload
nicolasv
View
224
Download
1
Embed Size (px)
Citation preview
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 1/12
Brochure
Executive breach
response playbookHow to successfully navigate the enterprise through a serious data breach
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 2/12
2
Brochure | Executive breach response playbook
Introduction
No matter how eective the technical response to an enterprise data breach, it ’s the executive
suite that drives the public’s perception in times of crisis. In fact , it is the executive team’sleadership that will help guide the entire enterprise response after the breach—which could
last for days, weeks, months, and even years depending on lawsuits and regulatory response.
Although it’s never easy to respond to something as challenging as a publicly disclosed data
breach, it can be done if the executive team gets the information they need in time. That is, if
the technical information is accurate and comprehensive enough to make eective decisions,
and all of the communication channels are in place and ready. Sounds straightforward, but it’s
not always. It takes executive leadership to make sure the resources and the plans are in place
to execute well. And it takes considerable practice. This playbook will help get you there.
In most organizations, senior leadership, including the CEO, are seriously underprepared for the
job. A recently HP-commissioned survey from the Ponemon Institute, “The Importance of Senio
Executive Involvement in Breach Response,” shows how systemic the challenge is at most
organizations: A startling 57% of CEOs have not been trained on what to do after a data breach,and more than 70% of executives think that their organization only partially understands the
information risks they’re exposed to.
There’s a serious disconnect here. According to the Ponemon Institute report, The Importance
of Senior Executive Involvement in Breach Response, senior executives know that their
involvement in the incident response process is critical to success—but they don’t believe
that they are accountable for data breaches. In this report’s survey, 79% of respondents say
executive-level involvement is necessary to achieve a successful data breach response, while
70% believe board-level oversight is also crucial. Unfortunately, the same survey found that
only 47% are up to date on their internal data breach response processes, and only 45% think
they are actually accountable.
Perhaps most troubling is that only 44% believe that their own enterprise’s incident response
process is either proactive or mature.
Many great resources are available that are geared toward the technical response that
organizations must perform when faced with a data breach incident; however, little has been
written on how the executive team should prepare to respond. The goal of this paper is to help
ll that gap and provide executive leadership with the ideas and tools they need.
Perception. Priorities. Protection.
Executive team to-do list
• Prepare a data breach response plan.
• Ensure the executive team can execute it.
• Have a solid understanding of the situation.
• Know what is at risk.
• Plan responses and processes for all
constituencies.
Figure 1. How prepared is your organization to deal with data breach?
4%
17%
33%31%
15%
35%
30%
25%
20%
15%
10%
5%
0%
Level 1 Level 5Level 2 Level 3 Level 4
Level of readine ss: From 1 (low) to 5 (high)
Source: Ponemon Institute “The Impor tance of Senior Executi ve Involvement in Breach Response” September 2014.
As gure 1 shows, senior executives believe the
current state of breach preparedness is more
reactive (immature) than proactive.
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 3/12
3
The importance of establishing a game plan
Many enterprises are already breached, and they don’t realize it. Look at many of the recent and
widely publicized data breaches. These organizations had been inltrated for months, with data
being continuously stolen, before the successful attacks were identied. There’s no avoiding it.
The probability is that you will be breached, and not once or twice but multiple times over the
upcoming years.
Without an executive data breach response plan that is designed to work in tandem withyour organization’s more technical digital investigations and response plans, any data breach
incident can go from bad to worse very quickly—especially when it comes to maintaining the
trust and condence of your customers, partners, and shareholders. In fact, if the executive
team does not plan for the data breach—and be able to execute that plan—it is, in eect,
planning to fail in its ability to react swift ly to the legal, regulatory, customer, employee, and
shareholder fallout.
The risks associated with executive missteps during the days after a data breach disclosure
are not unlike responding to any other type of disaster. The team needs to have a solid
understanding of the situation, know what is at risk, and be able to speak to each constituency.
Many executive-level risks are associated with data breaches. For instance, your team needs to
know whether to announce the data breach and when the timing is right to do so. There’s risk in
waiting too long to tell the public—both from regulators’ and public backlash— and there’s also
serious risk associated with announcing too soon. If the right processes are not in place and theexecutive team doesn’t understand the nature of the breach, the known facts can change, and
public statements will have to be altered accordingly. Not good.
Conversely, knowing how to talk with the technical teams and understanding the potential
business impact and the technical cause can help you execute the right course of action. That
course assures employees, customers, and shareholders that the enterprise can—and will—
safely navigate through with minimal costs or impact to delivery of customer services.
Additionally, public disclosures of certain types of data breaches are becoming mandatory. In
the United States, nearly every state has a data breach notication law regarding personally
identiable nancial account information involving its citizens. The E.U. is working on its own
data breach notication requirements under the ePrivacy Directive. There are also data breach
notication laws and guidance that involve disclosing patient health data and even for publicly
traded companies, should a breach involve data that could aect revenue.
That’s why it is critical to have your executive data breach response playbook in place. Because
in the event of a data breach emergency, such as the triggering of any of the regulatory
mandated responses above, you need to know precisely what to do and who your key
players are. If you don’t have this in place and ready to go ahead of time, you waste valuable
time—the vital time needed during a crisis—and are forced to build the plan on the y, which
exponentially raises the danger of highly public missteps.
For all of these reasons, having your executive data breach response plan in place will provide
the means for successful leadership through crises.
Brochure | Executive breach response playbook
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 4/12
4
Brochure | Executive breach response playbook
Successful leadership through the breach
Although most of the conversation centering around data breaches today focuses on the technica
enablement of the breaches, there’s always much more to it than that—especially when a
breach involves signicant or sensitive data. The type of data and their quantity are important.
In fact, there are many other considerations. More often than not, there is a criminal
investigation, an e-discovery process, and countless other pressing media, employee,
shareholder, and especially customer considerations.
Each constituency has dierent immediate needs. While law enforcement is going to want to
keep breach details and anything relating to its investigation quiet, the media will want to know
details and will push hard for them. Industry and government regulators are going to havequestions of their own. The call center is going to need to know what information to provide
customers to help keep them calm and even take measures to protect their identity if necessary.
Legal will want to be t ightlipped, too, while your PR teams will want to be more communicative.
They have good reason, too; media reaction is crucial. And shareholders are going to eagerly
await news of any potential impact on earnings. It’s a ne needle you are going to have to
thread, because each constituent’s concerns and needs are real and will have to be met
properly and at the right time.
One of the most important things that hav ing the response plan in place does for your
organization is enable executives to focus on these messages. That surely beats being reactive
and forced to assemble the team, carve out responsibilities, lines of communication, and
various plans of action. With the plan in place and everyone knowing what to do, executives
can speak to employees, shareholders, and customers with the necessary condence that thesituation is under control. This will greatly help you avoid potential missteps that hurt trust and
condence in the organization.
Remember that employees, partners, shareholders, and customers will be looking at how
executives are going to respond: Have they taken ownership of the situation, what are they
going to do about it, what actually happened, and how will it be resolved?
Basically, what the world is looking for is leadership. And this is just as true in a data breach as
any other type of emergency or crisis.
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 5/12
5
Into the breach: Scenario exercise ideas
Data breach situations can unfold in countless ways, and conditions similar to the scenarios that
follow can occur in any organization. They show how small missteps can potentially grow into
big public mishaps.
Take a look at these scenarios. Then ask yourself how prepared your organization is to respond,
what processes you have in place to respond, and how well other team members would be prepared.
Breach scenario #1: A large national retailer ’s point-of-sale (POS) system is breached,
with millions of credit cards stolen
It all started simply enough. A virtual server crashed. It was only by luck that an observant
administrator noticed something strange within the error code. Eventually, the related logs
and an image of the virtual server made it to an internal security analyst, who identied the
problem: A small, mysterious piece of software was actually an exploit designed to breach an
inventory system that was connected to the retailer’s national POS network.
If credit card data les were breached, it would require a public disclosure. The breach was
too close to credit card data for comfort, and the preliminary forensics examination couldn’t
determine if the attack was successful. Also, the potential credit card breach couldn’t have come
at a worse time. A string of retail breaches had just been announced over the holiday period.
Tens of millions of people had been aected. As a result, the retailer’s credit card security was
all over the news. The press was not going to let go of this story.
Days later, the investigation into the log les still had not provided as clear a picture as the
digital forensics and incident response team would have liked. But it was determined that the
initial breach occurred at least three years ago.
The good news is that the most recent attack activity was thwarted. The bad news is that
although the complete attack trail isn’t clear, the attackers did manage to access the POS
system and capture credit card payment data as it was being processed. It was not known what
other data may have been aected.
The appropriate law enforcement agencies will be notied soon. Now the executive team must
prepare for the public announcement to customers and shareholders. And they must give
employees the information they need to service customers and answer their questions in a way
that keeps morale high. In the meantime, the digital investigation teams will keep digging formore details and facts that can be established.
Breach scenario #2: Contract manufacturer discovers its proprietary processes and
customer intellectual property stolen
An international contract manufacturer noticed an overseas competitor was producing product
in a way that precisely resembled its own. An analysis conrmed that the competitor was using
certain plans and even software code identical to what it was producing. If that wasn’t bad
enough, the intellectual property of several of its customers had also been stolen somehow. If
the situation isn’t handled properly, the manufacturer could be forced out of business.
Following a signicant investigation, it became apparent that a disgruntled employee had
walked out with proprietary information on a ash drive. An investigation into the type of data
stolen, who had access to that scope of information, and other fac tors narrowed the list of
potential thieves to a few. When examining a number of employee laptops, it became clearwhich laptop was used. Data from multiple servers were copied to the notebook’s drive and
subsequently copied to a USB ash drive. Customers would have to be notied—and so would
shareholders. A breach of this magnitude could drive away customers—current and future—
and signicantly impact revenue.
Brochure | Executive breach response playbook
Are you prepared to respond?
You discover that your proprietary processes and
customer IP were stolen.
Are you prepared to respond?
Your POS system is breached and millions of credit
cards stolen.
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 6/12
6
Breach scenario #3: Regional hospital awakes to data breach nightmare
The scenario begins when the director of communications reports that a journalist f rom one
of the weekly business magazines called to say a large le of patient records has been posted
somewhere online.
The news hit fast and spread wide. Thousands of records were dumped in a popular le-sharing
site: Patient names, contact information, and insurance information were in one set of les;
patients’ prescription histories and some doctor visit information in another.
It’s a PR nightmare, but one that happens all too often—before there’s a chance for an
investigation to even get underway. How did the breach occur? What can be said to patients whose
information was leaked, as well as those who have not been aected? What will the regulatory
fallout be? The team needs to be assembled, and answers need to be uncovered—quickly.
Any conversation with the media would have to be punted until more details were known.
Meanwhile, regulators called, wanting to know details about the incident. But the hospital
can’t answer much more than verify that the data les appear to be authentic and from their
organization. The next call was to law enforcement.
In the hours and days that followed, the source of the breach was identied as being the result a
web server inltration. The decisions and steps made in the upcoming days will have a profound
impact on how regulators react, as well as the trust that is saved or lost in the eyes of patients.
The next section can help you determine how your organization would respond. You’ll be able
to identify any gaps in your process and how you should remedy them if a publicly reportable
breach occurs.
Building an efective executive data breach response plan
Much of the discussion about data breach response commonly focuses on the technical
response. The executive data breach plan centers on what is known to have happened
technically and what this damage will mean from a business perspective, and then eectively
managing any negative impact and putting forward the best public response possible.
This requires that good processes and communication be in place, along with the ability to
eectively execute the plan.
You need to assemble a core team of executive leaders to help manage the response. In
many cases, it would be the same team charged with managing a business continuity plan
in the face of any type of disaster. Although many other types of disasters may be managed
by your chief operating ocer or equivalent, your CISO or CIO would manage the incident
internally since this is a data breach. These executives know (or should know) where critical and
regulated data resides and what systems manage these data and processes. Dealing with the
executive data breach is the same as if they’d owned the IT recovery should a hurricane or other
disaster disrupt IT systems. This puts CISOs in the best position to manage the technical, legal,
regulatory, and executive teams.
Brochure | Executive breach response playbook
Monitor/detect
Triage Respond Incidentclosing
Lessonslearned
Figure 2. Process and technique eciency improvement framework
Are you prepared to respond?
A large le of patient records from your hospital
was posted online.
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 7/12
7
Although the CISO or CSO owns the internal response, it typically is the CEO and executive
leadership that set the tone for the public response. To succeed, you’ll need a cross-functional
team that is comfortable working together. Usually this is a senior team that includes general
counsel, internal audit, human resources, and corporate communications. They all need to be
working in concert.
Here’s the plan that must be in place and always ready to be put into action should a breach
disclosure become necessary:
Continuous monitoring and detection—Your IT and security teams are always on the lookout
for bad things to happen. IT security-related events are detected from many dierent internal
and external sources—and early detection is the key to identifying and responding to an issue
not only quickly, but eectively. For executives, it’s important that when a breach that will require
a public disclosure is detected, the proper executives and internal resources must be notied.
The triage phase—This phase is intended to quickly analyze all available information so
that security events can be categorized and correlated. This way the organization can most
accurately determine the severity and prioritization of events, and assign the event to the
proper team(s) for remediation and response. Triage also provides a single point of contact for
answering technical questions that arise. The triage process is instrumental for coordinating the
technical response groups and creating your nal response plan.
The respond phase—The respond phase includes the steps taken to address, resolve, or
mitigate an incident. During this phase, you will need an incident coordinator who will conduct
overall response and direction. There are four classes of responses required for an incident:
• Technical response. The technical response is designed to focus on the actions the technical
sta takes to analyze and resolve an event or incident. Technical sta includes the IT groups
required to assist with remediation of the event or incident. This phase can involve several
groups or departments within the IT organization to coordinate and provide technical actions
to contain, resolve, or mitigate incidents as well as the actions needed to repair and recover, if
necessary, aected systems or data.
• Management response. The management response highlights activities that require some
type of management intervention, notication, interaction, escalation, or approval as part of
any response. It may include coordinating with corporate communications as it relates to any
human resources, public relations, nancial accounting, audits, and compliance issues.
• Communications response. These are activities that require some measure of communicationsto the corporation and internal and external constituents. Corporate communications should
always be consulted prior to any communications being released. In many cases, management
will direct the release of breach information. This includes issues related to any human
resources, public relations, nancial accounting, audits, and compliance issues.
• Legal response. The legal response, if required, would work with outside regulators,
third parties, and other parties. In addition, their input would be required for any external
communications to assure that such communication is in accordance to company policy and
supports any statutory or regulatory requirements.
Incident closing—After the incident has been contained, eradicated, or mitigated, it is critical
that your organization complete the collection of all of the information they can about the
incident and conduct an after-incident report. During the incident closing process, the incident
team must take steps to properly nalize all documentation, including all analytics and nal
reports. Additionally, the incident team must take every precaution to preserve all informationobtained as part of this process using proper chain-of-evidence procedures, because this
information may be required in certain legal responses.
After this close-out process is complete, the incident coordinator will conduct a lessons-learned
session to identify eciency improvements in either processes or techniques used for remediation.
Brochure | Executive breach response playbook
The phases of the plan
• Monitoring and detection
• Triage
• Respond
• Incident closing
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 8/12
8
The data breach communications plan: Break glass in caseof emergency
The prospect of a data breach crisis is itself a crisis. And when it comes to your external
response, the communications plan is essential. In fact , the legacy of the crisis—how people
will remember the incident—won’t be the technical details or how awlessly your teams did or
didn’t execute the plan internally. It will be how well, or poorly, the company communicated this
response externally.
After the data breach is conrmed and it’s a publicly reportable event, crisis communications
teams need to assess the situation, gain a solid understanding of the critical conditions, review
the plan of action and adjust as necessary based on facts of the incident, then communicate
publicly. Even as the event unfolds, the response must be continuously evaluated regarding
how well the plan is going—or not going.
When the incident is underway, gather all of the facts that you can: What type of data? How
many records? What was the cause? When did it happen? Is the situation rectied? If not yet,
when will it be? And what steps are underway to bring about the best resolution possible?
Of course, if the breach is sizable, you will have to assemble the core breach response team,
which consists of senior IT leadership, legal, communications, and others.
You will have to share the story (what you can, at rst) with the outside world—what happened,how the breach will aect them (such as the need to change passwords, protect themselves
against identity theft, change credit card numbers), and how you are managing the situation.
The negative side of the story is what happened and what risk has been created. The positive
aspect of the story is what is being done to resolve the situation and to mitigate its impact. To
the outside world, you want to focus as much as possible on what steps are in place to x what
has been broken.
This means the majority of what you communicate will be about your mitigation eorts, and
what steps will be and have been taken to make sure it doesn’t happen again.
This is why your plan is so important: All the steps you can take, or the steps you need to decide
whether or not to take, must be determined in advance.
Brochure | Executive breach response playbook
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 9/12
9
Respond efectively when breaches happen
When it comes to security breaches, it’s not a matter of if but when they will occur. What
separates enterprises when it comes to publicly reportable breaches are how the enterprise
responds—their ability to identify what happened and why, rapidly respond to stop the attack,
and communicate to employees, partners, shareholders, and customers in a way that maintains
and even builds trust.
HP helps organizations to establish the processes they need for optimal breach management.We rapidly deploy a highly skilled and experienced information security team and
comprehensive security technology to help enterprises establish visibility, remediate issues,
and put tactics into place that guard against future incidents.
Forensic readiness: We can help you create a proactive plan to help your teams identify valid
and malicious changes and produce the best possible digital evidence in the event of security
incidents. This minimizes disruption and maximizes the technical information you need to make
the best post-breach decisions possible.
Security incident and breach response: Expert monitoring is always available, providing
detection and countermeasures through rapid, predetermined incident response. In the event o
a breach, HP will dispatch a team of security experts on location to immediately contain the breach.
We also help assess, investigate, and provide recommendations to reduce future vulnerability.
E-disclosure: Following an incident, you’ll need accurate data capture, logging, and audit trail
reporting for use in legal and regulatory investigations. Our specialists, many of whom have law
enforcement experience, will help you through this collection process.
Data recovery: One of the most challenging parts of a breach can be data recovery. Mitigate
data loss or deletion consequences by designing and implementing processes for backup and
recovery. Our experienced security services teams are on call 24x7 to act as your vir tual team or
as an extension to your team to get you back in business.
When a data breach occurs, HP will rapidly deploy an expert and experienced information
security team so you gain swift visibility into the incident, and you can respond condently
to the marketplace and all of your constituents in a way that maintains trust . And, just as
important, we can help you put into place tactics and technologies that will greatly reduce the
risks of future incidents.
Brochure | Executive breach response playbook
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 10/12
10
Brochure | Executive breach response playbook
After an incident
Update the incident report and review exactly what happened and at what times.
Review how well the staff and management performed in dealing with incident.
Determine whether or not the documented procedures were followed.
Discuss any changes in process or technology that are needed to mitigate future incidents.
Determine what information was needed sooner.
Discuss whether any steps or actions taken might have inhibited the recovery.
Determine which additional tools or resources are needed to detect, triage, analyze, and mitigate future incidents.
Discuss what reporting requirements are needed (such as regulatory and customer).
If possible, quantify the financial loss caused by the breach.
Report findings to executive management.
Before an incident
Identify the individual owner and responsible party for all incidents.
Identify core team responsible for all incidents (including individuals from legal, corporate communications, and HR).
Ensure proper monitoring and tracking technologies are in place (such as firewalls, IPS, and anti-virus).
Provide media training to the proper individual(s).
Provide a company-wide process for employees, contractors, and third parties to report suspicious or suspected
breach activities.
Provide company-wide training on breach awareness, employee responsibility, and reporting processes.
During an incident
Record the issues and open an incident report.
Convene the core team.
Set up a technical bridge to discuss needs required to restore operations.
Set up a management bridge or communication schedule to provide updates to executive management.
Triage the current issues and communicate to executive management.
Identify initial cause and activate needed specialists to respond to the current issues to restore operations.
Retain any evidence and follow a strict chain of evidence to support any needed or anticipated legal action.
Communicate to affected third parties, regulators, and media (if appropriate)
Before, during, and after checklistThe time an incident occurs is not the time to plan and organize. It is a time for action. Here are some simple
steps for you to consider and processes that need to be in place before, during, and after a breach event:
Figure 3. Incident checklist
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 11/12
1
Why you need to act today
Security-related and non-security-related threats have become not only more numerous and
diverse but also more damaging and disruptive. New types of incidents emerge frequently.
Preventative activities based on the results of risk assessments can reduce the number of
incidents, but not all incidents can be prevented. That’s why a breach management response
capability is vital for rapidly detecting incidents, minimizing loss and destruction, reducing
business outage and customer impact, mitigating weaknesses that can be exploited, and
restoring information systems services.
The purpose of this framework is to establish processes and procedures to prevent, detect,
investigate, respond to, recover from, and remediate all incidents that threaten or target an
organization, its aliates, or subsidiaries. But it is important to recognize that this program
is only the foundation to a good security strategy. Other components must be built upon this
foundation, including:
• Monitoring an ecosystem with proactive tools, such as IDS/IPS, rewalls, anti-virus, and
Security Information Event Management (SEIM)
• Eective alerts based on controls in place from the monitoring tools but that also recognize
external data points and correlate big data elements
• Routine testing of the technologies deployed as well as the processes that support sound
breach management
• Feedback mechanisms from testing or an actual breach event to examine needed updates to
technologies and processes as well as strategic planning to avoid future disruptive incidents
Our call to action is simple: Take the necessary steps to implement the program outlined in
this simple guide. We are here to assist your organization with the most complete security
portfolio in the market. We can work with you to improve your security processes and
operations at every step.
Learn more athp.com/enterprise/security
See the Ponemon Institute report, The Importance of Senior Executive Involvement in
Breach Response
Brochure | Executive breach response playbook
7/23/2019 HP - Executive Breach Incident Response Playbook.pdf
http://slidepdf.com/reader/full/hp-executive-breach-incident-response-playbookpdf 12/12
Rate this documentShare with colleagues
Sign up for updateshp.com/go/getupdated
Brochure | Executive breach response playbook
© Copyright 2014-2015 Hewlett-Packard De velopment Company, L.P. The information contained here in is subject to change without notice. The only
warranties for HP products and servi ces are set forth in the express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial er rors or omissions contained herein.
4AA5-5562ENW, January 2015, Rev. 1