
Before a breach, it’s critical to already have an emergency response plan, including a team of key players and the tools they need to get you back online fast. 

A key part of preparing for a security event is ensuring you have the people and the technology you need to help you recover as quickly as possible. Creating an emergency response team (ERT) is a critical step I recommend organizations take before an event. When you have clear marching orders, a fully prioritized recovery plan, a plan to engage external support resources, and a line of sight for recovery equipment, you’re less likely to be scrambling.

Part 1: Your Emergency Data Breach Response Team

Who should be on your ERT? Depending on your company and its unique needs, your emergency response team should include a few key players:

1. Forensic Experts

After a cybersecurity event, forensic experts gather evidence from data on computers and other digital storage devices for use in the investigation. Their skills should include vulnerability diagnostics, digital forensics, the ability to analyze memory dumps and malware, and the ability to use analysis tools to perform a correlation analysis of security events.

They’ll follow detailed procedures to maintain the integrity of their findings and ensure they can be used as evidence, including:

  • Reconstructing the events that led to a security breach or compromise using security log data
  • Retrieving lost data from physical and virtual devices
  • Collecting and analyzing evidence of malicious network activity
  • Maintaining the integrity and ensuring a provable chain of custody of digital evidence
  • Liaising and collaborating with law enforcement
  • Giving testimony at legal proceedings

2. Legal Counsel

The expertise of legal counsel on your emergency response team is invaluable during a security event. Legal can help you determine how to proceed with minimal liability. They advise on how to disclose security incidents; coordinate communication with law enforcement, investigative agencies, and stakeholders; prepare people to be interviewed; and handle any shareholder and employee lawsuits that might result from the security event.

Legal experts help you understand the legal obligations, potential conflicts, and liabilities of your business, and can provide input when drafting policies and procedures. This role could be an in-house team, outsourced, or hybrid. If outsourced or hybrid, a designated employee should act as a liaison.

3. Information Security (InfoSec)

Your InfoSec team will coordinate the investigation, assessment, tracking, resolution, and reporting of critical security incidents; determine whether a security incident needs to be reported; and enact the security breach protocol.

In general, InfoSec is a subset of cybersecurity specifically related to processes designed for data security. This role seeks to prevent the unauthorized disclosure, disruption, inspection, recording, or destruction of information. Information can be physical or digital and includes personally identifiable information (PII) and biometric data.

4. Information Technology (IT)

IT is critical both before and after a security event and will be actively involved in all phases of the emergency response plan, including:

  • Preparation: Maps out IT assets, data, devices, and users within the IT ecosystem. This provides a clear understanding of your IT infrastructure, which is helpful both during a security event and before one, when it can highlight security vulnerabilities for proactive action.
  • Identification: Identifies and responds to incidents reported through your organization’s Help Desk or detected using security and threat mitigation tools. IT will gather information using logs and error messages, intrusion detection systems, and monitoring tools to determine the nature of the incident and its scope.
  • Containment: Implements short- or long-term containment to minimize the damage already done and prevent further damage.
  • Eradication: Removes the threat and restores affected systems to their previous state (or a safe working state).
  • Recovery: Tests, monitors, and validates systems during the recovery process to ensure that they’re not reinfected or otherwise compromised.
  • Post-mortem: Documents incident details and remediation methods used for later analysis to improve future incident response efforts.

In particular, the IT expertise on your team should include OS administration; systems software, client, web, and application server recovery; database protection; and testing business continuity and disaster recovery capabilities.

5. Investor Relations

If your company has important relationships with partners and investors, you’ll need an incident response role to communicate to them how the event impacts both the financial status of the organization and their relationships with the company.

An investor relations (IR) department conveys important information about company affairs so investors can make informed decisions. As part of the emergency response team, this role helps ensure that you’re accurately disclosing security events and addressing concerns. This also helps to minimize the impact of the incident on investor relationships.

6. Media Relations and Corporate Communications

Communication is key when a security event occurs. You’ll want to have a predetermined point of contact with the media to coordinate communication—including internal comms relating to incident response efforts—and to manage communication with media outlets, affiliate business entities, and external stakeholders. Responsibilities of the communications role can include writing and sending internal and external communications about the incident, as well as contacting critical partners, authorities, external tech vendors, and affected customers with updates about remedial action being taken.

With a dedicated person speaking to the media, you’ll be better able to communicate a consistent, accurate account during and after the security event.

8. Incident Manager

The incident manager coordinates all the actions of the ERT, ensuring each team member carries out their action items to minimize damages and improve recovery times. Primary responsibilities of this role include coordinating the incident response, summarizing findings and the effects of the incident, escalating issues to higher management, and assigning ad hoc roles when required.

Other Contacts to Know

  • Cyber insurance providers, who can explain the extent of your cybersecurity insurance, your specific coverages and limitations, and the steps that must be taken for coverages to apply.
  • Local law enforcement authorities and the FBI, to whom possible compliance breaches and potential penalties should be reported, and where you might get additional support.
  • Critical partners and authorities, including legal and tech partners who can help with recovery.

Part 2: Technologies to Help You Recover From a Data Breach Fast

Beyond your people, there are several tech resources that will support the operations of your ERT.

Super Immutable+ Snapshots: “Airbags” for Data Storage

After the initial intrusion and reconnaissance, ransomware will attempt to execute, encrypt, and exfiltrate data. If a ransomware attack encrypts backup data or backup metadata, your chances of data recovery are slim, leaving you vulnerable to ransom demands. Immutable snapshots protect data from unauthorized modification and deletion, based on your existing data retention policy.

Pure Storage® SafeMode™ snapshots are critical to mitigating and recovering from a ransomware attack. SafeMode snapshots are what I call “super immutable+.” Like traditional, immutable snapshots, once they’re stored, data contained within cannot be changed, edited, or overwritten. However, there’s a major advantage to Pure’s SafeMode snapshots: They also cannot be deleted—even by a user or process with administrative privileges on the Pure Storage array.

SafeMode snapshots are the only snapshots in the industry with this advantage. This gives your Pure arrays built-in “airbags.” Essentially, while a Pure array can’t prevent an attack, it gives you the ability to survive one and quickly recover. With SafeMode snapshots, you can roll back copies of data made before the ransomware attack with confidence that the data is uncorrupted. This means you don’t need to worry about ransom demands—simply overwrite the effects of the ransomware and continue business as normal.

Tiered Backups with Data “Bunkers”

Tiered backup architectures are all about resiliency, ensuring data is in the best location for recovery at all times, bringing you closer to achieving zero recovery time objectives (RTO) and recovery point objectives (RPO). Tiering snapshots isolates them, further ensuring their availability in the event of a disaster.

Tiers will depend on how your organization classifies its data—check out this post on tiered backups for an example. The goal is to assign different categories of applications/data to various types of storage media to reduce overall storage costs, enhance performance, and improve the availability of mission-critical applications.

Staged Recovery Environment

After a security breach or attack, your existing business environment will probably be shut down, and compromised resources could be confiscated, quarantined, or used by investigators. A staged recovery environment gives you a secure, clean IT environment that allows you to get critical systems back online. It should be set up and tested in advance so that those systems can be restored quickly and easily. This allows you to resume services to your customers while giving your team time to complete forensic reviews and reintegrate less critical systems.

Level Up Your Recovery Capabilities with Pure Storage

Everyone on your emergency response team should be clear on their roles and responsibilities before, during, and after a security incident. With a comprehensive plan, employees and IT personnel are less likely to implement on-the-fly solutions and risk making the situation worse.

Being prepared for a security event also means having the right technology to help you mobilize quickly and recover as soon as possible. Pure’s entire portfolio brings security and resiliency to your data estate, offering:

  • Read-only snapshots of backup data and infinitely configurable policies.
  • Improved resiliency and protection against malware attacks and accidental or intentional deletions with immutable snapshots.
  • Protection for container-based applications with Portworx® PX-Backup to get modern, cloud-based applications back up and running alongside on-premises apps.

For more, find out how Pure solutions can help you prepare for a security event.