If you work for a big organisation, there’s a better-than-average chance that your network security defences have been breached somewhere. Or they will be. For organisations with valuable data, this is the new reality. The bad guys are getting better at what they do and enterprise has historically had a hard time catching up. For a large listed corporation, a security breach is arguably one of your public relations department’s worst, although inevitable, nightmares.
PR 101 says that in the event of a disaster you should fess up as fast as possible, beg forgiveness, hope that it’s not a quiet news day and front up with a plan to make it right.
As a textbook strategy, that’s all well and good, but it does presuppose that organisations actually know what happened. Here’s the kicker: More often than not, they don’t. So it stands to reason that the effort an organisation puts into preventing a breach should be equalled by the effort it puts into knowing what happened after a breach has occurred.
If you’re lucky, you’ll find the broken window pane, a brick on the floor and have a good idea of where the compromised data resides. But depending on your monitoring hardware, you may have little or no idea what stock was stolen because your shelves are virtual. Sure, your log files are useful to a point, but they will never give you the whole story.
To manage the damage, you have to be 100 percent certain of what was stolen, and you have to find out quickly. The public wants answers immediately and they are not a particularly patient bunch. The vacuum of public knowledge will be filled with answers to very specific questions from the media: How many of your records were stolen? How sensitive were they? How long has it been going on? If you wait to provide the answers to those questions, the tweeting public will pontificate at will, essentially taking away your role in shaping the organisation’s message.
Seeing where the breach occurred and what areas were affected will put your organisation in a position to offer the truth, as opposed to planting the seeds for rumors.
So for all the arguments made for state-of-the-art network security – and these arguments are completely valid – what may be the barrier between an embarrassing situation and a reputation-crushing mishandling is network visibility.
Yes, you were breached. It happens. In 2011 well-known entities such as Zappos, Epsilon and RSA were each victims of attacks. In Q1 of 2012, Nortel, NASDAQ and the Vatican have fallen victim to breaches. There is a lot less shame in being breached these days, but not knowing what has been breached is the precursor to the kind of media coverage that can sabotage all of your best efforts. Knowing exactly what is going on inside your network in real time is more important than ever.
Network recording solutions have historically had a bad rap: “Unreliable” and “expensive” are criticisms that have been leveled, but the case for pervasive, full packet capture is changing as fast as the technology that enables it. The technology reshaping that opinion could very well be your PR department’s best friend. As networks expand to 10G, it is becoming more and more difficult to just “pop open the hood” and pinpoint exactly where network anomalies lie.
Organisations on the front foot are responding by investing in a wide range of IT tools to stop network intruders from getting inside in the first place, but they have also come to the conclusion that those investments will fall victim to an unwelcomed visitor at some point. Furthermore, they are considering the kinds of solutions that not only address speeds of today, but the speeds that will no doubt be integrated into the landscape of tomorrow’s networks.
So, if you subscribe to the view that you’re already breached – and the smart money says that you should – what’s your answer going to be when you’re asked, “What did you lose?” If your answer is, “We don’t know,” then maybe it’s time that you reconsider how you are monitoring and recording your network data. And then hope the story gets buried.
Tim Nichols is VP of marketing at Endace.