Europe's GDPR requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to put the affected individuals at risk; where the risk to individuals is high, they must be notified as well. GDPR was a watershed, and stronger breach-notification rules are now being proposed in Australia, California, and other jurisdictions.
The upshot for Incident Response (IR) teams is that they need to investigate incidents faster and with greater accuracy. Once a data breach is detected, the clock is ticking. IR teams are under pressure to get answers.
First, they need to know whether the incident is reportable or can be handled internally. If it must be reported, they have very little time to establish the extent of the breach, because revising the count of leaked records upward after the initial announcement is damaging.
This has pushed some companies to play it safe: announce the maximum possible number of affected users before the investigation is complete, then revise the number downward once it is. The tweet below from Facebook's former CISO is one example.
Here are some of the questions that IR teams need to answer fast when there's a potential data breach:
- Does the incident involve data regulated under PCI DSS or HIPAA?
- What data was taken? Who is affected?
- Are the attackers still present in the environment?
- What did the attack campaign look like?
Network traffic analysis can help answer all of these questions, provided the relevant traffic was captured and retained for the period under investigation. It supplies not just the answer (yes or no) but the surrounding context, so analysts can understand the "why and how" behind it.
ExtraHop's CIO John Matthews recently discussed how to accelerate incident response with David Monahan, Managing Research Director for Security and Risk Management at EMA. David presents EMA's surveys on incident response, which show that:
- Only 23% of organizations investigate all critical security incidents after initial detection
- Security teams cannot address 64% of daily alerts
- Packet capture is the most useful capability when accelerating IR
John and David both have experience managing operations teams and provide helpful insight to address the challenge of the 72-hour reporting requirement.