Data Loss Prevention and Containment During Data or Network Security Incidents

Types of Data and Network Security Controls

Detection of computer security incidents requires the implementation of various types of controls – physical, logical, and administrative. Each of these control areas provides layered support to the others. In other articles, I described many of these controls in detail, including:

Physical

  • Motion detectors
  • Smoke and fire detectors
  • Security cameras
  • Sensors and alarms

Logical

  • Intrusion detection systems
  • Intrusion prevention systems
  • Logging

Administrative

  • Rotation of duties
  • Security reviews and audits
  • Mandatory vacations. Mandatory vacations serve the same purpose as rotation of duties. Someone else must look at work the vacationing employee has been doing.
  • Performance evaluations
  • Background investigations

Analyzing Data and Network Security Issues

Once one of your controls provides evidence of a security incident, it’s important that you assess what the evidence means. Disconnecting your data center from the network because you get a couple of log entries indicating a malware attack may be OK if you’re actually under attack. But what if it was just an explainable and acceptable network anomaly? Explaining loss of data or service delivery may be difficult if you haven’t practiced due diligence before making this kind of decision. Due diligence includes the following steps:

  1. Perform an initial assessment to determine the type of incident
  2. Develop an action plan to contain and eradicate the threat
  3. Document all activities associated with the incident

Notifying Network and Data Recovery Teams

Once you confirm that data loss or a network outage is occurring, or has occurred, immediately notify the appropriate IRT. The team’s initial response should include a high-level assessment of the following:

  1. Initial evidence, including logs and alerts
  2. The general state of the system allegedly affected
  3. The general state of the network overall

This is a high-level assessment. Digging too deeply at this stage might result in unnecessary delays leading to increased business impact. Using personnel who are familiar with the system, facility, data, or network being assessed is critical. Individuals who are familiar with the day-to-day characteristics of a potential target should be capable of quickly completing the initial assessment.

Documenting Data Security Response Activities

Along with the initiation of the initial assessment, the response team manager should begin documenting all response activities. This documentation will track details about network or data security activities that you can use in post-incident assessments. It also provides a historical record of findings and actions taken, which is often valuable when the exact nature of the attack or outage is hard to identify. The following should be included in your documentation:

  1. Current status of the incident – This is normally kept in a running log. The log is a valuable tool for tracking the activities of the IRT, the way in which the attack or outage evolves, and for reporting status to senior management.
  2. Summary of the incident
  3. Actions taken by all members of the IRTs
  4. Contact information for all involved parties
  5. List of evidence gathered
  6. General observations
  7. Pending activities – These should be prioritized based on the criticality of the resources affected; in other words, assess the business impact of not performing each activity on your list. For example, if you need to run payroll the day of the outage, activities surrounding recovery of the payroll system will take precedence over just about anything else.
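As an added illustration (not code from the original article), the seven documentation items above can be kept as a single incident record: a timestamped running log, the evidence list, and pending activities ranked by the business impact of not doing them. Incident ids, names and alert ids in `build_example()` are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class IncidentRecord:
    incident_id: str
    summary: str = ""                                 # 2. summary of the incident
    running_log: list = field(default_factory=list)   # 1. status and 3. actions: (time, actor, entry)
    contacts: dict = field(default_factory=dict)      # 4. name -> contact details
    evidence: list = field(default_factory=list)      # 5. evidence gathered
    observations: list = field(default_factory=list)  # 6. general observations
    pending: list = field(default_factory=list)       # 7. (business_impact, description)

    def log(self, actor, entry, when=None):
        """Every IRT action goes into the running log with a UTC timestamp."""
        when = when or datetime.now(timezone.utc)
        self.running_log.append((when.isoformat(timespec="seconds"), actor, entry))

    def add_evidence(self, actor, item):
        self.evidence.append(item)
        self.log(actor, f"collected evidence: {item}")

    def add_pending(self, description, business_impact):
        # business_impact: 1 (low) .. 5 (e.g. payroll must run today); it is the
        # cost of NOT doing the activity, which is what the article says to assess.
        self.pending.append((business_impact, description))

    def prioritized_pending(self):
        """Highest business impact first; ties keep the order they were raised in."""
        return sorted(self.pending, key=lambda a: a[0], reverse=True)

    def status_report(self):
        """Short status for senior management: latest entry and the next activity."""
        nxt = self.prioritized_pending()
        return {"incident": self.incident_id, "summary": self.summary,
                "latest": self.running_log[-1] if self.running_log else None,
                "evidence_count": len(self.evidence),
                "next_activity": nxt[0][1] if nxt else None}


def build_example():
    """Constructed sample incident (hypothetical ids and names, not from the article)."""
    rec = IncidentRecord("INC-EXAMPLE-001", "malware alerts on a payroll host")
    rec.log("alice", "initial assessment started")
    rec.add_evidence("alice", "ids-alert-42")
    rec.add_pending("restore mail gateway", 2)
    rec.add_pending("recover payroll system before today's run", 5)
    rec.add_pending("rotate service credentials", 3)
    return rec
```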

Again, perform just enough analysis work to get a general understanding of what data issues you’re facing. There’s a balance between too much data analysis and not understanding the incident well enough to effectively contain it.

In Part 3, we continue the series with a look at data loss prevention and incident containment.

This post is part of the series: Security Incident Management

In this series, I provide an overview and recommendations related to responding to a security incident. Effective incident management is critical when attempting to mitigate damage from a breach, system failure, data leakage, etc.
  1. The Data Security Incident Management Process: Policies, Teams, and Communication
  2. Preventing and Containing Data Loss by Detecting and Analyzing Data Security Issues
  3. Reducing the Damage Caused by Network Security Threats and Identifying Attackers
  4. Recovering Corporate Data After a Data Security Attack
  5. Challenges of Managing Data Security: Causes and Effects of Data System Failures