Security Stuff Happens: Where Do You Go From Here?

Despite what it may feel like when you're in the trenches after a security incident, the world doesn't stop moving. (Part 3 of a series.)

Tyler Farrar, CISO, Exabeam

May 9, 2022


Click here to read Part 1, "What Do You Do When It Hits the Fan?" and Part 2, "What Will the Public Hear When You Say You've Been Breached?"

Even when the investigation after an incident is still ongoing and you won't have all the answers upfront, it's still important to communicate what you can as early and as often as possible. Communication is integral to successful incident response and to the endurance of a brand's reputation. The main reason it's important to divulge as much as possible as soon as possible is that brands can die after a security incident if a third party (such as the press or customers) is the first to break the news of the incident.

Even if you don't have all of the answers, it's better that any new information comes from your organization and not the press or third-party groups. Again, show empathy and ownership every step of the way. Keep anyone who is potentially affected — customers, vendors, third parties — updated on an ongoing basis about technical findings, results, and impact. Offer these people helpful and relevant resources and support.

What Happens After a Security Incident?
Information sharing can heal even the deepest wounds; companies that are advised (by lawyers or others) to keep as much as they can under lock and key are, frankly, short-sighted. Sharing threat data and information needs to happen in a clear and concise way. With whom and how this information is shared should be discussed and agreed upon with lawyers before any major incident occurs. Don't be afraid to share technical details and the steps your security team is taking to investigate and avoid these vulnerabilities in the future. You might consider sharing technical details such as events to look out for, CVEs, or indicators of compromise. These details are extremely valuable because they can help customers get ahead of the incident and take their own remediation steps.

Final Thoughts
Despite what it may feel like when you're in the trenches after a security incident, the world doesn't stop moving. If you've publicly announced a breach, other cyber adversaries don't magically disappear. There are still threats looming, possibly waiting to attack your infrastructure while it's at its weakest. After a security incident, it is easy to neglect your defenses against everything else, so set up a system to make sure that doesn't happen. Ensure you're monitoring for additional nefarious activity. Make sure your team members get regular rest breaks (tired people make mistakes!). Nutrition and hydration matter just as much as sleep.

Second, it's important to note that cyber adversaries typically don't break in; they log in. This is certainly the case for Lapsus$ and other similar threat groups. They can compromise credentials through a variety of methods and then log in to most networks and applications. Security teams should shift their focus from purely preventing credential compromise to tracking user behavior so that anomalies can be quickly identified and acted upon. Thanks to modern tools that utilize machine learning or behavior analytics layers, there is little to no added burden on the analyst.
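To make the "they log in" point concrete, here is an added example (not from the article or from Exabeam's products) of the simplest form of behavior tracking: each user's normal countries, devices and login hours are learned from earlier logins, and a login is alerted on only when it deviates in several ways at once. The auth events are constructed sample data.

```python
"""Per-user login baselines and anomaly scoring over constructed auth events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (user, ISO timestamp, source country, device id); not real data.
EVENTS = [
    ("alice", "2022-05-02T09:05:00", "US", "laptop-a1"),
    ("alice", "2022-05-03T08:57:00", "US", "laptop-a1"),
    ("alice", "2022-05-04T09:12:00", "US", "laptop-a1"),
    ("alice", "2022-05-05T10:01:00", "US", "laptop-a1"),
    ("alice", "2022-05-06T03:14:00", "BR", "unknown-77"),  # valid password, wrong everything else
    ("bob", "2022-05-02T14:00:00", "DE", "desk-b2"),
    ("bob", "2022-05-03T15:30:00", "DE", "desk-b2"),
    ("bob", "2022-05-04T13:45:00", "DE", "phone-b3"),      # new device only: benign-looking
    ("bob", "2022-05-05T14:10:00", "DE", "desk-b2"),
]

def build_baselines(events):
    """Learn each user's usual countries, devices and login hours from past events."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device in events:
        b = base[user]
        b["countries"].add(country)
        b["devices"].add(device)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def score_login(baseline, ts, country, device):
    """Return (score, reasons): one point per way this login departs from the baseline."""
    reasons = []
    if country not in baseline["countries"]:
        reasons.append("new country " + country)
    if device not in baseline["devices"]:
        reasons.append("new device " + device)
    hour = datetime.fromisoformat(ts).hour
    # Circular hour distance so 23:00 and 01:00 count as close together.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 3 for h in baseline["hours"]):
        reasons.append("unusual hour %02d:00" % hour)
    return len(reasons), reasons

def find_anomalies(events, threshold=2):
    """Score each login against a baseline built only from the events before it.
    Rebuilding the baseline each time is fine for a demo; a real system keeps a rolling one.
    A single deviation (e.g. one new device) stays below the default threshold."""
    seen, alerts = [], []
    for user, ts, country, device in events:
        base = build_baselines(seen)
        if user in base:  # first-ever login has nothing to compare against
            score, reasons = score_login(base[user], ts, country, device)
            if score >= threshold:
                alerts.append((user, ts, score, reasons))
        seen.append((user, ts, country, device))
    return alerts
```

Running `find_anomalies(EVENTS)` flags only alice's off-hours login from a new country and device; bob's new phone alone is logged but not alerted.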

Lastly, big breaches can take years to clean up and settle in court. The true cost of security and privacy failures is underreported — I'd venture to say it's probably double or triple what you read in the news — both in terms of cost and time to remediate. Although stock prices usually don't change after a breach, it is most certainly more difficult to sell a product or service for a year or so. Develop the right relationships — with sales, marketing, legal, comms, executives, and stakeholders — long before a cyberattack takes place.

About the Author

Tyler Farrar

CISO, Exabeam

Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. In this role, he is responsible for protecting Exabeam — its employees, customers, and data assets — against present and future digital threats. Farrar also leads efforts in supporting current and prospective customers’ move to the Exabeam cloud-native New-Scale SIEM and security operations platform by helping them to address cloud security compliance barriers. With over 15 years of broad and diversified technical experience, Farrar is recognized as a business-focused and results-oriented leader with a proven track record of advancing organizational security programs.

Prior to Exabeam, Farrar was responsible for the strategy and execution of the information security program at Maxar Technologies, which included security operations, infrastructure governance, cyber assurance, and USG program protection functions. As a former naval officer, he managed multiple projects and cyber operations for a multimillion-dollar US Department of Defense program.

Farrar earned an MBA from the University of Maryland and a Bachelor of Science in Aerospace Engineering from the United States Naval Academy. He also holds a variety of technical and professional certifications, including the Certified Information Systems Security Professional (CISSP) certification.
