Using Root Cause Analysis After a Cybersecurity Incident

There were 1,579 breaches reported in the U.S. in 2017, according to the Identity Theft Resource Center (ITRC), a 44.7 percent increase over the incidents reported for 2016. Your enterprise might be next, so it is important to understand incident response, including Root Cause Analysis.

The best defense for your business is prevention, but when an incident does occur, it’s important to use the opportunity to learn as much about it as possible. Applying the lessons learned through a Root Cause Analysis to harden your security posture will make it more difficult for attackers to victimize your business again.

Cyberattacks happen. Data breaches occur. It’s often what you do following a breach that sets your future course.

Getting to the Bottom of the Problem

Trying to make good cybersecurity decisions without sufficient information is a recipe for failure. A vital tool for proper incident response is Root Cause Analysis. According to the National Institute of Standards and Technology (NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments), enterprises must understand not only individual vulnerabilities but also what ultimately causes them:

Vulnerability identification can be accomplished at a per-individual weakness/deficiency level or at a root-cause level. When selecting between approaches, organizations consider whether the overall objective is identifying each specific instance or symptom of a problem or understanding the underlying root causes of problems. Understanding specific exploitable weaknesses or deficiencies is helpful when problems are first identified or when quick fixes are required. This specific understanding also provides organizations with necessary sources of information for eventually diagnosing potential root causes of problems, especially those problems that are systemic in nature.

When an event occurs, the organization should create a cause map: a diagram that works backward from the incident, linking each effect to the causes behind it, until the chain reaches causes that have no further explanation within the organization's control. Those are the root causes.

At a high level, the cause map gives a visual representation of the event by answering three questions:

  1. What happened
  2. Why it happened
  3. What to do to reduce the likelihood of it happening again

Of course, each of these steps requires careful and objective analysis performed by those with both subject matter expertise and background knowledge of the circumstances leading up to the incident.
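The following is an added example, not code from the original article or from Sword & Shield: a small cause-map model that carries out the three steps above and also illustrates the NIST distinction between symptom-level and root-cause-level understanding. The incident, the cause-and-effect links and the corrective actions are constructed for illustration and do not describe a real breach. A root cause is any node in the map that is never itself the effect of something else; a systemic root cause is one that sits at the head of more than one causal chain, so one fix removes several symptoms.

```python
from collections import Counter, defaultdict

# Constructed cause map for a hypothetical incident: each tuple is (cause, effect).
# Several distinct symptoms deliberately trace back to one systemic cause.
CAUSE_MAP = [
    ("No secret scanning in CI pipeline", "API key committed to public repository"),
    ("API key committed to public repository", "Attacker obtained valid API key"),
    ("Attacker obtained valid API key", "Customer records exported"),
    ("No rate limiting on export endpoint", "Customer records exported"),
    ("No secret scanning in CI pipeline", "Database password in build log"),
    ("Database password in build log", "Attacker connected to database"),
    ("Attacker connected to database", "Customer records exported"),
]

# Constructed corrective actions for the "what to do" step, keyed by root cause.
# Deliberately incomplete so the coverage check below has something to report.
ACTIONS = {
    "No secret scanning in CI pipeline":
        "Add pre-commit and CI secret scanning; rotate every exposed credential",
}


def build_graph(edges):
    """Index the map in both directions: cause -> effects and effect -> causes."""
    effects_of = defaultdict(list)
    causes_of = defaultdict(list)
    for cause, effect in edges:
        effects_of[cause].append(effect)
        causes_of[effect].append(cause)
    return effects_of, causes_of


def root_causes(edges):
    """Step 2 ('why'): nodes that are never the effect of anything else."""
    effects_of, causes_of = build_graph(edges)
    nodes = set(effects_of) | set(causes_of)
    return sorted(n for n in nodes if n not in causes_of)


def causal_chains(edges, incident):
    """Step 1 ('what happened'): every path from a root cause to the incident."""
    _, causes_of = build_graph(edges)
    chains = []

    def walk(node, path):
        if node not in causes_of:          # reached a root cause
            chains.append(list(reversed(path)))
            return
        for cause in causes_of[node]:
            if cause in path:              # guard against a cycle in a mis-drawn map
                continue
            walk(cause, path + [cause])

    walk(incident, [incident])
    return chains


def systemic_causes(edges, incident):
    """Root causes at the head of more than one chain: fixing one removes several symptoms."""
    counts = Counter(chain[0] for chain in causal_chains(edges, incident))
    return sorted(c for c, n in counts.items() if n > 1)


def unaddressed_root_causes(edges, actions):
    """Step 3 ('what to do'): root causes with no corrective action assigned yet."""
    return [r for r in root_causes(edges) if r not in actions]


if __name__ == "__main__":
    incident = "Customer records exported"
    for chain in causal_chains(CAUSE_MAP, incident):
        print(" -> ".join(chain))
    print("root causes:", root_causes(CAUSE_MAP))
    print("systemic:", systemic_causes(CAUSE_MAP, incident))
    print("still unaddressed:", unaddressed_root_causes(CAUSE_MAP, ACTIONS))
```

Run on the constructed map, the code finds three chains leading to the export, two root causes, and flags the secret-scanning gap as systemic because two of the three chains start there. The final check is the one a practitioner most wants after the analysis: any root cause without an assigned action is a lapse that an attacker can use again, which is exactly the failure the next section warns about.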

Objectivity and Expertise Are Key

NIST SP 800-30 Rev. 1 defines Root Cause Analysis as “a principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.”

Because your own employees might not have the right skills, or might be too invested in the situation to classify risks objectively, it is important to engage a neutral third party to investigate the causes behind a data breach or other cybersecurity incident.

Skilled incident responders can find the root cause of a breach, develop a remediation roadmap and implement measures to prevent a recurrence. Failing to fully remediate the lapses in information security that the analysis uncovers increases the chance that attackers can successfully target your enterprise again.

Root Cause Analysis Services

Sword & Shield Enterprise Security Inc. specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions.

If you need help discovering the root causes of cybersecurity incidents and want to develop the most effective response plan, please contact us at 865-244-3500, via email at secureme@swordshield.com or by filling out a consultation request.
