Using Root Cause Analysis After a Cybersecurity Incident
There were 1,579 breaches reported in the U.S. in 2017, according to the Identity Theft Resource Center (ITRC). This represented a 44.7 percent increase over incidents reported for 2016. Your enterprise might be next. It’s important to learn about incident response, including a root cause analysis.
The best defense for your business is prevention. However, when an incident does occur, it’s important to use the opportunity to learn as much about it as possible.
Applying the lessons learned through a root cause analysis to harden your security posture will make it more difficult for attackers to victimize your business again.
Using Root Cause Analysis to Get to the Bottom of the Problem
Trying to make good cybersecurity decisions without sufficient information is a recipe for failure. A vital tool for proper incident response is Root Cause Analysis. According to the National Institute of Standards and Technology, enterprises must not only understand individual vulnerabilities but what ultimately causes them:
Vulnerability identification can be accomplished at a per-individual weakness/deficiency level or at a root-cause level. When selecting between approaches, organizations consider whether the overall objective is identifying each specific instance or symptom of a problem or understanding the underlying root causes of problems. Understanding specific exploitable weaknesses or deficiencies is helpful when problems are first identified or when quick fixes are required. This specific understanding also provides organizations with necessary sources of information for eventually diagnosing potential root causes of problems, especially those problems that are systemic in nature.
Data Breach Analysis Step 1: Creating a Cause Map
When an event occurs, the organization should start its data breach analysis by creating a cause map. This connects individual cause and effect relationships to reveal the root cause of the incident.
At a high level, the cause map helps to create a visual representation of the event by determining the following:
- What happened
- Why it happened
- What to do to reduce the likelihood of it happening again
Of course, each of these steps requires careful and objective analysis. This must be performed by those with both subject matter expertise and background knowledge of the circumstances leading up to the incident.
Objectivity and Expertise is Key
The NIST defines Root Cause Analysis as: “a principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.”
Because your own employees might not have the right skills or be too invested in the situation to objectively classify risks, it’s important to hire a neutral third party to investigate the causes behind a data breach or a cybersecurity incident.
Skilled incident responders can find the root cause of breaches, develop a remediation roadmap, and implement future prevention efforts. Not taking the necessary steps to fully remediate lapses in information security will increase the chance that attackers can successfully target your enterprise again.
Cyberattacks happen. Data breaches occur. It’s often what you do following a breach that sets your future course.
Root Cause Analysis Services
Sword & Shield Enterprise Security specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions.
If you need help discovering the root cause of a cybersecurity incident and want to develop the most effective response plan, please contact us by filling out a consultation request.