One of the most common misconceptions about data breaches is that the heaviest toll falls on the reputations of federal IT leaders, since they are responsible for protecting their agency against a breach. However, headlines from recent data breaches, across both the federal and private sectors, reveal that in addition to the damage a breach can inflict on an organization’s reputation, serious financial costs are also likely to be incurred.
As cybersecurity concerns continue to rise to the top of the agenda of federal agencies, it is important to consider why a particular department may be targeted and how prepared agency leaders are to withstand a sophisticated attack from a cybercriminal or nation-state group.
Breakout Time: A Critical Cyber Metric
If a federal entity is in fact breached, speed is one of the most critical factors in the remediation process. CrowdStrike recently unveiled a new cyber metric in its 2018 Global Threat Report, called “breakout time.” CrowdStrike found that, on average, organizations have only one hour and 58 minutes to detect and eradicate an intruder before the intruder moves from the initial entry point to compromise additional IT systems and wreak havoc on the enterprise.
There are three key metrics that can help your agency estimate its readiness to defend against a breach:
- Time to detect an intrusion
- Time to investigate an incident: understanding its criticality and scope, and what response actions are necessary
- Time to respond to the intrusion: eradicating the adversary and implementing containment measures to prevent further damage
Best Practices: A Numbers Game
The most cyber-prepared federal institutions should aim to detect an intrusion in under a minute, perform a full investigation in under 10 minutes, and eradicate the adversary from the environment in under an hour in order to effectively combat sophisticated cyber threats.
Agencies that follow this 1-10-60 rule are much more likely to eradicate the adversary before the attack leaves its initial entry point, minimizing impact and further escalation. Visibility across the network is also critical to detect stealthy attackers who may behave like insiders. The use of innovative technology such as machine learning, endpoint detection and response, and next-generation antivirus will expedite the ability to pinpoint known and unknown threats that may be lurking on the network while increasing visibility across all of the endpoints in the enterprise.
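The three metrics and the 1-10-60 targets can be measured against an agency’s own incident records. The following script is an added example, not CrowdStrike’s code or the article’s: it takes a constructed set of incident timelines (the intrusion time is assumed to have been established by forensics after the fact), computes median detect, investigate and respond times, reports which phases miss the 1-10-60 targets, and counts how many incidents were eradicated within the 1h58m average breakout time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Targets from the article: detect in 1 minute, investigate in 10, respond in 60.
BENCHMARKS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "respond": timedelta(minutes=60),
}
# Average breakout time reported in CrowdStrike's 2018 Global Threat Report.
BREAKOUT_TIME = timedelta(hours=1, minutes=58)


@dataclass
class Incident:
    name: str
    intrusion: datetime     # initial entry, assumed to be reconstructed from forensics
    detected: datetime      # first alert on the intrusion
    investigated: datetime  # scope, criticality and response actions understood
    eradicated: datetime    # adversary removed and containment in place

    def metrics(self):
        """Duration of each phase, keyed like BENCHMARKS."""
        return {
            "detect": self.detected - self.intrusion,
            "investigate": self.investigated - self.detected,
            "respond": self.eradicated - self.investigated,
        }

    def beats_breakout(self):
        """True if eradication finished before the average breakout time elapsed."""
        return self.eradicated - self.intrusion <= BREAKOUT_TIME


def assess(incidents):
    """Return (median duration per phase, phases missing 1-10-60, incidents beating breakout)."""
    per_phase = {phase: [] for phase in BENCHMARKS}
    for inc in incidents:
        for phase, duration in inc.metrics().items():
            per_phase[phase].append(duration)
    medians = {phase: median(durs) for phase, durs in per_phase.items()}
    missed = [phase for phase, m in medians.items() if m > BENCHMARKS[phase]]
    within_breakout = sum(inc.beats_breakout() for inc in incidents)
    return medians, missed, within_breakout


# Constructed sample timelines (hypothetical incidents, not real data).
T = datetime.fromisoformat
SAMPLE_INCIDENTS = [
    Incident("inc-1", T("2018-05-01 09:00:00"), T("2018-05-01 09:00:30"), T("2018-05-01 09:08:00"), T("2018-05-01 09:50:00")),
    Incident("inc-2", T("2018-05-02 10:00:00"), T("2018-05-02 10:45:00"), T("2018-05-02 11:10:00"), T("2018-05-02 12:30:00")),
    Incident("inc-3", T("2018-05-03 13:00:00"), T("2018-05-03 13:00:40"), T("2018-05-03 13:12:00"), T("2018-05-03 13:55:00")),
]
```

Running `assess(SAMPLE_INCIDENTS)` on the constructed data shows a median investigation time above the 10-minute target while detection and response are within target, and two of the three incidents eradicated inside the breakout window.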
Thinking like the Adversary
To better understand cyber risks, leaders must think more broadly about digital assets and targets. This requires a change in thought process: trying to get into the mind of the adversary. Nation-state and eCrime adversaries often go after high-value assets and targets, including the systems, persons, applications, and data sets that hold the organization’s most valuable data and/or can grant them access to other critical systems via lateral movement.
Government leaders should teach their personnel to think about the big picture when assessing and prioritizing the top assets they need to protect. Cyber threat actors often focus their efforts on an organization’s more senior leaders because of the influence they wield and the information they have access to. As such, those in the federal space need to make sure they have taken the appropriate steps to secure all endpoints within their agency and strive to implement the 1-10-60 rule.
Given today’s sophisticated threat landscape, it is imperative that federal entities and other public sector agencies are aware of the critical data that their particular department presides over and has access to. It is also critical to understand the importance of cyber hygiene and best practices. The 1-10-60 rule and breakout time are clear benchmarks that measure your organization’s cyber readiness to withstand today’s sophisticated threats.
James Yeager is the vice president of public sector and healthcare for CrowdStrike.