Did you know that over 65% of Global 2000 organizations take one or more days to respond to a trust-based attack that has infiltrated the enterprise network? When it comes to remediation of any attack on the enterprise, the longer it takes to remediate the breach, the more time cybercriminals will have to implement backdoors and to steal more data, which means the damage will be even worse!
In the unfortunate case of a data breach, there are 3 steps that should be taken immediately and pursued until full remediation has been achieved:
Reducing the time required to identify all systems impacted by a breach is paramount
Rapid remediation of a breach requires swift action
Remediation includes validation that the adversary does not still have access to the network
Even when detected, it is often very difficult to remove an adversary’s access from the network. They prey on the knowledge that most Global 2000 organizations do not have a clear grasp of security related to keys and certificates. Heartbleed is a good example of this.
Months after the vulnerability was discovered, the majority of Global 2000 organizations still had only partially remediated Heartbleed. Why? Because they did not fully comprehend the consequences of failing to replace all keys and certificates, as recommended by industry experts. The results were catastrophic. Organizations need the ability to completely respond to all breaches that impact keys and certificates immediately, as it’s the only way to keep their business secure.
Swift action is required when remediating any attack. Trust-based attacks are among the worst kind out there because the adversary has trusted status on the network and can implement backdoors for consistent access. Next Generation Trust Protection helps organizations address trust-based attacks more swiftly than other techniques, thereby reducing the overall impact to the organization.
When remediating a breach, it is vital to understand which systems have been impacted. For example, if the breach is confirmed to be exploiting SSH, every system that is accessible via SSH and every SSH key in the network needs to be accounted for. By establishing a comprehensive understanding of SSH usage in the enterprise, the process of identifying the impact is dramatically accelerated. This is true for all types of key and certificate compromises, including those used for SSL, SSH, mobile, and authentication. This is only possible with complete visibility and a full inventory of all machine identities on your network, something that a machine identity control plane can help you achieve.
Once a breach is confirmed, the clock starts ticking. Adversaries work under the assumption that they will be discovered quickly, and continuously take countermeasures so that they are not locked out of the environment. With a trust-based attack, this would involve insertion of rogue keys and certificates that would allow future access. Just as user passwords are rotated, keys and certificates should be replaced and rogue ones deleted in an expedited manner—and this must be done faster than an adversary can add new ones.
Once remediation of a breach has been completed and credentials like keys and certificates have been replaced, it is critical to validate that the remediation process was completed successfully. A single credential that was missed may mean the breach continues, because the adversary still has access. By cross-referencing the breach report with the remediation report, organizations can be confident that their remediation process was successful.
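The three steps above (scope the impacted systems, replace compromised keys and delete rogue ones, then validate by cross-referencing a fresh scan against the breach report) can be expressed as checks over a key inventory. The following Python is an added illustration and not Venafi's code; every host, key and breach-report entry in it is constructed sample data, and the `fake_key` stand-ins are only there so the fingerprinting runs offline. The fingerprint routine itself follows the OpenSSH convention of SHA-256 over the decoded key blob.

```python
"""Scope, remediate and validate an SSH-key compromise across a host
inventory. Added illustration, not Venafi code; every host, key and
'breach report' entry is constructed sample data."""
import base64
import hashlib


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one public-key line
    ('type blob comment'): SHA-256 over the decoded blob, base64 without
    padding, as `ssh-keygen -lf` prints it. The blob is hashed as opaque
    bytes, so the constructed stand-in keys below work as well."""
    blob = pubkey_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fake_key(label: str) -> str:
    """Constructed stand-in for an authorized_keys line. The 'blob' is just
    the label, base64-encoded, so the example runs offline."""
    return f"ssh-ed25519 {base64.b64encode(label.encode()).decode()} {label}"


# Approved inventory (what a machine identity control plane holds):
# fingerprint -> owner. Constructed.
APPROVED = {ssh_fingerprint(fake_key(k)): k for k in ("deploy@ci", "alice", "bob")}

# Per-host scan of authorized_keys taken when the breach was confirmed. Constructed.
SCAN_BEFORE = {
    "bastion": [fake_key("deploy@ci"), fake_key("alice")],
    "db01": [fake_key("deploy@ci"), fake_key("unknown-key")],  # rogue key present
    "web01": [fake_key("bob")],
}

# Breach report: the key the adversary is known to hold. Constructed.
BREACH_REPORT = {ssh_fingerprint(fake_key("deploy@ci"))}


def scope_breach(scan, compromised):
    """Step 1: every host on which a compromised key grants access."""
    return sorted(host for host, keys in scan.items()
                  if any(ssh_fingerprint(k) in compromised for k in keys))


def remediation_plan(scan, approved, compromised):
    """Step 2: per host, compromised keys to replace and rogue (unapproved)
    keys to delete. Returns {host: {'replace': [...], 'delete': [...]}}."""
    plan = {}
    for host, keys in scan.items():
        replace, delete = [], []
        for k in keys:
            fp = ssh_fingerprint(k)
            if fp in compromised:
                replace.append(fp)
            elif fp not in approved:
                delete.append(fp)
        if replace or delete:
            plan[host] = {"replace": replace, "delete": delete}
    return plan


def validate_remediation(scan_after, approved, compromised):
    """Step 3: cross-reference a fresh scan with the breach report and the
    approved inventory. An empty result validates the remediation; any entry
    is residual access (old key left behind, or a key added since)."""
    residual = []
    for host, keys in scan_after.items():
        for k in keys:
            fp = ssh_fingerprint(k)
            if fp in compromised:
                residual.append((host, fp, "compromised key still present"))
            elif fp not in approved:
                residual.append((host, fp, "unapproved key present"))
    return residual


# Post-rotation inventory: the compromised deploy key is retired and its
# replacement approved. Constructed.
APPROVED_AFTER = dict(APPROVED)
del APPROVED_AFTER[ssh_fingerprint(fake_key("deploy@ci"))]
APPROVED_AFTER[ssh_fingerprint(fake_key("deploy-v2@ci"))] = "deploy-v2@ci"

# Two post-remediation scans. Constructed: one clean, one where a key was
# inserted on db01 between remediation and validation.
SCAN_AFTER_CLEAN = {
    "bastion": [fake_key("deploy-v2@ci"), fake_key("alice")],
    "db01": [fake_key("deploy-v2@ci")],
    "web01": [fake_key("bob")],
}
SCAN_AFTER_TAMPERED = {
    **SCAN_AFTER_CLEAN,
    "db01": [fake_key("deploy-v2@ci"), fake_key("inserted-after-rotation")],
}

if __name__ == "__main__":
    print("in scope:", scope_breach(SCAN_BEFORE, BREACH_REPORT))
    print("plan:", remediation_plan(SCAN_BEFORE, APPROVED, BREACH_REPORT))
    print("clean residual:", validate_remediation(SCAN_AFTER_CLEAN, APPROVED_AFTER, BREACH_REPORT))
    print("tampered residual:", validate_remediation(SCAN_AFTER_TAMPERED, APPROVED_AFTER, BREACH_REPORT))
```

The validation step is deliberately stricter than "is the old key gone": it also flags any key that is not in the approved inventory, which is what catches a replacement backdoor added after rotation. In practice the scans would come from the control plane's inventory rather than from the constructed dictionaries here, and the breach report would list real fingerprints.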
While these are the best steps you can take to restore security to your organization after a data breach, why wait for a catastrophic event to take the protection of your machine identities seriously! The Venafi Control Plane for Machine Identities reduces the complexity of managing all machine identities across your entire enterprise. Complete network visibility is just one of the many benefits of this platform. Want to see for yourself? Click below for a 30-day free trial, and kickstart your digital transformation today!