We've heard it many times in many forms: expect to be breached, expect that you've been breached, expect that you are being breached. The unfortunate reality is that most organizations don't even know they've been compromised and therefore do nothing to block the spread of the malware, contain the damage, prevent loss of information, or even recover from the technical problems that come with the compromise.
Assuming the adversary makes it in, the question remains: How long after a breach occurs can the organization remediate and prevent further damage? This is where security response becomes critical.
This article covers many sub-topics, including:
- Identifying the compromise
- Getting back online
- Stopping the bleeding
- Detecting the adversary
- Leveraging human knowledge
- Data integrity