infoTECH Feature

October 16, 2015

In Cybersecurity, "Whodunit?" is Much Less Important Than "What Do We Do Now?"

A strange shift has occurred in the world of cybersecurity media coverage. It used to be that journalists covering data breaches focused on what types of data were taken and what kind of damage the event would cause the company. These days, when a major data breach occurs, who committed the breach often takes the spotlight away from the more important fact of how it was achieved.

There are more important questions than “whodunit” when it comes to network breaches and data theft.

Asking the Right Questions

When your system is hacked, there are five questions that are more important to ask than who was responsible:

  • “What was the means of entry?” Network visibility is essential. If security managers have a real-time view of every connected device, every authorized user and how secure each device is, they have a better chance of pinpointing the weakest links in their armor.
  • “What can be done to fix it?” Repairing the damage is more important than placing blame, and speedy remediation is dependent on good visibility. The faster you can see and determine the size of the rip in your safety net, the faster it can be repaired. Companies have a clear fiscal incentive to minimize downtime, so this element is critical to running a business seamlessly. 
  • “How much was stolen?” It can take an agonizingly long time to determine the scope of a data loss. This is especially damaging when a data breach affects consumers. Quantifying the breach with speed and confidence causes an affected company less harm in the long run.
  • “Are we still compromised?” After a breach has been detected, a lot of energy is put into stopping it and assessing the extent of the impact. However, without proper visibility, most companies are left wondering if they are still being breached – that is, whether the attackers left undiscovered backdoors that will allow them back into the company’s systems later, once the incident response winds down.
  • “What can we learn from this?” To ensure that the same infiltration tactic never works twice, cyberdefenses must evolve: intelligently, automatically and rapidly. Pragmatic, real-world defense depends not on making a network impenetrable, but on making it so challenging to crack that most attackers will eventually move on to easier targets.

Asking these five questions is more complex and time-consuming than merely asking “whodunit?” but they zero in on the key information needed to mitigate and prevent cyberattacks.

Keep Your Focus, Defend Your Network

It’s human nature to want to solve the crime and capture the attacker. But in cyberspace, being able to pinpoint the identity, location and sponsor of the attack is often a waste of energy. Instead, focus on creating dynamic defenses that make hackers’ lives so difficult that they turn away in favor of an easier mark. Yes, there’s something satisfying about being able to say “whodunit,” but when it comes to defending your network, attribution is merely a diversion.

With more than 15 years of business experience in the high-tech industry across Europe and North America, Pedro Abreu brings a deep understanding of all go-to-market aspects to his role of CSO at ForeScout, along with knowledge of building highly effective teams and developing strong relationships with clients and stakeholders.




Edited by Kyle Piscioniere