IBM: Fewer records are being breached, but cyber attacks are getting more costly

Incident response research from Big Blue offers surprising results, as hacks get more serious but defenders improve their tools and training. IBM's Wendi Whitmore explains.
Written by Jason Hiner, Editor in Chief

ZDNet editor Jason Hiner spoke with Wendi Whitmore, Global Lead for IBM's Incident Response Team, at this year's RSA Conference. Whitmore is also a former special agent for the U.S. Air Force, where she worked on the cybercrime team.

Watch the video, or read the transcript below:

Jason Hiner: Talk a little bit about what you do at IBM.

Wendi Whitmore: Certainly. I lead a team at IBM called X-Force IRIS, which is our Incident Response and Intelligence Services team. So we're the global response team for all of our external clients. So we do things like respond to security breaches, receive phone calls, jump on airplanes. We also do proactive work to help our clients better mature their incident response programs, remediation, as well as develop threat intelligence.

Jason Hiner: You've been doing incident response for a long time in a number of different roles. Why don't you talk a little bit about what you did before IBM.

Wendi Whitmore: Sure. So I have been doing this quite some time. I started in the Air Force as a computer crime investigator, and a special agent for an organization called Air Force OSI. That was a really exciting role. And from there I joined Mandiant, did computer crime investigations and incident response for them for quite some time, and then joined the CrowdStrike Services team and led that consulting practice globally prior to coming to IBM to lead the X-Force team.

Jason Hiner: So X-Force also does a good deal of its own research and its own look at what's happening in the industry. Could you put in perspective where we're at in incident response today, compared to the last few years?

Wendi Whitmore: Sure, we just recently released this year's threat index, which is our annual report talking about the types of trends we're seeing. So one of the big statistics that came out was that in 2017, there were fewer records breached than previously--down by about 25% to 2.9 billion versus 4 billion the year before. So we might look at that and say, "Oh, that's great news. We're making progress," right? And in many ways, we're making a lot of progress.

But the reality is that many of the breaches we're seeing are having greater impact than we've seen in the past. And a lot of them are combined with ransomware type of techniques that don't necessarily get reported the same way that the other data breach disclosure and records get reported. Some examples would be the NotPetya attacks that occurred last year. You have an organization like Maersk, which publicly reported a loss of between 200 and 300 million dollars.

That's really unprecedented. So you see kind of the impact that these kind of attacks are having, especially when they're destructive malware, meaning data is wiped or removed from an environment, or maybe it's simply encrypted and the organization doesn't have access to it. They not only then have lost data, but they need to rebuild their environment, and that takes time and increases cost.


Jason Hiner: So how about the sophistication of the bad actors--are we seeing their sophistication level ramp up faster than the companies that are trying to defend against them? And also, how about the nation state actors now being part of this?

Wendi Whitmore: So it's a great question, and I think that you can almost combine your two questions into one trend that we see that's very common, which I would call convergence. That's convergence of different actors or different groups of attackers using overlapping malware sets and overlapping infrastructure to conduct their activities. And now it's not so much a matter of just what nation states are doing, but organizations who may be renting malware, renting botnets and command and control infrastructure having a very similar level of impact to the destruction. And when we look at attacks, I always tell our clients, the win isn't that you don't get attacked and you're never breached. That's pretty unrealistic today. The reality is the win is if you can limit the impact within your environment. So limit [the impact on] a single system or a handful of systems from becoming 100 to 1000s in a matter of hours, in the case of a ransomware attack.

In an intellectual property attack, limiting that to systems that ideally aren't as critical. So preventing the attacker from getting to things like critical servers in the environment. And so going back to your question about who's doing this. Well, we're really seeing that organizations and our clients have to be effectively prepared to defend against such a wider array of attackers. Even organizations that are maybe just you and your friends getting together [to form a small business], and you guys have some great skills, you probably now have access to great infrastructure, to really good tools that are as good at times as what nation state actors are using, and you might actually run your attack group like a business, with ROI on the targets that you're going after.

Jason Hiner: So let's talk a little bit about GDPR. It's the elephant in the room in the security industry this year in many ways. And there are some issues that are going to affect security [teams] and their response directly. What are those?

Wendi Whitmore: There's kind of a wide variety. I guess the way I would start it, I think the intent of GDPR is excellent from a privacy perspective and really driving organizations to increase their preparedness and how they look at protecting their clients' data. A few things along with GDPR though. I think one of them that causes many of us responders concern is the 72 hour time clock to do a notification.

Many times in the wake of a breach, you don't know a tremendous amount of information at 72 hours, and the data you have are really initial data points, and you're starting to then pull through and build the story of what collectively actually happened. So the requirement to notify and have the expectation that organizations know exactly what happened at that time, I think that's a challenging one.

I think the intent is certainly that we're more transparent in our communications. So those types of things are certainly positive. But when we look at response in general, I think we always talk about "time being money." So the faster an organization can respond, the faster they can mitigate an attack, meaning identify how the attacker got in, remove their access, and ideally prevent them from doing that in the future. The faster we can do that, the less expensive an attack is.

So in general, organizations who respond and contain a breach within 30 days or less will save $1 million over those that take longer than 30 days to do so.

Jason Hiner: You mentioned the X-Force research that you did. What were some of the other big takeaways from your research that are worth highlighting?

Wendi Whitmore: When we look at trends moving forward in this year and years beyond, I think we're really gonna see more of a focus on destructive malware attacks. So things like ransomware, for example, that are repurposed for other destructive means. And the reality is that significantly increases the cost. I mentioned that stat before--the 200 to 300 million dollar loss. And a lot of that's related to having to rebuild infrastructure and environments. So what we're doing with our clients is to really focus on getting kind of back to basics, and things like authentication controls and account segregation, and making sure that it's more difficult for an attacker--if they compromise one [system], that they can't then compromise 300 to 10,000 in a matter of hours. Because that's really what starts causing these costs to skyrocket.


Jason Hiner: When a CIO wants to work with your group, wants to bring you on to consult with them, what kind of work do you do? Where do you start when you have a new client, for example, that says "I need some help. Some of this stuff is a big threat to us, and we know we're not doing a good enough job. Where do we start?"

Wendi Whitmore: So I think where we typically always start is getting an understanding of what type of foundation do they have set up today. And that usually starts with an incident response plan. A recent stat we have is up to 77% of organizations don't have incident response plans. And I would say, kind of living this, I certainly feel that. There are organizations who are kind of scared to document things, put them on paper. But the reality is that's where we need to start--even if you're just beginning, that's alright. Get it on paper. Get some phone numbers on paper, and some processes down about what you're doing today.

And then from there, we have a wide variety of clients. Many are quite mature. They've had incident response plans for years. They've tested. They have matured them. And ultimately what we want to continue doing is identifying where do we stand today. And from today, what kind of gaps exist within the environment, and how do we compare that to the types of threats that are most likely to impact your organization. In order to do that most effectively, it requires pretty rigorous testing, so that's everything from things like red team testing to actual scenario-based testing. And one of the things that's unique at IBM is we built one of the first commercially available cyber ranges, where we can actually take a tabletop scenario where we might test different executives and technical responders and analysts, bring them all in one room. Previously that's been done through PowerPoint exercises and paper-based drills. And now we're able to take them into this immersive environment where they've got media screens. They've got phones ringing. They've got news outlets calling, and they've got, actually, their technology. So their workflow systems, their analytics engines are built into this environment. And we're able to really make it real. And from that, you can quickly identify gaps, and then we help them close them before an attacker identifies them.

Jason Hiner: For a company that doesn't have an incident response policy today, our research site Tech Pro Research offers a template. Does [your team] offer a place for them to start, even if they're starting from zero?

Wendi Whitmore: Absolutely. One of the foundations of our organization is Resilient, which is a technology that IBM acquired two years ago. And ultimately in there we're able to build playbooks, workflow, tracking systems for all of this, and it's really geared towards incident response diagrams and programs. And so that's usually where we start. If an organization doesn't have that technology, then we're going to start at helping them document, [we'll] have the templates available, and then really build that regularly scheduled interval testing with them.

Jason Hiner: From your perspective of seeing so much of the industry and seeing so many different companies, as you look forward, what are the things that scare you the most? And then what are the things that you're most optimistic about in terms of the progress that we're making in cybersecurity and incident response?

Wendi Whitmore: Well, I think I would tie those together. So from the perspective of where we are as an industry moving forward, organizations are getting better every day. Technologies are better. People are smarter. We're training the workforce at a younger age to come in with the right skillset. And we're seeing organizations dedicate more of their budget to things like proactive approaches to security--so not just believing that a breach is never going to occur, but instead preparing, building technologies, and building a staff that can respond to that.

On that same note, I think the biggest challenge we see today is when it comes to breaches, the perception of how an organization responded and the communication in the wake of a breach are really what's most critical. So truly working with organizations to alert them of that fact, to get them connected to the right professionals in advance. Certainly, having an incident response team, but also having a communications team that focuses specifically on crisis communications, and having crafted holding statements in advance so that you're not caught off guard if the media gets a hold of a breach. Or maybe you have an employee that tweets out a photo of a piece of destructive malware on one of your systems. These things have all happened. And so organizations really needing to be prepared for that communication strategy, especially as we see more regulation coming on board, which we'll certainly continue to do.

Jason Hiner: What does the industry need to do to better educate not only CIOs but business leaders [and] IT, the people who are on the front lines of this, so that they can be more proactive and not as reactive as we often are today?

Wendi Whitmore: I think that's one of the challenges we see, especially at a big organization like IBM. Our clients, on average, have up to 80 different [security] technologies that they're managing just to do their daily workflow and their job. That can become pretty unsustainable and pretty challenging. And even with all of those technologies in place, the reality is that you could still be breached. So what we're really focusing on is the integration of that ecosystem, and just taking everything up a level in terms of making it easier to deliver these services for our clients--not providing them what I would call homework-based services, where we identify something and then I hand it back to you and say, "Hey, good luck."

But instead, getting to the ability for us to actually remediate systems remotely, to help our clients' organizations stop those breaches as they occur. And I think the industry as a whole is really moving towards that. But there are certainly some challenges with that, so we've got to look at collectively how do we do that, by always keeping the business risk and the business operations first and foremost.


Jason Hiner: What are some examples of companies you feel like have come a long way. [And] if you can't say specific names of companies, where have you seen some really good work done in companies that maybe weren't doing so well, and now have come all the way to the point where they are in great shape, and have learned a lot and are doing a lot?

Wendi Whitmore: As you mentioned, I certainly can't talk about our clients. But one organization I think was very public this year in a really positive way was Maersk. I mentioned the damage they reported in terms of financial loss. But in terms of actually managing a breach and the response and the communication side of it, they are widely seen as a huge success. You have the CEO coming out very proactively in the early hours of a breach saying, "We are having an issue. What I've told all of my staff around the world is that you make decisions based on what's best for our clients."

And to really have that come from the CEO and permeate down to the rest of the organization, you just heard this collective almost sigh of relief that wow, we have an organization that's really stepping out, taking some leadership, doing the right thing for their clients. And you can see that even in some dark hours and days, while they were challenged to operate, they were actually being seen as a success. So I think that's something that many organizations and the rest of us can certainly take note of.

IBM's Wendi Whitmore

Jason Hiner interviews Wendi Whitmore at the 2018 RSA Conference.

Image: RSAC TV