Anyone well versed in cybersecurity is familiar with the parameters of incident response. Following a data breach or other incident, the attack vector and affected systems are identified, the holes are plugged, and a forensic examination takes place.
If it’s a major incident that makes headlines, say a data breach at a Fortune 500 company or a top U.S. government agency, then some of the big guns in incident response — Mandiant, CrowdStrike, etc. — may be brought in to investigate.
Less glamorous, but arguably just as important, is the post-incident response. This isn’t about better defending the targeted organization, remediating flaws or preventing future incidents.
Instead, it’s about determining what kind of data may have been stolen or compromised, especially personally identifiable information (PII) and personal health information (PHI). It also involves compiling lists of the affected parties, clients and individuals to be notified.
“We operate in a niche space in breach response,” explains Stephen Kennedy, Director of Client Services, Managed Review, and Cyber Incident Response Services at Conduent, provider of digital business solutions and services spanning the commercial, government and transportation spectrum. “Typically, we come in after the breach has been contained, identified, and mitigated. We handle the human element of the response.”
It’s not quite cybersecurity
Conduent’s post-incident response services touch upon cybersecurity, but the company is adamant that it’s not in the same line of work as the forensic experts who try to figure out how attackers penetrated a network.
“We swim in that same ecosystem, but we would never market ourselves as a cybersecurity company,” says Kennedy. “If you said to me, ‘Steve, here’s a system. Go look at and tell me how these guys got in,’ I wouldn’t even pretend to know where to go with that. That’s not what we do.”
Conduent was spun out of Xerox’s Business Services division in 2017, and its core mission is still providing digital services, especially data-processing services, to organizations in a dozen different industries, including banking, government and healthcare.
The post-incident response team is part of Conduent’s Legal, Compliance and Analytics division. One of the division’s core competencies is eDiscovery, or electronic discovery — the process of sifting through mountains of electronic data to find evidence pertaining to litigation, investigations or other legal matters.
“What we bring to the table that other companies don’t,” Kennedy says, “is a bespoke solution informed by the business that we’ve been in for decades, which is eDiscovery.”
What post-incident response is
While eDiscovery is a core part of litigation preparation, the process is also tremendously helpful if you’re trying to determine which of the thousands or millions of documents and other electronic records compromised in a cybersecurity incident might contain sensitive or personal data — Social Security numbers, health records, credit-card numbers, and so forth.
That process is the greater part of post-incident response.
“Data culling, minimizing data, reducing what a review team would look at in traditional litigation — those same techniques can be applied here,” says Kennedy. “Eliminating the white noise, eliminating documents, things that are not going to contain PII, PHI, other sensitive information.”
Conduent calls its post-incident response service CyberMine and breaks the process down into three parts.
First, after the compromised data has been identified and segregated, it is handed off by the client, or the external incident-response company, or the client’s insurance carrier, or even a specialized firm called a breach coach to Conduent to be analyzed and mined.
“We don’t even know the full details because, for obvious reasons, clients don’t want to give that information out, and we don’t need it to do our bit,” says Kennedy.
“Once they’ve identified what’s been hit, they send us the data, and we can tell you whether there’s three hundred people or one thousand people or a million people, where they lived, and as much of their information, unfortunately, as is in in that data set.”
Credit: Conduent
Any “responsive” data such as credit card numbers, Social Security numbers, full names, dates of birth and health records then will be extracted and presented to the client. One of the aims of Conduent’s post-incident analysis is to avoid duplication and minimize the amount of significant information to be acted upon.
“We do a lot of sampling of data, taking that those findings back to a client, and continuing to do that process, because ultimately, we want to have people look at as little as possible,” says Kennedy.
Minimizing the data also helps the clients save money, he adds, relating the case study of a client that began with 4 million records that Conduent pared down to 15,000 relevant ones.
“We probably saved them close to half a million dollars by taking that approach, ” he says. “There’s no great benefit to us other than doing what was right for the client, which is always the goal.”
Once the data has been thoroughly analyzed, Conduent can create an “entity list” of the affected parties, whom the client then notifies. Kennedy told us that artificial intelligence is now being used to compile those notification lists.
“We can feed it addresses, and it can do matching, and it does a lot of the work that we need to do to get that list down to where it’s manageable and as accurate as possible,” he says. “We often see cases where we’ll collect 20 million names, 20 million lines of data in total, and there ends up being 200,000 people from those 20 million names because there’s so much repetition in the process.”
The role of automation
Wrestling with huge amounts of data is partly automated through the use of an eDiscovery tool Conduent has called Viewpoint, which uses industry-standard technology assisted review (TAR) and computer assisted learning (CAL) process to quickly rip through large datasets.
Kennedy explains that CAL watches the determinations made by human reviewers about whether certain types of information — says, nine-digit strings that could be Social Security numbers — in a small amount of data are significant and should be extracted.
It then extrapolates those rules on larger amounts of data so that significant bits of information can be quickly found, ranking its discoveries in order of likely importance. Of course, “quickly” can be a relative term.
“You can imagine what an Excel file with millions of rows of data — how long does it take to run a filter on a 5 million rows?” says Kennedy. “Sometimes that will run for hours, just handling those aspects of the data.”
However, clients’ legal teams are often suspicious of CAL and other forms of automation, because there’s a risk it might have missed something.
“You don’t want to get up to the judge and say, ‘Well, we didn’t produce the smoking gun because the computer algorithm said we didn’t need to.’ That’s not usually not going to go over very well,” Kennedy says. “What a lot of people do now is they use it just to rank data. We’ll look at the responsive stuff first, and then the other stuff towards the end.”
It’s also not always the size of the dataset that matters. Small datasets can be significant.
“A small volume of data does not necessarily mean a small impact,” he tells us. “If you have someone get the right Excel spreadsheets with all your clients and all of their information in it, it can be still quite extensive and expensive, even though it’s a fairly small dataset.”
Slower is sometimes better
Because of the increasing number of rules and regulations surrounding data breaches and other incidents, such as the U.S. Security and Exchange Commission’s four-day notification rule for “material” incidents, post-incident response has bearing upon compliance.
But, Kennedy warns, you have to be careful with the terminology used.
“‘Breach’ is a real term of art,” he says. “If someone breaks into your house and walks from the front door to the back door and doesn’t take anything, is that a breach? I don’t want to weigh in one way or the other, but there are lawyers in New York making $3,000 an hour who will be happy to spend 20 hours to answer that question.”
“That’s why we use POST incident,” he adds. “Because incident is, ‘It’s an incident.’ There’s lots of incidents. Not all of them are breaches.”
Does that mean that Conduent is going to rush through its data analysis to get the final results to the clients as fast as possible?
No, says Kennedy, because taking it slowly and deliberately gives you a better view of the data, and involving the client throughout every step of the process often yields better results.
“This can be a very frenetic business where things are happening very quickly, and there’s tight deadlines,” he says. “But sometimes just if you slow down a bit, think, plan, prepare and then execute, the benefits can be really tangible.”
© Copyright 2024 CNB Tel. All rights reserved