The US Securities and Exchange Commission (SEC) recently introduced new rules requiring covered organizations to disclose cybersecurity incidents within four business days of their discovery. The disclosures must describe “the material aspects of the incident's nature, scope, and timing, as well as its material impact.”
From an investor's perspective, this development is positive since cybersecurity incidents can significantly damage a company's finances. But this poses a challenge for organizations: can they manage to provide the necessary details within such a short timeframe? Failing to do so might lead to doubts about the company's transparency and competence, affecting its public image and eroding stakeholder and community confidence.
To address this challenge effectively, the role of audit becomes paramount. In this blog, I will discuss the changes introduced by the new SEC incident disclosure rules, the impacts of those changes on organizations, and how privileged action audits can help organizations achieve confident incident disclosure.
What’s different about the new incident disclosure rules?
Cyber incident disclosure rules are not new. What’s notable about this rule is the requirement that an incident be disclosed so soon after its discovery. Attackers work hard to maintain stealth when they gain a foothold on an organization’s computing systems because they need time to grow their attack. This means that there is often a lag of months between initial compromise and discovery. According to the IBM Security Cost of a Data Breach Report, the average time to identify and contain a breach in 2022 was 277 days (approximately 9 months). By this time, the attacker has their tendrils everywhere.
The process of stopping an attack, understanding the scope of a compromise, cleansing systems of the attacker, and investigating the attack fully requires significant expertise and time. Given the new disclosure rule, I predict that many organizations will be forced to disclose an incident while they are still in the initial phases of discovery.
This becomes an added challenge when organizations attempt to provide stakeholders with the confidence that they have the cyberattack under control. To instill confidence, incident disclosures must be as complete as possible. Would you rather be the organization that says, “We think something really bad may have happened and we’re trying to figure it out,” or the organization that can explain what happened, when it happened, what the impact was, and what’s being done to fix it? A powerful audit capability is required to create a confident disclosure in such a short timeframe.
Why is auditing critical to successfully meeting the SEC cybersecurity disclosure rule?
To illustrate how auditing can help organizations overcome their challenges and meet the new SEC cybersecurity incident disclosure rule, let's consider a metaphor.
Why might your organization want a physical safe to protect valuable documents? The most obvious answer is so they can’t be accessed or tampered with. But what about auditing? This benefit isn’t something we usually consider when we buy a safe, but a well-manufactured safe is a great audit tool.
Think about it: in the movies, safe-crackers are usually shown holding a stethoscope against the safe's door, carefully listening to the inner mechanisms to determine the combination. But that's not how modern safecracking works. Today, attackers use tools or even explosives to open a safe (or they may simply steal the entire safe along with its contents!).
Now do you see how a safe is an audit tool?
When things go wrong – when an attacker manages to cut your safe open with a plasma torch – at least you know that you were attacked, you know what was compromised, and you probably have a good idea of when and how it happened. You can explain what was taken, how it was taken, and when it was taken – and you can probably adjust your defenses so it doesn't happen again.
An audit of physical things is straightforward. A safe and its contents are things that we can see and touch. Our brains understand them intuitively. In computing, auditing is trickier because of the complexity and abstraction inherent in computer systems.
Once an attacker gains access to a network, the attack will usually proceed low and slow while the attacker uses the tricks of the trade to move stealthily through the network, all while stealing data or preparing for mischief. Whether the attacker is motivated by data theft, deployment of ransomware, or crippling your ability to operate at the worst possible time, the attacker will hide the evidence that you’ve been compromised for as long as necessary. An attacker may disable, delete, or tamper with logs. Furthermore, advanced attackers take steps to blend in with normal system activity, further hindering discovery, investigation, and response.
The Role of Endpoint Privilege Management in an Audit
To be ready for rapid incident response, audit data must be collected, managed, and available for analysis.
The primary mission of BeyondTrust’s Privilege Management for Unix and Linux is to enforce the principle of least privilege on endpoints by allowing control over privileged activities through flexible privilege elevation policies. But that’s only half of its value. Privilege Management for Unix and Linux is also a powerful tool for collecting a detailed, unimpeachable audit trail of privileged user activity on your Unix and Linux systems.
With Privilege Management for Unix and Linux, every privileged activity is captured and logged on a protected server. Policies can go so far as to specify that certain activities be fully recorded so that every input and output is captured on the audit server – and the audit data can be replicated to on-premises or in-cloud integrations, paving the way for rapid response, regardless of whether the incident was due to a cyberattack or a mistake made by an insider.
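The property that makes an off-host audit trail "unimpeachable" is that an attacker who later edits, deletes or truncates the local copy cannot do so undetectably. The following added example (not BeyondTrust product code, and not how Privilege Management for Unix and Linux stores its records) illustrates the idea with a hash-chained audit log: each record commits to the previous record's hash, and a checkpoint value standing in for the head hash held by a protected audit server lets a verifier detect records removed from the tail. The privileged-command events are constructed sample data; the function and field names are assumptions for this example.

```python
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev-hash value carried by the first record of a chain


def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes the same way
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_record(log: list, ts: str, user: str, host: str, command: str) -> dict:
    """Append one privileged-action record that commits to the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"ts": ts, "user": user, "host": host, "command": command, "prev": prev}
    body["hash"] = _digest(body)
    log.append(body)
    return body


def verify_chain(log: list, checkpoint: Optional[str] = None) -> tuple:
    """Return (ok, reason).

    Detects edited records (hash mismatch), removed or reordered records
    (chain break) and, when a checkpoint from the audit server is supplied,
    records silently dropped from the end of the log.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if _digest(body) != rec["hash"]:
            return False, f"record {i}: content altered"
        if rec["prev"] != prev:
            return False, f"record {i}: chain break (record removed or reordered)"
        prev = rec["hash"]
    if checkpoint is not None and prev != checkpoint:
        return False, "head mismatch: records missing from the tail of the log"
    return True, "ok"


# Constructed sample events (hypothetical users, hosts and commands, not real audit data)
SAMPLE_EVENTS = [
    ("2024-03-01T09:14:02Z", "alice", "db01", "systemctl restart postgresql"),
    ("2024-03-01T09:20:45Z", "bob", "web03", "tail -n 200 /var/log/nginx/error.log"),
    ("2024-03-01T11:02:17Z", "carol", "db01", "useradd svc-backup"),
    ("2024-03-01T11:05:33Z", "carol", "db01", "usermod -aG wheel svc-backup"),
]


def build_sample_log() -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append_record(log, *event)
    return log


def run_demo() -> dict:
    """Exercise the verifier against an intact log and three kinds of tampering."""
    log = build_sample_log()
    # The checkpoint stands in for the head hash replicated to the protected audit server
    checkpoint = log[-1]["hash"]
    results = {"intact": verify_chain(log, checkpoint)[0]}

    edited = copy.deepcopy(log)
    edited[3]["command"] = "id svc-backup"  # rewrite the privilege escalation as something benign
    results["edited"] = verify_chain(edited, checkpoint)[0]

    deleted = copy.deepcopy(log)
    del deleted[2]  # remove the account creation from the middle of the log
    results["deleted"] = verify_chain(deleted, checkpoint)[0]

    truncated = log[:-1]  # drop the most recent record
    results["truncated_no_checkpoint"] = verify_chain(truncated)[0]
    results["truncated_with_checkpoint"] = verify_chain(truncated, checkpoint)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:26s} {'verifies' if ok else 'TAMPERING DETECTED'}")
```

The truncation case is the one to notice: a hash chain alone cannot tell a short log from a complete one, which is why the head hash (or the full record stream) has to live somewhere the endpoint's privileged users cannot reach. That is the role the protected audit server plays in the paragraph above.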
Given the new SEC rule mandating swift reporting, organizations must prioritize proactive audit capabilities in the digital realm. The spotlight is on how organizations respond to cyber incidents and communicate their findings. The credibility of a business's incident disclosure is intricately tied to its audit capabilities – something often underestimated but crucial to instilling trust among stakeholders, regulators, and the public.
Joel Odom, Sr Product Manager at BeyondTrust
Joel Odom is a Senior Product Manager at BeyondTrust, responsible for BeyondTrust’s Endpoint Privilege Management products for Linux. His job is to ensure that BeyondTrust customers have the best possible solution for putting the principle of least privilege into practice, along with a rock-solid capability to audit privileged actions. He routinely works with his fellow Product Managers, Engineering Teams, and the broader security community to ensure the success of the customers using his product. Prior to joining BeyondTrust, Joel led a security and privacy team at Salesforce, and he led a software assurance research team at the Georgia Tech Research Institute. Joel lives in Marietta, Georgia with his wife. They have three children. When he’s not working or spending time with family, Joel enjoys flying airplanes and writing fiction.