Post-breach investigation: a focus on data

November 9, 2023
Cyrus Tehrani
6 min read

As the cybersecurity landscape reaches new levels of complexity seemingly every day, data breaches have become far too familiar. Organizations are taking action and investing heavily in preventive measures, but breaches still happen.

While data protection measures are crucial before a breach, many of the same processes are equally important after the breach.

The post-breach investigation plays a key role in data protection, and taking a data-centric approach can make all the difference.

What is a post-breach investigation, and what are the leading causes of a breach?

Post-breach investigations are conducted to answer four key questions:

  • How did the cyberattack occur?
  • What data was compromised?
  • Was any data exfiltrated?
  • What was the extent of the damage caused by the attack?

Every organization should have an investigation strategy ready, especially when one is required by the organization’s executives, industry regulators, or the adjusters of its cyber insurance policy (if applicable).

Most cyberattacks begin with a phishing email, but not all breaches are created equal.

The most typical breach methods include:

Ransomware Attacks: The attacker gains access to a network, runs a piece of malware, and escalates access rights. Once inside, they lock or encrypt the files and leave a note with contact and payment information with a promise (which may not be kept) to unlock the files after payment.

Data Exfiltration: The attacker accesses the network, downloads data and either threatens to publicize it or uses it for other attacks.

Email Compromise: A form of phishing, the attacker sends a legitimate-looking email pretending to be a C-suite executive and asks the recipient to transfer a large amount of money to a new account number.

Risky Employee Behavior: Breaches don’t always stem from attackers. Far too often, employees are exposing company data to risk and loss — via wrong entitlements, risky sharing, inappropriate permissions or unauthorized access.

Taking a data-centric approach to post-breach investigation

Traditional security measures often focus on infrastructure or perimeter defense. But with the rise of cloud-based solutions and the dispersion of data across various platforms, a shift in focus is crucial.

Key to a data-centric approach is understanding data lineage — the process of tracking data as it moves through various stages, from its origin to its final destination.

In the context of a post-breach investigation, having a solid grasp of data lineage can:

  • Identify the exact location or system where the breach occurred
  • Track how and where the breached data traveled, providing insights into the attacker’s methods and objectives
  • Quickly identify and restore affected data, minimizing downtime and operational impact

Benefits of a data-centric post-breach investigation

Improved data protection: By focusing on data activity, organizations can prevent further data loss or exfiltration post-breach.

Compliance: Keep up with regulatory compliance by detecting potential violations, understanding risk posture, and enabling prompt remediation.

Speedy data recovery: In events like a ransomware attack, understanding data lineage can significantly reduce downtime and associated costs.

Three crucial post-breach steps

In the aftermath of a data breach, swift and decisive action is critical. While organizations must deploy numerous post-breach steps, there are three that can be undertaken quickly:

  • Identifying who had access to the compromised data
  • Shutting off that access
  • Viewing the data’s lineage

Here’s why these steps are so vital.

  1. Identifying Who Had Access

Determining who had access to the breached data helps in identifying potential internal threats or risky behavior. It’s essential in differentiating between authorized access and unauthorized or malicious access.

By understanding who had access, organizations can gauge the extent of the breach. Was it limited to a single department, or did it span across multiple teams and geographies?

  2. Shutting Off Access

The first line of defense post-breach is doing damage control to prevent further unauthorized access. By immediately shutting off access, organizations can plug the leaks and stop the continuation of data exfiltration or manipulation.

The aftermath of a breach is also a good time to reassess and tighten access controls so that only the personnel who need sensitive data can reach it, minimizing the remaining exposure.

  3. Tracking Data Lineage

Data lineage provides a roadmap of how data has traveled within the organization. In the context of a breach, this can offer insights into how the compromised data was used, changed, or shared.

With a clear view of data lineage, organizations can identify the most recent, uncompromised version of the data, enabling faster recovery and restoration processes.

Data lineage can be instrumental in forensic investigations post-breach. It can help in piecing together the sequence of events leading up to the breach, potentially identifying vulnerabilities or patterns that can help in deploying future security protocols.
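The lineage idea from the data-centric section and the three steps above (who had access, shut it off, trace where the data went and find the last clean version) can be carried out mechanically once ACLs, audit events and version history are available as records. The script below is an added example written for this article, not code from the original post or from Concentric AI; every group, ACL entry, audit event, resource and user name in it is constructed sample data, and the audit-event shape (timestamp, actor, action, source, destination) is an assumption about what a real platform's log would provide.

```python
"""Data-centric post-breach triage over constructed audit data (added example)."""
from collections import deque
from datetime import datetime

# --- constructed sample data (all names are assumptions, not real data) ---
GROUPS = {                       # group -> members
    "finance": {"alice", "bob"},
    "contractors": {"carol"},
}

# (resource, principal, permission); principal may be a user or a group
ACL = [
    ("doc:q3-forecast", "finance", "edit"),
    ("doc:q3-forecast", "contractors", "view"),
    ("doc:q3-forecast", "dave", "view"),
    ("doc:public-faq", "everyone", "view"),
]

# audit events: (timestamp, actor, action, source, destination)
EVENTS = [
    ("2023-10-01T09:00:00", "alice", "modify", "doc:q3-forecast", None),
    ("2023-10-02T14:12:00", "carol", "copy", "doc:q3-forecast", "doc:q3-forecast-copy"),
    ("2023-10-02T14:15:00", "carol", "share_external", "doc:q3-forecast-copy", "ext:partner.example"),
    ("2023-10-03T08:00:00", "dave", "download", "doc:q3-forecast", "endpoint:dave-laptop"),
    ("2023-10-03T08:30:00", "bob", "modify", "doc:q3-forecast", None),
]

# version history: (resource, version_id, saved_at)
VERSIONS = [
    ("doc:q3-forecast", "v1", "2023-09-28T10:00:00"),
    ("doc:q3-forecast", "v2", "2023-10-01T09:00:00"),
    ("doc:q3-forecast", "v3", "2023-10-03T08:30:00"),
]


def expand(principal):
    """Resolve a principal to concrete users; groups are expanded, unknown names kept as-is."""
    return set(GROUPS.get(principal, {principal}))


def who_had_access(acl, resource):
    """Step 1: every user holding any permission on the resource, with groups expanded."""
    users = set()
    for res, principal, _perm in acl:
        if res == resource:
            users |= expand(principal)
    return users


def revoke_access(acl, resource, keep=frozenset()):
    """Step 2: drop every ACL entry on the resource except principals listed in `keep`.
    Returns (new_acl, revoked_entries) so the revocation itself can be recorded."""
    revoked = [e for e in acl if e[0] == resource and e[1] not in keep]
    kept = [e for e in acl if e not in revoked]
    return kept, revoked


def build_lineage(events):
    """Adjacency list: source resource -> [(destination, actor, action, timestamp)].
    Events with no destination (in-place edits) do not create lineage edges."""
    graph = {}
    for ts, actor, action, src, dst in events:
        if dst is not None:
            graph.setdefault(src, []).append((dst, actor, action, ts))
    return graph


def trace_lineage(graph, resource):
    """Step 3: every hop the data took from `resource`, breadth-first over copy/share/download edges."""
    seen, hops = {resource}, []
    queue = deque([resource])
    while queue:
        cur = queue.popleft()
        for dst, actor, action, ts in graph.get(cur, []):
            hops.append((cur, dst, actor, action, ts))
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return hops


def last_clean_version(versions, resource, compromised_at):
    """Most recent saved version strictly before the first compromising event."""
    cutoff = datetime.fromisoformat(compromised_at)
    candidates = [(datetime.fromisoformat(ts), vid) for res, vid, ts in versions
                  if res == resource and datetime.fromisoformat(ts) < cutoff]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    target = "doc:q3-forecast"
    print("had access:", sorted(who_had_access(ACL, target)))
    new_acl, revoked = revoke_access(ACL, target, keep={"finance"})
    print("revoked:", revoked)
    for hop in trace_lineage(build_lineage(EVENTS), target):
        print("lineage hop:", hop)
    print("restore from:", last_clean_version(VERSIONS, target, "2023-10-02T14:12:00"))
```

Running it against the constructed data shows four users who could reach the forecast, two ACL entries revoked while the owning group is kept, a lineage of three hops ending at an external share, and `v2` as the last version saved before the first suspicious copy. In a real investigation the same questions are answered from the platform's own audit trail and version store; the point of the example is that "who had access", "shut it off" and "where did it go" are all queries over the same few record types.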

How Concentric AI can help with post-breach investigations

Concentric AI helps you discover and remediate risk without writing a single rule.

These three use cases emphasize the critical role Concentric AI can play in helping organizations post-breach.

Forensics and Understanding Data Risk

One of the key strengths of Concentric AI lies in the ability to perform digital forensics by understanding where the data is and its inherent risk. Concentric AI provides visibility into the who, where, and how of your sensitive data. It identifies all the sensitive data in the cloud, from intellectual property to financial data to PII/PCI/PHI, without requiring security teams to craft rules or complex policies.

By identifying all sensitive cloud data, whether it’s structured or unstructured, Concentric AI provides a comprehensive view of an organization’s data landscape. This level of visibility is crucial in understanding the cybersecurity risk to systems, assets, data, and capabilities.

Concentric AI’s advanced deep learning technology compares each data element against baseline security practices used by similar datasets. This process allows the system to quickly identify where the data may be at risk, such as sensitive data not being shared in accordance with corporate security guidelines, or access or activity violations as they happen.

Rapid Data Recovery in the Event of Ransomware

In the face of a ransomware attack, every second counts. Rapid recovery is crucial. By maintaining a clear understanding of data’s location and lineage, Concentric AI can help organizations quickly identify the affected data and initiate recovery processes. With such rapid response, businesses can significantly reduce downtime and the associated costs of a ransomware attack.

Plus, your SOC analysts get actionable insights to help with response efforts.

Preventing Data Exfiltration

Data exfiltration poses a significant threat to organizations, especially when it comes to events like employee offboarding. Concentric AI helps to mitigate this risk by monitoring data access and sharing. It establishes what data is being shared with whom – whether it’s internal users/groups or external third parties – and tracks data lineage as it moves across the environment.

In the event of abnormal data movement or access patterns, Concentric AI can issue alerts and take remedial action, such as fixing access control issues and permissions or disabling third-party data sharing for a sensitive file that should not be shared. This proactive approach helps to prevent data exfiltration before it occurs, safeguarding the organization’s sensitive information.

The final word

A data breach is undoubtedly challenging for any organization. However, by focusing on access control and understanding data lineage, organizations can navigate the post-breach process with clarity and purpose. The steps discussed here can help with damage control today and lay the foundation for more robust data security measures in the future.

Try Concentric AI with your own data

With Concentric, your organization can:

  • Discover, monitor and protect all data types, including Cloud, on-premises, structured, unstructured, and shared via messaging services
  • Gain a risk-based view of data and users
  • Leverage automated remediation to fix access and activity violations instantly
  • Get actionable insights for response efforts
  • Find risk without rules, formal policies, regex, or end-user involvement
  • Secure API-based SaaS solution with no agents required

Our solution provides agentless integration with numerous cloud products and services.

It’s also so easy to deploy — sign up in 10 minutes and see value in days.

