One of the more well-known triads of information security is the role security has in assuring the confidentiality, integrity, and availability of data [2]. A secondary triad follows from these responsibilities: to prevent, detect and respond to malicious information security events (which this paper will call "breaches"). But where should the focus be? Historically, information security has invested much of its effort in breach prevention [4]. I would offer that, in the future, this is not where security should invest. Let us look at the three primary drivers that should push the focus away from prevention.
Driver 1: It is not a matter of "if", but of "when" a breach will occur
This type of language is becoming more and more common in the security discussion [1], [3], [5], [7]. In other words, a breach is almost certain to occur in any organization. In fact, many discussions suggest that all organizations have already been breached, if one counts pervasive malware such as bots that have already infected systems in the organization. So, if this is the new landscape for information security, and prevention systems have lost and will continue to lose the battle, should the profession (as risk managers) keep pushing for preventative technology implementations?

I agree with the professionals who sounded off in [4] that there is too much focus on prevention. Therefore, I would offer that, in such a landscape, the focus should be on detection and response. If a breach is inevitable, given the advances in threats and the continual proliferation of information and services in the environment, then let us improve our detection and response capability.
Driver 2: The average breach takes seven months to detect
Articles and news releases about some of the more recent and prominent data breaches have revealed that, following investigation into the breach, organizations found that attackers had been inside their networks and systems for extended periods. Mandiant reports that the current average time to detect a breach is 7 months [6]. While time-to-detection seems to be decreasing (the average in 2012 was 13 months), that length of time to discovery and response exacerbates the entire impact of the breach. The longer a breach goes unnoticed, the more the number and types of records exposed climb in significance. In addition, Mandiant reports that the proportion of organizations discovering their own breaches has fallen over the past few years, meaning that organizations are instead finding out from third parties.
Driver 3: Greater financial and reputational harm comes from larger breaches
Assuming that full breach prevention is not possible, organizations need to invest in their ability to minimize the scope of a breach, whether measured in number of records or type of data. It is commonly known that the larger the breach, the more significant the financial and reputational impact [4]. Even under some of the most stringent regulatory conditions, a breach that is well contained does not require the organization to make public notification. Investment in rapid identification and containment of a breach could therefore provide financial benefits to the organization that prevention cannot (again, assuming that breaches have occurred and will occur, and that detection will remain slow under the current state of investment).
Wrapping it up
This document should not be interpreted as saying that any and all investment in preventive capabilities should be abandoned. That would be not only irresponsible and impractical, but probably impossible under most regulatory environments. Instead, this paper challenges the continual push for prevention through newer technologies that, undoubtedly, will not achieve full prevention, and asks the profession to accept the fact that breaches will occur. With that landscape in mind, the industry should focus on detection and response capabilities that improve its ability to identify and remediate a breach so that organizational harm is mitigated. Historically, the industry has demanded better delivery of preventive capabilities from security vendors. It is time for the industry to shift and demand improved delivery of detective capabilities, so that we can be ready for what appears to be the inevitable breach.
References
[2] CIA Triad. (2015). WhatIs. Retrieved from http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
[4] Drinkwater, D. (2014). Data breach discovery takes 'weeks or months'. SC Magazine. Retrieved from http://www.scmagazineuk.com/data-breach-discovery-takes-weeks-or-months/article/343638/
[6] Mandiant. (2014). Mandiant 2014 Threat Report. Retrieved from https://www.mandiant.com/resources/mandiant-reports/
[7] Vries, A. (2015). A data breach... It's not a matter of if, but when. Association of Food Industries. Retrieved from http://www.afius.org/page-767462