Monday, July 6, 2015

Time to Shift Focus to Detection and Response

One of the more well-known triads of information security is the role security has in assuring confidentiality, integrity, and availability of data [2].  A secondary triad is generated from these responsibilities: to prevent, detect and respond to malicious information security events (which we will call, for this paper, “breaches”).

But, where should the focus be?  Historically, information security has invested much of its efforts into the area of breach prevention [4].  I would offer that, in the future, this is not where security should invest.  Let’s look at the three primary drivers behind a shift away from prevention.

Driver 1: It is not a matter of “if”, but of “when” a breach will occur

This type of language is becoming more and more common in the security discussion [1], [3], [5], [7]. In other words, a breach is almost certainly going to occur in an organization.  In fact, many discussions suggest that all organizations have already been breached, if you count pervasive malware such as bots that have already infected systems in the organization.  So, if this is the new landscape for information security – and prevention systems have lost and will continue to lose the battle – should the profession (as risk managers) keep pushing for preventative technology implementations?  I agree with the professionals who sounded off in [4] that there is too much focus on prevention.  Therefore, I would offer that the focus should be, in such a landscape, on detection and response.  If a breach is inevitable, given the advances in the threats and the continual proliferation of information and services in the environment, then let’s improve our detection and response capability.

Driver 2: The average breach takes seven months to detect

Articles and news releases from some of the more recent and prominent data breaches have exposed that, following investigation into the breach, organizations are finding that attackers had been in the network and systems for extended periods.  Mandiant reports that the current average time to detect a breach is 7 months [6]. While the time-to-detection seems to be decreasing (the average time in 2012 was 13 months), that length of time to discovery and response exacerbates the entire impact of the breach.  The longer a breach goes unnoticed, the more the number and sensitivity of the affected records grow.  In addition, Mandiant reports that the proportion of organizations discovering their own breaches has declined over the past few years, meaning that organizations are finding out from third parties.

Driver 3: Greater financial and reputational harm comes from larger breaches

Assuming that full breach prevention is not possible, organizations need to invest in their ability to minimize the scope of the breach, whether in number of records or type of data.  It is commonly known that the larger the breach, the more significant the financial and reputational impact [4].  Even under some of the most stringent regulatory conditions, a breach that is well-contained does not require the organization to make public notification.  The investment in rapid identification and containment of a breach could provide the financial benefits to the organization that prevention cannot (again, assuming breaches have and will occur and detection will be slow under the current state of investment).

Wrapping it up

This document should not be interpreted to say that any and all investment in preventive capabilities should be abandoned.  That is not only irresponsible and impractical, but probably impossible under most regulatory environments.  Instead, this paper challenges the continual push for prevention with newer technologies that, undoubtedly, will not be able to achieve full prevention, and accepts the fact that breaches will occur.  With that landscape in mind, the industry should focus on detection and response capabilities that improve the ability to identify and remediate a breach so that organizational harm is mitigated.  The industry has historically demanded better delivery of preventive capabilities from security vendors.  It is time that the industry shift and demand improved delivery of detective capabilities so that we can be ready for what appears to be the inevitable breach.

References

[1] Be prepared for a data breach – it’s not a matter of ‘if’ but ‘when’. (2014). Information Security Buzz. Retrieved from http://www.informationsecuritybuzz.com/prepared-data-breach-matter/

[2] CIA Triad. (2015). WhatIs. Retrieved from http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

[3] Cyber security breach: It’s not a matter of if, but when. (2014). Professional Risk. Retrieved from http://profrisk.com/2014/05/14/cyber-security-breach-its-not-a-matter-of-if-but-when/

[4] Drinkwater, D. (2014). Data breach discovery takes ‘weeks or months’. SC Magazine. Retrieved from http://www.scmagazineuk.com/data-breach-discovery-takes-weeks-or-months/article/343638/

[5] Lord, N. (2014). Data breach experts share the most important next step you should take after a data breach in 2014 – 2015 & beyond. Digital Guardian. Retrieved from https://digitalguardian.com/blog/data-breach-experts-share-most-important-next-step-you-should-take-after-data-breach-2014-2015

[6] Mandiant 2014 Threat Report. (2014). Mandiant. Retrieved from https://www.mandiant.com/resources/mandiant-reports/

[7] Vries, A. (2015). A data breach…It’s not a matter of if, but when. Association of Food Industries. Retrieved from http://www.afius.org/page-767462

1 comment:

1. Very insightful and thought-provoking blog that captures some of today's realities in the world of information security.