Defenders Take the Higher Ground

Paul Kurtz
Published in TruSTAR Blog
May 4, 2016

Attackers are getting faster, and we seem to be perpetually stuck just trying to keep up. The highly regarded 2016 Verizon Data Breach Investigations Report (DBIR) was released last week, and it confirmed with data what many of us already feel — we are not winning.

The report found that in nearly all breaches (92.9%), it took attackers minutes or less to compromise the system. And, most of the time, they were able to exfiltrate data within days (67%), if not minutes (21%). Yet, in stark contrast, less than 25 percent of breaches were discovered in days or less. Worse yet, the gap between these two numbers is growing. In fact, the victims don’t even discover most of the breaches, but more often learn that an attack has occurred only after being notified by external parties, such as law enforcement.

This news may be especially disconcerting to companies that have steadily increased their spending on cybersecurity technologies and tools. Our co-founder, Dave Cullinane, refers to this as the cybersecurity vortex, a vicious cycle of spending fueled by increasing threats, yet with little evidence of return.

The Verizon DBIR is one of the most-often cited reports in our industry and perhaps the most comprehensive look at cybersecurity incident details available. This year it examines over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries. It is required reading. And yes, it is marketing fodder for vendors. But its real value is that it sheds light into what our attackers were doing. It provides insight into who was attacking, who was being attacked, what they were taking, and maybe most importantly, how they did it. Security leaders can use the report to identify the most likely paths for an attack, recalibrate security programs and mitigations, and support requests for budget to address shortcomings.

“Be Prepared: Forewarned is Forearmed…. Playing a part on the blue team in information security can, to a very small degree, be compared to the lot of a hapless soldier. The soldier is told to guard a certain hill and to keep it at all costs. However, he is not told who his enemy may be, what they look like, where they are coming from, or when (or how) they are likely to strike.”

— Verizon 2016 Data Breach Investigations Report (Page 6)

Of course, the DBIR is built around attacks that have already happened and can only tell us what our adversaries were doing — and that may not be what they are doing now. To be clear, this does not in any way diminish its value. But imagine if you had a more current view of attacks underway. This year’s DBIR found that attackers stick to what works and take a spray and pray approach in going after their targets. The evidence indicates that attack information exists, but only in silos of various organizations. What if we could exchange incident information on this scale about attacks as they are in progress? What could you do with that information?

I’ve often talked about a need for security teams to gain the higher ground. We need to be able to see what our adversaries are doing if we want to reclaim the advantage. This data exists; it just simply isn’t accessible quickly enough to be useful as part of our incident response effort. But this is changing.

There is no one technology or practice that will solve the cybersecurity challenge. The Verizon DBIR illustrates the breadth of the attacks faced across all industries and the difficulties and complexities faced by security operations teams. But, we can begin to close the gap with our adversaries if we start to exchange incident information in real-time and respond to attacks collaboratively. The technology is advancing, the legal climate is changing, and the opportunity to gain higher ground is here.
