Thursday, July 30, 2015

Managing the Inevitable Cyber Losses

There have been many breaches recently in each of which tens of millions of Americans have had their personal information compromised.  New ones are all too frequent.  And in several of the most notorious recent cases, months and even years have elapsed before the breach was discovered and dealt with.  The attackers are evolving new threats faster than defenders are reacting – and to some extent faster than they can react in today’s world.

We can draw three conclusions from this trend. 

First, since it appears highly likely that this tide of personal-information disclosures will continue, organizations must become much better at incident response.  It seems that the information security profession has placed higher priority and put more resources into prevention and detection – especially in technology – than in incident response.  One can speculate why this would be so, but the fact remains that the magnitude of loss increases with the time taken to effectively respond.  Therefore, since breaches will remain inevitable for the foreseeable future, the key to managing the magnitude of the losses is to respond rapidly and effectively.  If you can’t prevent holes in the boat, at least plug them fast.

Second, we have to become much better at detection.  This means not only detecting a breach or intrusion that has already occurred, but also detecting its precursor events.  Thanks to Lockheed-Martin’s application of kill-chain analysis to cyber breaches, we now understand more clearly that exfiltration of data is a multi-phase affair that requires success in several steps in sequence, and therefore may take weeks or months to pull off.  This gives the defender two advantages: multiple opportunities to defend against and defeat an attack, and the time in which to do so.  But that depends on an ability to detect anomalous events when they occur, as well as on an effective capacity to respond quickly.  So organizations must become better at detecting anomalous events.  But crucially “detection” does not stop with some piece of technology logging an event or even firing off an alert.  A person has to make a determination that “We got a problem here, Houston,” and get resources dispatched to deal with it.

This brings us to the final point.  Detection and logging systems are famously inundated with thousands or millions of false positives and irrelevant alerts for low-level threats.  This situation plays directly into the well-known human failings of inattention and fatigue.  It is a mystery why, in a profession and an industry so imbued with technology, better technology is not available to dramatically increase the signal-to-noise ratio, and do it cheaply (which means it cannot depend on having expensive security engineers continuously tweaking rules).
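The two preceding points (a multi-phase kill chain gives the defender several chances to notice an intrusion, and alert volume drowns the person who has to make the call) can be joined in one piece of detection logic: correlate low-fidelity alerts per host across kill-chain phases, and escalate only when several phases of one intrusion line up within a time window. The following is an added illustration, not code from the original post or from Lockheed-Martin; the log format, the host names, the phase labels and the seven-day window are all assumptions constructed for the example.

```python
"""Kill-chain correlation over constructed sample alerts.

Added example (not from the original post). Groups low-fidelity alerts by host
and escalates a host only when its alerts cover several kill-chain phases, in
order, within a time window. Every log line, host and phase name below is
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered kill-chain phases (labels are an assumption for this example).
PHASES = ["recon", "delivery", "exploitation", "installation", "c2", "exfiltration"]
RANK = {p: i for i, p in enumerate(PHASES)}

# Constructed alert log, one alert per line:
# "<ISO timestamp> host=<name> phase=<kill-chain phase> msg=<free text>"
SAMPLE_LOG = """\
2015-07-20T09:00:00 host=ws-17 phase=delivery msg=attachment blocked by mail gateway
2015-07-20T09:03:12 host=ws-17 phase=exploitation msg=office child process spawned
2015-07-21T14:11:05 host=ws-17 phase=c2 msg=periodic beacon to rare external domain
2015-07-22T02:40:44 host=ws-17 phase=exfiltration msg=large outbound transfer
2015-07-20T10:00:00 host=ws-03 phase=recon msg=port scan from internal subnet
2015-07-20T10:00:01 host=ws-42 phase=recon msg=port scan from internal subnet
2015-07-20T12:00:00 host=ws-42 phase=recon msg=port scan from internal subnet
"""


def parse_line(line):
    """Parse one alert line into a dict; return None for malformed lines."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = {}
    for token in parts[1:3]:
        key, _, value = token.partition("=")
        fields[key] = value
    if "host" not in fields or fields.get("phase") not in RANK:
        return None
    msg = parts[3].partition("=")[2] if len(parts) == 4 else ""
    return {"ts": ts, "host": fields["host"], "phase": fields["phase"], "msg": msg}


def correlate(log_text, window=timedelta(days=7), min_phases=2):
    """Return incidents for hosts whose alerts advance through at least
    `min_phases` distinct kill-chain phases within `window`.

    Repeated alerts in the same phase (e.g. the same port scan twice) and
    isolated single-phase alerts stay below the threshold, which is where the
    signal-to-noise gain comes from.
    """
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_host[ev["host"]].append(ev)

    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        chains, chain = [], []
        for ev in events:
            # Close the current chain when the window since its first event expires.
            if chain and ev["ts"] - chain[0]["ts"] > window:
                chains.append(chain)
                chain = []
            # Only accept an alert that moves the chain to a later phase.
            if not chain or RANK[ev["phase"]] > RANK[chain[-1]["phase"]]:
                chain.append(ev)
        if chain:
            chains.append(chain)
        for chain in chains:
            phases = [e["phase"] for e in chain]
            if len(phases) >= min_phases:
                incidents.append({"host": host, "phases": phases,
                                  "first_seen": chain[0]["ts"],
                                  "last_seen": chain[-1]["ts"]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG):
        print(f"{inc['host']}: {' -> '.join(inc['phases'])} "
              f"({inc['first_seen']} .. {inc['last_seen']})")
```

On the constructed log, seven alerts collapse to one escalation: the host that moved from delivery through exploitation and command-and-control to exfiltration. The two single-phase scan alerts never reach a person. Shrinking the window trims what counts as one intrusion; with a one-hour window the same host still escalates on the delivery and exploitation pair, but the later beacon and transfer are evaluated on their own.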

Here are some action take-aways:
1. CISOs:  Review and test your incident response plans.  Does your IR plan address the highest-priority threat scenarios?  Try exercising it on “garden-variety” incidents, like lost laptops, to see if it works and how it can be improved.  Hold at least a table-top test once a year.

2. CIOs and CISOs:  Review the balance between investments in security technology (SIEMs and IDPSs for example) and the funding for their effective use once they are installed.  Do not fall victim to the set-and-forget fallacy in which, once a system is installed, one thinks “well, that problem is solved now.”  Do you have capable staff assigned to manage the technology, and do they have the training, the time, and the management expectation to do the job?

3. Security technology suppliers:  Create products and services for your customers to initially configure their detection devices with good starter sets of filtering rules and keep them updated frequently.  IDPS operators should be able to get updates at least daily to threat signatures discovered by, at least, all owners of similar equipment, but ideally the entire security community.

4. Legislators, staff aides, and policy analysts:  Give us laws that protect organizations, especially corporations, from liability if they contribute threat signatures to a common repository.  The low-bandwidth, high-latency sharing of information security knowledge that occurs in conferences and white papers is fine, but it needs to be complemented with daily operational updates.  If a small but critical mass of organizations contributed in near-real-time to a common repository of threat signatures that was available to all, the time from threat discovery to effective defense could be dramatically reduced.  This is one way to turn the asymmetry of the threat against the attackers.