There have been many breaches recently, in each of which tens of millions of Americans have had their personal information compromised. New ones are all too frequent. And in several of the most notorious recent cases, months and even years elapsed before the breach was discovered and dealt with. The attackers are evolving new threats faster than defenders are reacting – and to some extent faster than they can react in today’s world.
We can draw three conclusions from this trend.
First, since it appears highly likely that this tide of personal-information disclosures will continue, organizations must become much better at incident response. It seems that the information security profession has placed higher priority on, and put more resources into, prevention and detection – especially in technology – than into incident response. One can speculate why this would be so, but the fact remains that the magnitude of loss increases with the time taken to respond effectively. Therefore, since breaches will remain inevitable for the foreseeable future, the key to managing the magnitude of the losses is to respond rapidly and effectively. If you can’t prevent holes in the boat, at least plug them fast.
Second, we have to become much better at detection. This means not only detecting a breach or intrusion that has already occurred, but also detecting its precursor events. Thanks to Lockheed-Martin’s application of kill-chain analysis to cyber breaches, we now understand more clearly that exfiltration of data is a multi-phase affair that requires success in several steps in sequence, and therefore may take weeks or months to pull off. This gives the defender two advantages: multiple ways to defend against and defeat an attack, and the time in which to do so. But that depends on an ability to detect anomalous events when they occur, as well as on an effective capacity to respond quickly.
So organizations must become better at detecting anomalous events. But crucially, “detection” does not stop with some piece of technology logging an event or even firing off an alert. A person has to make a determination that “We got a problem here, Houston,” and get resources dispatched to deal with it.
This brings us to the final point. Detection and logging systems are famously inundated with thousands or millions of false positives and irrelevant alerts for low-level threats. That situation plays directly into the well-known human failings of inattention and fatigue. It is a mystery why, in a profession and an industry so imbued with technology, better technology is not available to dramatically increase the signal-to-noise ratio, and to do it cheaply (which means it cannot depend on having expensive security engineers continuously tweaking rules).
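As an added illustration of the two points above (a multi-phase attack gives the defender several chances to notice it, and raw alert volume drowns the analyst), here is a small Python correlator that is not from the original post. It maps constructed sample alerts to kill-chain phases and escalates a host only when several phases appear in chain order within a time window, which is one cheap, rule-light way to raise the signal-to-noise ratio. Signature names, host names, timestamps and the signature-to-phase table are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phases in order (Lockheed Martin's model, as the post references).
PHASES = ["reconnaissance", "delivery", "exploitation", "installation",
          "command_and_control", "actions_on_objectives"]
# Signature -> phase table. Constructed for this example; in practice it is
# maintained alongside the detection rule set.
SIGNATURE_PHASE = {
    "port_scan": "reconnaissance",
    "phishing_attachment": "delivery",
    "macro_spawned_shell": "exploitation",
    "new_persistence_key": "installation",
    "beacon_to_rare_domain": "command_and_control",
    "large_outbound_transfer": "actions_on_objectives",
}
# Constructed sample alerts (timestamp, host, signature). The port scans on
# many hosts are the kind of low-level noise the post describes.
SAMPLE_ALERTS = [
    ("2024-03-01T08:00:00", "ws-17", "port_scan"),
    ("2024-03-01T08:01:00", "ws-22", "port_scan"),
    ("2024-03-01T09:10:00", "ws-22", "phishing_attachment"),
    ("2024-03-01T09:12:00", "ws-22", "macro_spawned_shell"),
    ("2024-03-02T11:30:00", "ws-22", "beacon_to_rare_domain"),
    ("2024-03-03T02:05:00", "ws-22", "large_outbound_transfer"),
    ("2024-03-01T12:00:00", "ws-17", "phishing_attachment"),
    ("2024-03-20T07:00:00", "ws-17", "macro_spawned_shell"),  # outside window
]

def correlate(alerts, window=timedelta(days=7), min_phases=3):
    """Per host, keep alerts within `window` of the first alert and escalate
    when >= `min_phases` phases appear in chain order. Returns {host: phases}."""
    per_host = defaultdict(list)
    for ts, host, sig in sorted(alerts):
        phase = SIGNATURE_PHASE.get(sig)
        if phase:  # unknown signatures are ignored rather than guessed
            per_host[host].append((datetime.fromisoformat(ts), phase))
    escalations = {}
    for host, events in per_host.items():
        start, seen, last_idx = events[0][0], [], -1
        for ts, phase in events:
            if ts - start > window:
                break
            idx = PHASES.index(phase)
            if idx > last_idx:  # forward progress along the chain
                seen.append(phase)
                last_idx = idx
        if len(seen) >= min_phases:
            escalations[host] = seen
    return escalations
```

With the sample data only ws-22 is escalated; ws-17's isolated scan and phishing alert never reach the threshold, and its late third alert falls outside the window.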
Here are some action take-aways:
1. CISOs: Review and test your incident response plans. Does your IR plan address the highest-priority threat scenarios? Try exercising it on “garden-variety” incidents, like lost laptops, to see if it works and how it can be improved. Hold at least a table-top test once a year.
2. CIOs and CISOs: Review the balance between investments in security technology (SIEMs and IDPSs, for example) and the funding for their effective use once they are installed. Do not fall victim to the set-and-forget fallacy in which, once a system is installed, one thinks “well, that problem is solved now.” Do you have capable staff assigned to manage the technology, and do they have the training, the time, and the management expectation to do the job?
3. Security technology suppliers: Create products and services that let your customers initially configure their detection devices with good starter sets of filtering rules and keep them updated frequently. IDPS operators should be able to get, at least daily, updates to threat signatures discovered by all owners of similar equipment at a minimum, and ideally by the entire security community.
4. Legislators, staff aides, and policy analysts: Give us laws that protect organizations, especially corporations, from liability if they contribute threat signatures to a common repository. The low-bandwidth, high-latency sharing of information security knowledge that occurs in conferences and white papers is fine, but it needs to be complemented with daily operational updates. If a small but critical mass of organizations contributed in near-real-time to a common repository of threat signatures that was available to all, the time from threat discovery to effective defense could be dramatically reduced. This is one way to turn the asymmetry of the threat against the attackers.