Data security: is breach mitigation all that's left?

If you accept the premise that it's inevitable your enterprise network will be attacked, and most likely breached, then is mitigation really where the IT security focus should be? Davey Winder investigates...

COMMENT: I was recently talking to someone who brute forced a BT Business Hub, the sort used by hundreds of thousands of businesses across the UK, using hardware costing less than 35 and it supposedly took him less than 48 hours to crack the 10 character default WPA key.

Invest just a little more money and that timescale starts to look like an absolute age. The truth is that it's a lot easier than you may imagine to breach the network perimeter these days, and if an attacker is determined enough then the chances are they will succeed.

Even large corporates can fall foul of the weakest link scenario, with the hacker following a likely looking 'suit' home and cracking the most likely default Wi-Fi router encryption. From here it's a relatively simple journey to the machine they have attached to the corporate VPN.

"All organisations are susceptible to being breached and anything contrary to that fact is false," claims Marcus Carey, a security researcher at Rapid7. "It is impossible to eliminate all risk when it comes to network security." IT security is all about minimising the risk level through the use of defence in-depth strategies and incident response plans: detect and destroy is the motto of the day.

So is it right to suggest, as I have done in the introduction to this piece, that a network breach is all but inevitable? Perhaps unsurprisingly opinion is divided on this one. Wade Baker, director of risk intelligence at Verizon, reckons that taking such a view is "unhelpful at best" and points out that "97 per cent of the attacks analysed in the 2012 Verizon Data Breach Investigation Report were avoidable, without the need for organisations to resort to difficult or expensive countermeasures."

He does, however, admit that the security industry has long been guilty of placing the emphasis on prevention and not enough into detection and response. "Risk mitigation implies companies assume an almost passive role, checking no alarms have been tripped and watching who is trying to climb over the walls," Baker insists, concluding "I would suggest that we need agile security teams that can take a proactive role and not only monitor external attacks, but also gain visibility of what is going on inside the network to check no one has sneaked past defences."

Darien Kindlund, senior staff scientist at security specialist FireEye, is succinct in his disagreement. "In fact, it's better to assume your organisation has already been compromised and develop defences based around that assumption," he told IT Pro. "You will be less surprised and better prepared, accordingly."

Or, as Arun Sood from SCIT Labs puts it: "The current cyber security approaches rely on prior knowledge of the vulnerabilities and the threats. However, the current approaches are inadequate. Ensuring reliable and accurate knowledge of the vulnerabilities and the attacker is impossible - there are far too many threads to track at any one time. Attempts at increasing the probability of detection lead to a rapid increase in false positives and thus security operations costs. Thus we believe that intrusions are inevitable. Mitigation strategies are required for limiting the losses."

Dead duck security?

But if the mitigation argument holds up, where does that leave attack prevention? Is it really pointless to try and prevent a breach, and should resources therefore be focused on containment instead? Filippo Cassini, vice president of International Systems Engineering at Fortinet, certainly doesn't hold with the 'pointless' argument, suggesting that leaving prevention out of the equation "would be like taking away seat belts from a car because we have airbags."

Or, as Kevin Dowd, CEO at CNS, says: "Surviving an advanced and sustained attack would be difficult for many businesses, but that doesn't mean they should give up." Indeed, he believes they should have countermeasures in place that make an attack too challenging in terms of the resources needed. "This is where most businesses could do better," Dowd insists. "Often, SMEs think that they are too small or not visible enough to be a target."

Consequently, detective capabilities are often weak (the Verizon 2012 Data Breach Investigations Report found that 92 per cent of incidents were discovered by a third party) and businesses end up developing their security strategy under duress.

Mitigating post-hack is more difficult and expensive. "We estimate that every pound spent up front on security measures is worth ten pounds after a breach, when businesses can be faced with high emergency response rates and consultants on site for longer than would previously have been necessary," Dowd adds.

Much of this can be mitigated into oblivion by getting rid of the sensitive data in the first place - by outsourcing payments so as to avoid holding card data, for example - and by improving the governance structure.

In conclusion

It's all very well talking about mitigation in terms of containment and analysis, but this whole argument surely stands or falls on whether the breach itself is detected in a timely fashion. I would argue that, in far too many instances, detection doesn't happen until weeks after the breach event itself and sometimes those weeks can run into months.

Verizon's Baker told me that, amongst the more advanced attacks he has investigated, such as those targeting intellectual property, which are difficult to spot, "many take a year or more to pinpoint, and we suspect that many more are simply never discovered by the victim."

I'm not suggesting that breach mitigation is a red herring, and it's certainly no dead duck either, but for mitigation strategy to work successfully it has to be coupled with effective real-time breach detection technology to prevent data loss.

"To be successful in attack mitigation you need to firstly understand what's happening and then target your resources appropriately to contain and eradicate the threat," says Don Smith, director of technology at Dell SecureWorks, who warns that learning from your mistakes is a vital link in the chain and one that reactive mitigation alone is unlikely to forge.

"If your focus is always on reacting to successful breaches you are going to be the easiest target and will be breached a lot," Smith says. "You need to focus on prevention, monitoring and how you successfully respond to a breach, not spend all your time looking at the past."
