Data security: is breach mitigation all that's left?
If you accept the premise that it's inevitable your enterprise network will be attacked, and most likely breached, then is mitigation really where the IT security focus should be? Davey Winder investigates...
COMMENT: I was recently talking to someone who brute forced a BT Business Hub, the sort used by hundreds of thousands of businesses across the UK, using hardware costing less than 35 and it supposedly took him less than 48 hours to crack the 10 character default WPA key.
Invest just a little more money and that timescale starts to look like an absolute age. The truth is that it's a lot easier than you may imagine to breach the network perimeter these days, and if an attacker is determined enough then the chances are they will succeed.
Iit's better to assume your organisation has already been compromised and develop defences based around that assumption.
Even large corporates can fall foul of the weakest link scenario, with the hacker following a likely looking 'suit' home and cracking the most likely default Wi-Fi router encryption. From here it's a relatively simple journey to the machine they have attached to the corporate VPN.
"All organisations are susceptible to being breached and anything contrary to that fact is false," claims Marcus Carey, a security researcher at Rapid7. "It is impossible to eliminate all risk when it comes to network security." IT security is all about minimising the risk level through the use of defence in-depth strategies and incident response plans: detect and destroy is the motto of the day.
So is it right to suggest, as I have done in the introduction to this piece, that a network breach is all but inevitable? Perhaps unsurprisingly opinion is divided on this one. Wade Baker, director of risk intelligence at Verizon, reckons that taking such a view is "unhelpful at best" and points out that "97 per cent of the attacks analysed in the 2012 Verizon Data Breach Investigation Report were avoidable, without the need for organisations to resort to difficult or expensive countermeasures."
He does, however, admit that the security industry has long been guilty of placing the emphasis on prevention and not enough into detection and response. "Risk mitigation implies companies assume an almost passive role, checking no alarms have been tripped and watching who is trying to climb over the walls," Baker insists, concluding "I would suggest that we need agile security teams that can take a proactive role and not only monitor external attacks, but also gain visibility of what is going on inside the network to check no one has sneaked past defences."
Darien Kindlund, senior staff scientist at security specialist FireEye, is succinct in his disagreement. "In fact, it's better to assume your organisation has already been compromised and develop defences based around that assumption," he told IT Pro. "You will be less surprised and better prepared, accordingly".
Or, as Arun Sood from SCIT Labs puts it: "The current cyber security approaches rely on prior knowledge of the vulnerabilities and the threats. However, the current approaches are in-adequate. Ensuring reliable and accurate knowledge of the vulnerabilities and the attacker, is impossible - there are far too many threads to track at any one time. Attempts at increasing probability of detection leads to rapid increase in false positives and thus security operations costs. Thus we believe that intrusions are inevitable. Mitigation strategies are required for limiting the losses".
Dead duck security?
But if the mitigation argument holds up, where does that leave attack prevention? Is it really pointless to try and prevent a breach, and should resources therefore be focused on containment instead? Filippo Cassini, vice president of International Systems Engineering at Fortinet, certainly doesn't hold with the 'pointless' argument, suggesting that leaving prevention out of the equation "would be like taking away seat belts from a car because we have airbags." Or as
Kevin Dowd, CEO at CNS says "surviving an advanced and sustained attack would be difficult for many businesses, but that doesn't mean they should give up." Indeed, he believes they should have counter measures in place that make an attack too challenging in terms of the resources needed. "This is where most businesses could do better," Dowd insists. "Often, SMEs think that they are too small or not visible enough to be a target."
Consequently, detective capabilities are often weak, the Verizon 2012 Data Breach Investigations Report found that 92 per cent of incidents were discovered by a third party, and businesses end up developing their security strategy under duress.
Mitigating post-hack is more difficult and expensive. "We estimate that every pound spent up front on security measures is worth ten pounds after a breach, when businesses can be faced with high emergency response rates and consultants on site for longer than would have previously have been necessary," Dowd adds.
Much of this can be mitigated into oblivion by getting rid of the sensitive data in the first place - by out sourcing payments so as to avoid holding card data, for example - and improving the governance structure.
It's all very well talking about mitigation in terms of containment and analysis, but this whole argument surely stands or falls on whether the breach itself is detected in a timely fashion. I would argue that, in far too many instances, detection doesn't happen until weeks after the breach event itself and sometimes those weeks can run into months.
Verizon's Baker told me that amongst the more advanced attacks he has investigated, such as those which target intellectual property, which are difficult to spot "many take a year or more to pinpoint, and we suspect that many more are simply never discovered by the victim."
I'm not suggesting that breach mitigation is a red herring, and it's certainly no dead duck either, but for mitigation strategy to work successfully it has to be coupled with effective real-time breach detection technology to prevent data loss.
"To be successful in attack mitigation you need to firstly, understand what's happening and then target your resources appropriately to contain and eradicate the threat," says Don Smith, director of technology at Dell SecureWorks, who warns that learning from your mistakes is a vital link in the chain and one that reactive mitigation alone is unlikely to forge.
"If your focus is always on reacting to successful breaches you are going to be the easiest target and will be breached a lot," Smith says. "You need to focus on prevention, monitoring and how you successfully respond to a breach, not spend all your time looking at the past."
The state of Salesforce: Future of business
Three articles that look forward into the changing state of Salesforce and the future of businessFree Download
The mighty struggle to migrate SAP to the cloud may be over
A simplified and unified approach to delivering Enterprise Transformation in the cloudFree Download
The business value of the transformative mainframe
Modernising on the mainframeFree Download
The Total Economic Impact™ Of IBM FlashSystem
Cost savings and business benefits enabled by FlashSystemFree Download