The Data Breach Counterattack: 3 Ways to Change the Game and Have a Shot at Winning
We have all heard the mantra repeated by every security professional that there are two types of companies out there—those that have been breached and those that do not know they have been breached. Taking a quick glance at the headlines each week seems to support this notion and adds fuel to the fire that cybersecurity is a losing proposition and that despite what our teams do to protect customer and corporate information, we are just waging a losing battle.
Constantly repeating this mantra seems a bit ‘defeatist’ to me.
If there is no chance for success, then why keep doing what we are doing? Should we continue to implement programs that follow a construct with chinks in its armor? Why continue to just sit there and watch an attacker take your company’s information? Why continue to accept less-than-sufficient controls from the cybersecurity industry?
In order to successfully protect our customers’ data and trust, each of these questions must be considered. Having a winning team and enabling your company to reach business success can only be achieved by tackling this topic head-on. If we cannot win per se given the current rules, then we might need to change the game a bit to have a better chance at winning.
So, here are three things that we should all consider:
1. Focus on Preventing Exfiltration
If it is impossible to prevent infiltration of our environments, then we should focus more time, money, tactics, and people on what really matters—preventing the exfiltration of sensitive data. Dollar for dollar we are placing our money and resources on watching the perimeter and trying to keep bad actors out of an expanding network of private and cloud locations. Meanwhile, our patch cycles are still too long, our technology imperfect at blocking, our attack surface is getting larger, and our colleagues ever more inquisitive about that email or link they have to click on (and really should not). If we continue down this path we will keep missing the root cause of the harm—the actual exfiltration of data from our possession and control.
In many cases, the reporting clauses of state or federal data breach statutes are not triggered unless information is exfiltrated or otherwise acquired (which, under some statutes, includes an intruder viewing the data on company servers). This point is key because many of the harms associated with a data breach are reputational, flowing from the requirement to give notice of improper exfiltration of or access to data. Breaking this chain by stopping exfiltration is essential.
Am I saying we stop using firewalls, IDS, IPS and other controls? No. Implemented correctly, these controls can keep low-level and mid-level threats from causing harm to the company. For an advanced and persistent adversary, however, automation and advanced analytics come into play.
2. Automation & Advanced Analytics
We need to implement technology beyond data loss prevention (DLP) software that actively seeks to identify, through machine learning or automation of key indicators, when and where our company’s data is flowing, and use algorithms to determine if these actions should or should not occur.
After a breach, humans are able to identify data flowing to locations where it should not be traveling, or over channels or ports it should not be using. However, the ability to do this in real time and 24x7 has not been achieved by security teams and organizations. The only way to tackle this problem with the data we already have is to learn the business, understand the data, and determine whether something should or should not be happening in a way that does not generate thousands or millions of alerts that simply get turned off. We can do better here by developing and designing our own controls that learn the systems we operate and the businesses we are in, or by leveraging new(er) technologies that seek to accomplish the same end goals.
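One concrete form of the "learn the data flows, then flag what should not be happening" idea above, as an added Python example that is not code from this post: it builds a per-host baseline from flow records (source host, destination, port, bytes sent), scores new flows on never-before-seen destinations and on volume far above the host's norm, and collapses repeated hits into a single alert so an analyst sees one line per suspected exfiltration session instead of one per connection. The hosts, addresses and byte counts are constructed sample data, and the sigma floor and log-scaling of volumes are design assumptions of this example, not something the post prescribes.

```python
"""Egress-flow baselining with alert collapsing (added example, not from the post).

Assumed input: per-connection flow records (src host, destination, port, bytes
sent) of the kind a firewall, NetFlow/IPFIX collector or cloud VPC flow log
produces. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import statistics


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that initiated the connection
    dst: str        # destination host or IP
    dport: int      # destination port
    bytes_out: int  # bytes sent by src


# Constructed training window: what "normal" looked like last month.
BASELINE_FLOWS = [
    Flow("ws-01", "crm.internal", 443, 40_000),
    Flow("ws-01", "crm.internal", 443, 50_000),
    Flow("ws-01", "crm.internal", 443, 60_000),
    Flow("ws-01", "crm.internal", 443, 45_000),
    Flow("ws-01", "crm.internal", 443, 55_000),
    Flow("db-02", "backup.internal", 22, 2_000_000_000),
    Flow("db-02", "backup.internal", 22, 2_100_000_000),
    Flow("db-02", "backup.internal", 22, 1_900_000_000),
]

# Constructed live window: routine traffic, a bulk upload to an unknown
# external address, and a host nobody has baselined.
LIVE_FLOWS = [
    Flow("ws-01", "crm.internal", 443, 52_000),
    Flow("ws-01", "crm.internal", 443, 48_000),
    Flow("ws-01", "203.0.113.7", 443, 800_000_000),
    Flow("ws-01", "203.0.113.7", 443, 800_000_000),
    Flow("ws-01", "203.0.113.7", 443, 800_000_000),
    Flow("db-02", "backup.internal", 22, 2_050_000_000),
    Flow("laptop-99", "198.51.100.4", 53, 300),
]

SIGMA_FLOOR = 0.25  # assumption: stops a near-constant baseline flagging everything


def build_baseline(flows):
    """Per-host profile: the (dst, dport) pairs it talks to plus mean and
    standard deviation of log(bytes_out). Volumes are log-scaled because they
    span orders of magnitude and a 10x jump matters whether it is KB or GB."""
    peers = defaultdict(set)
    log_bytes = defaultdict(list)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
        log_bytes[f.src].append(math.log1p(f.bytes_out))
    return {
        host: {"peers": peers[host],
               "mean": statistics.fmean(vals),
               "stdev": statistics.pstdev(vals)}
        for host, vals in log_bytes.items()
    }


def score_flow(profile, flow):
    """Return (score, reasons). A host with no baseline, a never-seen
    destination:port, and a volume more than 3 sigma above the host's norm
    each add to the score; a routine flow scores 0.0."""
    p = profile.get(flow.src)
    if p is None:
        return 3.0, ["no baseline for host"]
    score, reasons = 0.0, []
    if (flow.dst, flow.dport) not in p["peers"]:
        score += 2.0
        reasons.append(f"new destination {flow.dst}:{flow.dport}")
    sigma = max(p["stdev"], SIGMA_FLOOR)
    z = (math.log1p(flow.bytes_out) - p["mean"]) / sigma
    if z > 3.0:
        score += z
        reasons.append(f"volume {z:.1f} sigma above baseline")
    return score, reasons


def triage(profile, flows, threshold=2.0):
    """Score a window and collapse repeats of the same (src, dst, dport) into
    one alert carrying a count and total bytes, so a 500-connection
    exfiltration session reaches an analyst as one line rather than 500."""
    alerts = {}
    for f in flows:
        score, reasons = score_flow(profile, f)
        if score < threshold:
            continue
        key = (f.src, f.dst, f.dport)
        if key in alerts:
            a = alerts[key]
            a["count"] += 1
            a["bytes_out"] += f.bytes_out
            a["max_score"] = max(a["max_score"], score)
        else:
            alerts[key] = {"src": f.src, "dst": f.dst, "dport": f.dport,
                           "count": 1, "bytes_out": f.bytes_out,
                           "max_score": score, "reasons": reasons}
    return sorted(alerts.values(), key=lambda a: a["max_score"], reverse=True)


PROFILE = build_baseline(BASELINE_FLOWS)

if __name__ == "__main__":
    for a in triage(PROFILE, LIVE_FLOWS):
        print(f'{a["src"]} -> {a["dst"]}:{a["dport"]}  x{a["count"]}  '
              f'{a["bytes_out"]:,} bytes  score={a["max_score"]:.1f}  '
              f'{"; ".join(a["reasons"])}')
```

Run against the constructed live window, this yields two alerts: the three 800 MB uploads from ws-01 to 203.0.113.7 arrive as one line (new destination plus volume far above baseline), and the unbaselined laptop is flagged once, while the routine CRM and backup traffic scores zero. In a real deployment the baseline would be keyed on host role and time of day and fed continuously from the flow collector, and the thresholds tuned against the alert volume the team can actually work, which is the point of the paragraph above.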
Furthermore, we cannot ignore the people who comprise our teams. Instead of having team members chase tickets, alerts, or respond to false alarms, we should be organizing our teams to perform active hunting through our environments looking for bad actors. This proactive hunting can be achieved manually, but what better way for machines to “learn” how to negotiate a multi-tier and vast network than to watch hacker-hunters (our people) make decisions as they hunt for signs and indicators of compromise.
Delivering solutions that take the best of machine learning, algorithmic anomaly detection, and other pattern-matching indicators, and reserving a seat for these tools on our security teams, is the next disruptive technology for cybersecurity. The disruptor beyond that one is self-healing systems, but let’s stop the bleeding first.
3. Following Compliance Rules, but Focusing on Winning with Newer Controls
How do we implement newer controls, adjust our focus from controls that are less effective, and still do business?
Security leaders often encounter the request for antiquated controls in contracts or procurement processes that have proven less than effective at preventing certain harms. This can be frustrating at times and those of us who are involved in these negotiations can only hope the person across from us—learning that their compliance manual was written 10 years ago on a law that was passed 10 years before that—will accept a different control for mitigating the same risk.
Making sure we achieve and exhibit compliance is critical to landing and maintaining contracts and business relationships. Making sure our teams are constantly responding to new threats with innovative and disruptive technologies aimed at preventing the underlying harm with greater certainty is the only way we will be able to achieve success and ensure the trust of our customers.
It is imperative that security professionals collaborate with industry, compliance, privacy and legal partners to implement the controls and processes more likely to keep pace with the changing cybersecurity threat matrix. Let’s stop repeating the data breach mantra.