
The Ostrich Effect

March 8, 2011

While it may be a myth that ostriches stick their heads in the sand to avoid danger, the unfortunate fact is that the myth has a sad real-world analog: organizations that do nothing — or, just as poorly, too little — to protect their critical data, including data on their customers.

Today’s rant comes courtesy of the Ponemon Institute’s sixth annual US Cost of a Data Breach Study, which this year pegs the average cost of a data breach at a whopping $268 per compromised data record — a new all-time high.  Of course, as is accepted belief in the information security community, there’s no such thing as 100% secure; the fact is that data breaches will continue, even for the most well-protected organizations and infrastructure.  No, what’s perplexing and frustrating is that the survey points out that negligence is still the most common cause of data breaches, being the primary culprit in over 40% of successful breach events.

Why is this happening?  At first, I thought that perhaps the problem was likely an issue of perception: organizations have historically looked at information security as a necessary evil, and if they don’t have a data breach (at least, one that they know about…) then there’s not a problem.  Countless information security personnel have had their budget requests denied over the years, and have consequently failed to acquire technologies to address key threats.  But a closer look at the Ponemon survey belies this assumption: the fact is, organizations are becoming more — not less — proactive regarding monitoring for data breaches: they’re spending more money, buying more tools, and hiring more security personnel (either internally, or via outsourcing monitoring capabilities).

So what’s the problem, then?  Why is “negligence” still a major enabler of data breaches?  I think the answer has less to do with budgets or the knowledge/experience of security professionals, and much more to do with the technologies available: organizations rely heavily on signature-based point tools to assist in data breach detection, but… the simple fact is, signature-based approaches to threat detection are rapidly becoming a thing of the past.

To be clear, I’m not suggesting that security personnel should immediately pull IDS/IPS devices out of their networks, or uninstall anti-malware tools from their end points.  But the fact is, threats are becoming more complex.  Simply look at threats like Stuxnet (four zero-day attacks, coupled with stolen security certificates from a trusted CA) or Wikileaks (where technical security controls weren’t even breached), and you’ll find two issues:

  • Complex, multi-vector attacks. Signature-based technologies are focused on one type of security data: IDS/IPS looks at network traffic, SIEM looks at events, CMDBs look at asset configurations, FIM looks at files, and AV looks at the end point.  The problem is, of course, that complex attacks utilize all of these vectors (and more).  To detect a typical data breach, you’ll likely need visibility across many different types of security data: events, configurations, asset changes, NetFlow and/or SPI/DPI, performance metrics, FIM, and other types of information.  Unfortunately, today’s signature-based solutions can’t detect these broad-based attacks: your IDS can’t tell you when a server is pwned, your AV can’t tell you when your ACLs aren’t set correctly, and your SIEM can’t tell you when there’s a device talking on port 1433 but the payload isn’t SQL traffic.  Today’s tools can’t detect these patterns.
  • Abnormal insider behavior. What happens when someone is a privileged user in your environment, but betrays their trust?  Such is the fallout that the federal government is dealing with in the wake of Wikileaks.  When a user has the appropriate permissions to access confidential information, the ability to track their access and build a baseline of “normal” behavior is paramount: if a user goes from opening 100 confidential files or querying 100 database records in a day, to opening or querying 250,000 the next day, you may well have a problem of breached trust.  Again, today’s tools are focused on specific, policy-based or signature-based threat detection, and don’t have the ability to handle this type of variable threat.
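To make the two detections above concrete, here is an added example (not code from this post or from any eIQnetworks product) that runs both checks over constructed sample data: a port-versus-payload mismatch check that needs the port from a flow record and the protocol verdict from a DPI sensor together, and a per-user baseline check that flags a file-access count far above that user’s own history. The record field names, the expected-protocol table and the sample flows and audit counts are all assumptions invented for the example.

```python
"""Added example: two detections the post says signature tools miss.

All data here is constructed; field names (src, dst, dst_port, app_proto,
user, day, files_opened) are assumptions, not any product's schema.
"""
from collections import defaultdict
from statistics import mean

# Constructed flow records as a DPI/SPI sensor might export them. 'app_proto'
# is the protocol identified from the payload, independent of the port number.
FLOWS = [
    {"src": "10.0.1.15", "dst": "10.0.2.8", "dst_port": 1433, "app_proto": "tds"},
    {"src": "10.0.1.22", "dst": "10.0.2.8", "dst_port": 1433, "app_proto": "tds"},
    {"src": "10.0.1.77", "dst": "203.0.113.9", "dst_port": 1433, "app_proto": "ssh"},
    {"src": "10.0.1.15", "dst": "10.0.2.9", "dst_port": 443, "app_proto": "tls"},
]

# Expected application protocol per server port (assumption for the example).
EXPECTED_PROTO = {1433: "tds", 443: "tls", 22: "ssh"}

# Constructed daily file-access counts from a document repository audit log.
ACCESS_LOG = [
    {"user": "alice", "day": "2011-03-01", "files_opened": 95},
    {"user": "alice", "day": "2011-03-02", "files_opened": 110},
    {"user": "alice", "day": "2011-03-03", "files_opened": 100},
    {"user": "alice", "day": "2011-03-04", "files_opened": 250000},
    {"user": "bob", "day": "2011-03-01", "files_opened": 40},
    {"user": "bob", "day": "2011-03-02", "files_opened": 55},
    {"user": "bob", "day": "2011-03-03", "files_opened": 48},
    {"user": "bob", "day": "2011-03-04", "files_opened": 60},
]


def port_protocol_mismatches(flows, expected=EXPECTED_PROTO):
    """Flag flows whose payload protocol is not what the port should carry.

    A port-only rule sees '1433 = SQL'; pairing the port with the DPI verdict
    is the cross-source correlation the post describes.
    """
    alerts = []
    for f in flows:
        want = expected.get(f["dst_port"])
        if want is not None and f["app_proto"] != want:
            alerts.append(
                f"{f['src']} -> {f['dst']}:{f['dst_port']} carries "
                f"{f['app_proto']}, expected {want}"
            )
    return alerts


def access_spikes(log, ratio=10.0, min_history=3):
    """Flag a user's day when their count exceeds `ratio` x their own baseline.

    The baseline is the mean of that user's earlier days, and is only trusted
    once at least `min_history` days exist. No signature is involved: the
    threshold is relative to each user, which is what catches a trusted
    insider whose permissions never changed.
    """
    by_user = defaultdict(list)
    for rec in sorted(log, key=lambda r: (r["user"], r["day"])):
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, days in by_user.items():
        history = []
        for rec in days:
            if len(history) >= min_history:
                baseline = mean(history)
                if rec["files_opened"] > ratio * baseline:
                    alerts.append(
                        f"{user} opened {rec['files_opened']} files on {rec['day']} "
                        f"(baseline {baseline:.0f}, {rec['files_opened'] / baseline:.0f}x)"
                    )
            history.append(rec["files_opened"])
    return alerts


if __name__ == "__main__":
    for alert in port_protocol_mismatches(FLOWS) + access_spikes(ACCESS_LOG):
        print("ALERT:", alert)
```

On the sample data the first check flags only the 1433 flow whose payload was identified as SSH, and the second flags only alice’s 250,000-file day; bob’s modest day-to-day variation stays under the 10x ratio, which is the point of using each user’s own history rather than a fixed global threshold.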

So how do organizations get around these problems, and reduce the “negligence” cause of data breaches?  Well, one way is to build a better proverbial mousetrap: find and install the “one true security application” that does everything soup-to-nuts.  The problem, of course, is that such a solution doesn’t exist.

The other option — and one that we’ve been promoting at eIQnetworks for years — is a federated solution that collects data from all those incumbent, signature-based security products — IDS/IPS, AV, NAC, DLP, and others — and brings them together into a single platform, with complete cross-correlation to detect abnormal activity, including pattern recognition to detect Wikileaks-style breaches.  Fortunately, this type of product most definitely does exist… and you know where to find it!
