
Hindsight is a wonderful thing!

March 27, 2012

The 2012 edition of the Verizon Data Breach Investigations Report was published last week and makes interesting reading for anyone working in or associated with information security. A couple of statistics stand out: 97% of breaches in 2011 were avoidable through implementing relatively simple security controls, although the report caveats this with the finding that 85% of breaches took weeks or more to discover.

Looking at avoidable breaches first, the report's authors feel it is necessary to add the caveat “in hindsight”… surely everything is avoidable if you have time to reflect on it and understand what went wrong, isn’t it? I’m also not sure that I agree with the statement. We’re increasingly hearing that information security has moved on from stopping a network breach from occurring and on to preventing significant damage from being done. Which takes us to the second issue – the time taken to discover breaches.

My gut-check instinct tells me that 85% is perhaps a little on the low side. And herein lies the major challenge for information security professionals. If it is almost inevitable that, if somebody wants to breach a network perimeter, they can – as was demonstrated by a number of hacker groups in 2011 – then most large organizations are unable to protect data within their environment. By the time most have realized they have been breached, the data has been accessed, and often removed from the network. Given that the days of signature-based attacks are all but over, the chances of learning anything of value from an autopsy on one attack are minimal.

The 2012 Verizon Data Breach Report is further verification that the only way to protect sensitive data within a large distributed environment is to have the ability to spot an attack while it is in progress – not weeks after it has taken place. This requires the ability to collect and correlate data from many types of devices, in real time, and provide security analysts with a live view of what’s taking place in a network. It’s further reinforcement that SIEM, as we know it, is dead – and that information security now depends on situationally aware security professionals.
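To make the "correlate across devices, in real time" argument concrete, here is a small streaming correlator written for this post; it is an added example, not code from the Verizon report or from the blog's author. It treats events from three device types (a VPN concentrator, a database audit log and a firewall) as one time-ordered stream and raises an alert as soon as the combined sequence looks like an intrusion in progress, reporting how long after the first suspicious event each alert fired. Every log line, host, user name and threshold below is constructed for the example; the log format and the stage thresholds are assumptions, not any product's format.

```python
"""Streaming multi-source correlation: spot an intrusion while it unfolds.

Added example for this post (not the report's or the author's code). Events
from a VPN concentrator, a database audit log and a firewall are read as one
time-ordered stream; state is kept only where it lets a later event from a
different device be tied back to an earlier suspicious one.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample stream (one event per line, oldest first). Format is an
# assumption: "<iso timestamp> <device> <kind> key=value ...".
SAMPLE_LOG = """\
2012-03-20T02:14:05 vpn auth_fail user=jdoe src=203.0.113.7
2012-03-20T02:14:09 vpn auth_fail user=jdoe src=203.0.113.7
2012-03-20T02:14:15 vpn auth_fail user=jdoe src=203.0.113.7
2012-03-20T02:14:22 vpn auth_fail user=jdoe src=203.0.113.7
2012-03-20T02:14:40 vpn auth_ok user=jdoe src=203.0.113.7 assigned=10.0.5.20
2012-03-20T02:20:01 vpn auth_ok user=asmith src=198.51.100.44 assigned=10.0.5.21
2012-03-20T02:31:12 db query user=jdoe host=10.0.5.20 rows=480000
2012-03-20T02:33:07 db query user=asmith host=10.0.5.21 rows=120
2012-03-20T02:35:50 fw egress src=10.0.5.20 dst=192.0.2.9 bytes=734003200
"""

# Assumed thresholds; a real deployment derives these from its own baseline.
FAIL_WINDOW = timedelta(minutes=5)   # sliding window for failed logins
FAIL_THRESHOLD = 3                   # failures before a success is suspicious
BULK_ROWS = 100_000                  # rows read in one query
BULK_BYTES = 100 * 1024 * 1024       # bytes leaving in one flow


def parse_event(line):
    """Turn 'ts device kind k=v ...' into a dict; ts becomes a datetime."""
    ts, source, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


class Correlator:
    """Keeps just enough state to link events across device types."""

    def __init__(self):
        self.failures = defaultdict(deque)  # (user, src) -> recent failure times
        self.suspect_hosts = {}             # VPN-assigned address -> (user, first seen)
        self.alerts = []

    def feed(self, event):
        kind, ts = event["kind"], event["ts"]
        if event["source"] == "vpn":
            key = (event["user"], event["src"])
            window = self.failures[key]
            # Expire failures that fell out of the sliding window.
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if kind == "auth_fail":
                window.append(ts)
            elif kind == "auth_ok" and len(window) >= FAIL_THRESHOLD:
                # A success right after a burst of failures: the address the
                # VPN handed to this session is treated as suspect from now on.
                self.suspect_hosts[event["assigned"]] = (event["user"], window[0])
                self._alert(ts, "brute-force then success", event["user"], window[0])
        elif event["source"] == "db" and event.get("host") in self.suspect_hosts:
            if int(event["rows"]) >= BULK_ROWS:
                user, first = self.suspect_hosts[event["host"]]
                self._alert(ts, "bulk read from suspect host", user, first)
        elif event["source"] == "fw" and event.get("src") in self.suspect_hosts:
            if int(event["bytes"]) >= BULK_BYTES:
                user, first = self.suspect_hosts[event["src"]]
                self._alert(ts, "large egress from suspect host", user, first)

    def _alert(self, ts, what, user, first_seen):
        # Detection delay is measured from the first suspicious event, which
        # is the quantity the report's "weeks or more" figure describes.
        self.alerts.append({"at": ts, "what": what, "user": user,
                            "detect_delay": ts - first_seen})


def run(log_text):
    """Feed the stream in order and return the alerts raised along the way."""
    correlator = Correlator()
    for line in log_text.strip().splitlines():
        correlator.feed(parse_event(line))
    return correlator.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"{a['at']} {a['what']:31} user={a['user']} "
              f"raised {a['detect_delay']} after first sign")
```

On the constructed stream the first alert fires 35 seconds after the first failed login, and the egress alert fires about 22 minutes in, while the transfer is still happening; the same three lines examined in a weekly log review would be the "autopsy" the post argues is too late. Note that no single device sees anything conclusive: the VPN sees a user who eventually got in, the database sees a large query by a valid account, the firewall sees one big flow. Only the join across them, keyed on the address the VPN assigned, turns three ordinary events into an alert.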
