Jeff Williams at Contrast Security recently spoke to Forbes about the lack of concrete data regarding breaches and hacks. In order to help sort out the reality vs the hype, Jeff proposes a standardized scorecard to help collect and compare data on various public breaches.
Howard Solomon published a great article that touches on Jeff’s proposal and some of the issues around informing users of a data breach. Jeff’s proposal is good and Howard’s comments are on point. Thankfully, a lot of these issues are going to be hashed out as part of the data breach reporting discussion currently going on here in Canada.
But while it’s fundamentally sound, Jeff’s proposal isn’t without its challenges. The foremost among those is that most organizations simply cannot answer the basic questions proposed in the scorecard, at least not in the short term after a breach.
Catch 22
Defenders are getting better at protecting their corporate networks. Mandiant recently reported that the time to detection for most attacks has dropped to 146 days (Mandiant M-Trends 2016, pg. 4). Yes, dropped to 146 days. Believe it or not, that’s the first substantial improvement in a long time.
The down side is that despite spending billions on security, most large organizations still take four months to find out that they’ve been hacked. That’s how lopsided things are between attackers and defenders.
Once an attack is detected, the defenders start to work through these phases: identify, contain, eradicate, recover, review, which leads back into the perpetual “prepare” phase. Each of these phases takes time and resources. Given the frequency of attacks and security issues, it’s extremely rare that a team has the time required to fully investigate a hack.
More often than not, defenders have to get out the duct tape, fix the immediate issues, and move on to try and put out the next fire. That means they rarely get to fully understand what an attacker was doing on their network for the past four months.
Tying this back to the scorecard idea: after the initial estimation of the impact of an attack, it’s unlikely that a team can complete the full scorecard or any in-depth breach notification requirements.
Surface impact
Howard’s article touches on the important points for end users like when an organization should let us know that our data has been breached, what precautions we should take, etc. This is the crux of the data breach discussion that Industry Canada is co-ordinating.
While these are key issues that need to be discussed and worked through, there’s a more significant problem lurking in the background. In the Forbes article, Jeff touches on it. “We never find out anything that would enable people to make informed decisions about whether their data is safe enough.”
Shot in the dark
As a defender, you’re called on to make important decisions every day. When designing a defence, you build based on the value of the organization’s data. Once you understand the value and sensitivities of the data, you can start to determine which security controls would be appropriate.
Part of that determination is a cost/benefit analysis. How much are the security measures to protect the data going to cost vs. the actual value of the data? Step one is to figure out the annualized loss expectancy or ALE. This is how much we can expect to lose in a given year if something happens to this asset.
The ALE is a simple calculation. It’s the annual rate of occurrence (ARO) times the single loss expectancy (SLE). Simply put: how often a breach is likely to happen multiplied by the cost of each breach.
Assume that we have personally identifiable information (PII) about our 10,000 customers. If this data was exposed, it would cost us approx. $25/customer to buy identity theft protection for three months. This gives us an SLE of $250,000.
Let’s be optimistic and assume that we’ll only get attacked once every two years. This gives us an ARO of 0.5. Combined, we get an ALE of $125,000 (SLE $250,000 * ARO 0.5).
Those customer records are quite valuable to our organization and, based on the ALE, we could spend up to $125,000 a year protecting them. Anything more and we’re better off handling the loss after a breach.
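The calculation above carried through in code, as an added example that is not part of the original post: it reproduces the $250,000 SLE and $125,000 ALE, applies the spend-up-to-ALE rule, and then sweeps the ARO (the one input that is a guess) to show how much it moves the justified budget. The control prices in the block are assumed for illustration.

```python
# Added example (not from the original post): ALE for the post's PII scenario
# plus a sensitivity sweep over the guessed annual rate of occurrence (ARO).
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    """Inputs for a quantitative risk estimate of one asset."""
    records: int            # number of records that would be exposed
    cost_per_record: float  # cost to remediate one record (e.g. identity theft protection)
    aro: float              # annual rate of occurrence: expected breaches per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: the cost of one breach of this asset."""
        return self.records * self.cost_per_record

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year = SLE * ARO."""
        return self.sle * self.aro


def control_is_justified(risk: AssetRisk, annual_control_cost: float) -> bool:
    """Spend-up-to-ALE rule: a control is worth buying only if it costs no more
    per year than the loss it is expected to prevent."""
    return annual_control_cost <= risk.ale


def ale_sensitivity(records: int, cost_per_record: float, aro_values) -> dict:
    """Return {ARO: ALE} so the reader can see how far the guessed ARO swings the budget."""
    return {aro: AssetRisk(records, cost_per_record, aro).ale for aro in aro_values}


# The post's scenario: 10,000 customer PII records at ~$25 each, one breach every two years.
PII = AssetRisk(records=10_000, cost_per_record=25.0, aro=0.5)

if __name__ == "__main__":
    print(f"SLE = ${PII.sle:,.0f}, ALE = ${PII.ale:,.0f}")
    # Hypothetical control prices (assumed values) to exercise the comparison.
    for price in (90_000, 125_000, 150_000):
        print(f"control at ${price:,}/yr justified: {control_is_justified(PII, price)}")
    # Sweep ARO from "once a decade" to "twice a year": a 20x spread in the answer
    # comes entirely from the number we guessed.
    for aro, ale in ale_sensitivity(10_000, 25.0, (0.1, 0.25, 0.5, 1.0, 2.0)).items():
        print(f"ARO {aro:>4}: ALE ${ale:>10,.0f}")
```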
Data not found
Did you notice the words I used while describing this equation? Words like assume, approximately, likely etc. aren’t words to use when you’re trying to make a quantitative decision.
But the dirty secret of most security teams is that a lot of their decisions are based on guesses. Educated guesses (hopefully). But guesses nonetheless.
This is where a lack of data about breaches and hacks hurts all of us. We wouldn’t be so focused on data breach notification if we could do a better job stopping the data breaches in the first place! In order to do that we need data to help us make better decisions.
Without a solid base of quantitative metrics, decisions are made based on threat visibility (think hype) and team instinct/training. This is why it’s critical that you invest heavily in your security team and not just security tools.
Next steps
There are several initiatives underway to help address this situation: The aforementioned data breach notification discussion, the founding of the Canadian Cyber Threat Exchange, a resurgence of the CCIRC, an ongoing review of the Government of Canada Cybersecurity Strategy, and a shift in the attitude of defenders in general. These are all fantastic developments.
But we’re still a long way away from having a reliable source of data to help properly evaluate the risks organizations are facing.
Until we reach that point, defenders have to evaluate the potential impact of a vulnerability (which we do have a system for), how it impacts their data, and then take a reasonable guess at the likelihood of it being used against their organization (usually assumed to be 100 per cent).
This is one of the biggest challenges defenders have when it comes to achieving status internally. Other departments use data and metrics to make decisions and while security might have the appearance of following suit, we’re really still taking a shot in the dark.
Security is a culture that needs to be woven into the fabric of your organization. It’s hard to create that culture when we can’t back up basic decisions with concrete data. Until we can, focus on creating strong relationships with other teams in the organization and making reasonable and proportional guesses about the risks facing your data.
What are your thoughts on the lack of data about data breaches? How do you make decisions about security in your organization without that data? What are you doing that others can adopt to help them make better decisions?
Please leave a comment below, or let me know on Twitter where I’m @marknca.