Consumers of information security technology and services have been inundated with talk of the value of being cognizant of threats, vulnerabilities, and risks for more than two decades as they labor to ensure that their assets – tangible and intangible – are protected and secured in an increasingly threat laden world.
And though consumers of information security technology and services have been flooded with messages delivered by their own employees and trusted third party vendors (e.g. VARs, consultancies, technology and service providers, etc.), the struggle continues. The folks working within enterprise information security organizations and their trusted third parties alike know what needs to happen; they’ve heard the message for years and seen time and time again what can and will occur if security is not taken seriously and encouraged to become an integral element of how their respective organizations conduct business. Yet compromises, breaches still occur at an alarming rate, as seen in the 2017 Verizon DBIR.
According to the report, there were 42,068 incidents observed across 21 industry verticals resulting in the 1,935 breaches that comprise their study (“incident” is defined as any security event that compromises the integrity, confidentiality, or availability of an information asset and “breach” is defined as an incident that results in the confirmed disclosure of data to an unauthorized party). By way of comparison, in the 2016 DBIR, Verizon reported that there were 64,199 incidents observed across those same 21 industry verticals resulting in 2,260 breaches.
Some interesting points related to these breaches observed and captured within the 2017 effort include the following:
- 75% of breaches were committed by outsiders, while 25% of breaches involved internal actors
- 18% of breaches were conducted by state-affiliated actors (e.g. proxies and/or nation states), while 51% involved organized criminal groups
- 24% of breaches had a material impact on financial organizations
- 15% of breaches involved healthcare organizations
- 15% of breaches involved the retail and accommodation industries
- 12% of breaches involved public sector organizations
- 73% of breaches were financially motivated
- 21% of breaches were the result of espionage related activity
- 3% of breaches included multiple parties
- 2% of breaches involved partners
Additionally, it should be noted that in terms of tactics, more of the same was observed in the 2017 effort:
- 66% of breaches featured “hacking” as a primary tactic (81% of all of the breaches which featured “hacking” of some sort involved the use of stolen credentials or weak passwords) utilized by threat actors
- Over half (51%) of the breaches involved or included malware, with a primary delivery vehicle occurring through e-mail (according to the authors of the DBIR, 66% of all the malware associated with the breaches was introduced and installed via malicious e-mail attachments!)
- 43% of all the attacks observed and recorded (both incidents and breaches) were driven by social engineering
- 14% of the breaches involved errors and/or privilege misuse
- 8% of the breaches involved some form of physical action
What does this tell us? To begin with, it tells me that there is still a fundamental misunderstanding of the importance of ensuring that security is a non-negotiable aspect of conducting business regardless of what that business is. Additionally, it tells me that either the conversations related to security being a business enabler as opposed to a cost center, a burden, or a perceived inhibitor of business are either not happening, happening but not resulting in the desired outcome, or not being given their due by the stakeholders tasked with being responsible for the business and its constituents, shareholders, partners, and customers. Furthermore, it tells me that there are either deficiencies, weaknesses, and/or flaws present in the defenses being employed by these organizations and to a lesser extent, their errors (see above) associate with their deployment, configuration, and management.
So, what can organizations and we, as members of the information security industry, do to help address these issues and change the dialogue occurring regarding the importance of security? We can begin by reiterating why being cognizant of threats, vulnerabilities and the vectors of exploitation related to them, and risks introduced to organizations and individuals alike by the successful exploitation of said vulnerabilities is noteworthy. This should not be difficult in 2017.
Beyond the conversation surrounding the importance of these concepts to an organization’s ability to conduct its business (whatever that may be), we need to discuss the realities facing these organizations as they pertain to data protection and advanced threats, namely those resulting in the loss of data due to the actions of malicious insiders and outsiders. We, as an industry, need to move toward a mindset anchored in the concept of being threat aware. Our discipline, our tradecraft, and our technology must be able to incorporate those elements of data protection and advanced threat protection capabilities necessary to prevent accidental misuse or intentional abuse which would result in theft, exfiltration, and loss of data. Data which could and often does have a material impact on how organizations do business.
Getting There: Achieving Threat Awareness
As Winston S. Churchill once said, “It is not enough that we do our best; sometimes we must do what is required.” Doing what is required isn’t always easy, pretty, or pleasant. Yet, it is the right thing to do in order to ensure that the organizations that entrust their security to their internal employees or the many trusted third parties with whom they work not only feel they are secure but believe they are secure by virtue of demonstrable artifacts. In order to do what is required with the goal being the achievement of a state of threat awareness, the following steps need to be taken.
- Leverage current investments in security technology to maximize the organization’s capabilities to obtain enterprise visibility into:
- Network telemetry (router, switch, firewall, IDS/IPS, forensics collection, etc.)
- System telemetry (OS-specific data, connection information, etc.)
- User information (behavioral patterns, rights, privileges, etc.)
- Data intelligence (classification, location within the network, telemetry related to access – downloads, copies, uploads, moves, deletes, etc.)
- Threat Intelligence (open source, closed source, commercial, etc.)
- Threats (malware, exploits, exploit kits, vulnerabilities, etc.)
- Threat actors (miscreants, anarchists, hacktivists, cybercriminals, nation state proxies, and nation states)
- Engage in threat intelligence sharing within environments and communities founded, built, and operated with the security of the intelligence being shared and people sharing it in mind
- Invest in attracting and retaining experienced, competent security analysts
- Invest in attracting and retaining teachable, inexperienced security analysts
- Invest in some form of integration and analytics platform designed for the express purpose of synthesizing disparate data sets and intelligence sources
- Practice good IT hygiene (patch management, etc.)
- Practice good operational security
- Preach and practice diligence and attention to detail
- Promote security awareness education and training
- Have the hard conversations with executive leadership and stakeholders
- Practice ad infinitum
It is only through the realization that an individual or organization is not threat aware and the initiation of the steps by the individual or organization to become so that threat awareness will be achieved.