Forecasting a Breach Is Like Finding a Needle in a Haystack — Not That Tough
2015 Breach Statistics
This year has seen plenty of breaches, and it’s not even over yet. Numerous reports show that the number of breaches in 2015 has rivaled 2014, but not many of them are making the evening news — other than the recent hack of Ashley Madison — because breaches are sadly becoming commonplace.
According to Experian’s “Data Breach Industry Forecast,” breaches will likely continue to focus on payment systems, but the accelerated adoption of chip-and-PIN technology is thwarting the traditional exploits for collecting and monetizing credit card data. As a result, Experian suggested thieves will look elsewhere for fertile ground — the cloud, health care information and the Internet of Things (IoT).
The Identity Theft Resource Center reported that as of Sept. 1, 533 breaches have occurred in 2015 and that over 140 million records have been exposed across business, educational, government and health care sectors. That represents about 44 percent of the population of the U.S. — and it means that if you have a credit card, Social Security number or password, your information has probably been compromised in one or more of the breaches.
IBM and the Ponemon Institute released a study reporting the cost of a breach to enterprises is up in 2015. The total cost increased 23 percent over the past two years to just under $4 million.
The Liability of a Breach
Although the average cost of a breach may be around $4 million, the little-known secret is that the actual liability organizations agree to provide when protecting data in the cloud is much higher. In other words, organizations that host or store customer information are going to be held liable in the event of a data breach, and the associated costs are potentially more severe.
Customers may ask that the liability an organization is willing to cover exceeds $100 million, which is catching the eye of the top-level executives and their boards. It’s a huge financial risk to any organization, and I am certain it begins to raise questions about the benefit of storing customer data, approaches to protecting that data and the methods of mitigating the risk of a breach of the data.
Are you willing to say that your infrastructure and processes around your security are so refined that you will compensate your customers up to $100 million in the event that their data is compromised by a breach?
We have now disclosed the average cost of breach in 2015 and provided a peek at the level of liability that organizations may be asked to provide. But how realistic is this in today’s security environment? Specifically, how likely is it that a weak point is found and exploited?
Each organization is different, but if you are an enterprise storing data worth stealing (and you know who you are), you can expect to see exploit attempts to the tune of approximately 1 million attempts per hour. That’s a lot of villains at the gate, and it only takes one to get through before the rest quickly follow.
Or course, most — if not all — of those attempts are automated. Infected hosts on the Internet are constantly scanning the Web, testing ports, attempting logins, trying different passwords, changing their patterns, incorporating the latest exploits and achieving goals very efficiently and from a centralized command-and-control infrastructure that is both difficult to find and more difficult to dismantle.
Furthermore, how do you know if cybercriminals are just testing the front door or if they are actually exploiting a vulnerability? That is the proverbial needle-in-a-haystack question.
Looking for a Needle in a Haystack? No Problem
How do you find a needle in a haystack? It is really not that difficult. I would use 1,000 people with hand magnets or one of those massive magnets you see used to pick up cars in junk lots. You could also use an X-ray, MRI or CAT scan.
Sound a little unconventional? Yes, I know, but get used to it! We need to think outside the box and outside the haystack.
Technology provides the villains an advantage to find and exploit vulnerabilities very efficiently, but we have the advantage that we can use the same and even newer technology to find the needles and remove them prior to any exploitation. However, it requires us to work collectively and intelligently.
Correlation Across Data and Organizations
I indicated that one approach to finding the needle is to give magnets to 1,000 people. Let’s extend that concept. Let’s give magnets, X-rays and CAT scan and MRI equipment to 1,000 people and then correlate all the data to find the needle. Aside from some of the scalability and expense issues of this approach, we all agree that finding the needle using an approach like this actually becomes quite easy.
So how do we take this concept and move it into the space of vulnerabilities, risk management and breach containment? That, too, is easy.
Earlier this year, IBM announced that it is opening up its threat intelligence vaults to combat cyberattacks. The X-Force Exchange is designed for companies to work together against cyberattacks by sharing information. Through this social platform, we work as one. It’s us against them through sharing information and insights, working collectively and efficiently, leveraging the intelligence of others and staying ahead of the villains at the gate.
The Silver Lining of Noise: Correlation
X-Force Exchange addresses the ability to work together, but how do we know what information can tell us if there is a breach or potential breach? The answer is through correlation. The massive volume of attempts to breach our fortress of data protection actually has a silver lining.
We know that if there is a potential weakness in our systems, cybercriminals will attempt to exploit it. Using a collection of information from our SIEM systems, logs, forensics investigations, vulnerability scanning and network topology, we can correlate information to help us see not only if there is a vulnerability, but also if there is traffic on our network that is attempting to exploit other weaknesses.
The villains provide us with the stimulus that we can easily and automatically monitor and use against them. Combining their activities with the other information from your security intelligence system provides automated and comprehensive insight into the true risk of a breach on your network, whether it is on-premises or in the cloud.
Forecasting a Breach
Forecasting a breach follows a corollary to a quote from Willie Sutton, the prolific American bank robber. When he was asked why he robbed banks, he said, “Because that’s where the money is.” So by extension, if we want to know where the villains are, we can answer that it’s where the potential vulnerabilities exist.
If traffic on a port, network segment, server or application is unusual or is correlating to another change to your assets or network configuration, it should go right to the top of your action items for immediate investigation. If traffic to or from an application has historically been blocked, such as a music service, website or social network, but is now available, that should be an indication that you should investigate that change — and quickly. To make it easier, if your peers tell you about their discoveries and observations in changes in malicious traffic, that can even give you an advantage prior to any notable changes in your particular network.
All of this comes down to security intelligence: correlating a lot of information automatically, sharing that information and working together with your peers.
It makes needles much easier to find.