Making the Case for Rapid Detection and Response
October 4, 2011
In my post “You Need a Plan B for Security”, I cited two numbers from the Verizon Business 2011 Data Breach Investigations Report (published May 2011): 60 and 86. These two numbers jumped out at me from the report because they emphatically support the need for rapid detection and response: the capability to identify the attacks that get through preventative IT security software, whether those attacks evade the perimeter and endpoint shields or the shields simply fail to detect them.
“60” represents the percentage of breaches in the study that went undiscovered for a month or more. Three out of five attacks that got past the organization’s shields were free to do damage on the host and the network for an extended period: free to establish command and control, spread to critical systems, and exfiltrate sensitive data and intellectual property. By the way, there is nothing to indicate that these attacks were sophisticated zero days or the advanced persistent threat. The lack of rapid detection and response makes such sophistication unnecessary.
Organizations rest in the false security of security suite reports that show a steadily rising count of detected malware, a number inflated by the ever-increasing volume of attacks rather than by any improvement in detection. Or they are willing to gamble that the number of attacks that do get through will be minimal. Ask Sony how many attacks it takes to cause an enormous amount of seemingly endless headaches and public relations hits. Better yet, ask their CEO, who is under pressure to resign because of the incident.
“86” represents the percentage of reported breaches that were discovered by a third party. Conversely, the attacked organization found the problem itself only about one time in seven. If a third party had not brought the attack to its attention, it may never have been discovered. One could reasonably surmise that if detection had been left entirely to the attacked organizations, the 60% figure above would have been much worse.
It is clear that organizations are not prepared to detect and respond to successful attacks. One in seven is a horrible rate given the accelerating pace at which attacks are getting through the shields. They most certainly are not prepared to detect these attacks rapidly, before they can cause significant damage.
There is another component to consider. Detection of the attack by a third party means that the attacked organization’s dirty laundry is now public. At a minimum this erodes public and consumer trust, and at worst it can damage the organization’s brand and potentially affect its valuation.
Budgets are tight and the economy is staggering. Rather than spend more money on yet another shield that will get compromised, organizations may want to take the numbers 60 and 86 to heart and take a hard look at their own detection and response capability. By ignoring the need for rapid detection and response, organizations are enabling the adversary to establish a long-term and highly destructive presence in their environments.
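One way to take that hard look is to measure the same two numbers against your own incident register: how long intrusions sit undiscovered (dwell time) and who actually found them. The script below is an added example and is not from the original post or from the Verizon report. The incident records are constructed, the 30-day threshold is my stand-in for the report’s “a month or more”, and the benchmark figures are simply the 60 and 86 quoted above.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed incident register (hypothetical data, not real incidents).
# One record per confirmed intrusion: the earliest evidence of compromise,
# the date the organization learned of it, and who brought it to light.
INCIDENTS = [
    {"id": "INC-001", "compromised": "2011-01-03", "discovered": "2011-01-05", "discovered_by": "internal"},
    {"id": "INC-002", "compromised": "2011-01-10", "discovered": "2011-03-22", "discovered_by": "third_party"},
    {"id": "INC-003", "compromised": "2011-02-01", "discovered": "2011-03-18", "discovered_by": "third_party"},
    {"id": "INC-004", "compromised": "2011-02-14", "discovered": "2011-02-15", "discovered_by": "internal"},
    {"id": "INC-005", "compromised": "2011-03-01", "discovered": "2011-06-29", "discovered_by": "third_party"},
    {"id": "INC-006", "compromised": "2011-04-04", "discovered": "2011-04-13", "discovered_by": "third_party"},
    {"id": "INC-007", "compromised": "2011-04-20", "discovered": "2011-05-25", "discovered_by": "third_party"},
    {"id": "INC-008", "compromised": "2011-01-15", "discovered": "2011-08-03", "discovered_by": "third_party"},
]

# The two figures from the 2011 DBIR as cited in the post, used only as a
# yardstick: a month or more undiscovered (60%) and found by a third party (86%).
DBIR_2011_BENCHMARK = {
    "pct_dwell_30_days_or_more": 60.0,
    "pct_discovered_by_third_party": 86.0,
}


def dwell_days(incident):
    """Days between first compromise and discovery. Rejects impossible records."""
    start = date.fromisoformat(incident["compromised"])
    end = date.fromisoformat(incident["discovered"])
    if end < start:
        raise ValueError(f"{incident['id']}: discovered before compromised")
    return (end - start).days


def detection_scorecard(incidents, long_dwell_days=30):
    """Summarize an incident register with the same metrics the DBIR reports.

    long_dwell_days: threshold for 'undiscovered for a month or more'
    (30 days is an assumption; the report does not give an exact cut-off).
    """
    if not incidents:
        raise ValueError("no incidents to score")
    dwell = [dwell_days(inc) for inc in incidents]
    sources = Counter(inc["discovered_by"] for inc in incidents)
    n = len(incidents)
    long_dwell = sum(1 for d in dwell if d >= long_dwell_days)
    return {
        "incidents": n,
        "pct_dwell_30_days_or_more": round(100.0 * long_dwell / n, 1),
        "pct_discovered_by_third_party": round(100.0 * sources["third_party"] / n, 1),
        "median_dwell_days": median(dwell),
        "max_dwell_days": max(dwell),
        "discovery_sources": dict(sources),
    }


def flag_against_benchmark(scorecard, benchmark=DBIR_2011_BENCHMARK):
    """Return the metric names where the organization is at or above the
    report's (bad) figure, i.e. where it is doing no better than the study."""
    return [name for name, value in benchmark.items() if scorecard[name] >= value]


if __name__ == "__main__":
    card = detection_scorecard(INCIDENTS)
    for key, value in card.items():
        print(f"{key:32} {value}")
    worse = flag_against_benchmark(card)
    print("no better than DBIR 2011 on:", worse or "nothing")
```

Run against a real incident register, the two percentages tell you whether the 60 and 86 are someone else’s problem or yours, and the median and maximum dwell times tell you how long an adversary can expect to operate before anyone notices. The `discovered_before_compromised` check matters in practice: registers filled in after the fact often record the ticket date as the compromise date, which silently zeroes out dwell time and makes the numbers look better than they are.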
Attacks are getting through. You must have a way to effectively identify successful attacks and provide the actionable information to make an informed and rapid response.