May 9, 2012 Leave a comment
I asked a question last week on Twitter that provoked some interesting discussion and even a slap on the hand. I thought my question was relatively simple and sensible:
Is it reasonable to wonder if the breaches we know about – the adversary was caught for lack of a better term – might we only be viewing a sample that represents the less well conceived and/or constructed attacks?
Seemed reasonable. I asked the question because I use the various breach reports for statistics, and they of course report on breaches that are discovered. Think back to the hide and seek of your childhood. In my experience, the worst hiders were very likely the first caught. I even mentioned the old Monty Python “How to Hide” sketch. So it seemed sensible to ask if the reports were skewed to the worst hiders of the attack population. Or to quote that great security analyst and philosopher Foghorn Leghorn: “that breach is about as sharp as a bowling ball”.
I try very far to stay away from fear, uncertainty and doubt (FUD), but my question pushed the FUD detector of Pete Lindstrom (@SpireSec), a security analyst and founder of Spire Security, past his tolerance point. Pete’s contention was that raising the question without supporting evidence was a form of FUD, because I was raising a level of uncertainty and perhaps fear. Point taken, but that does not stop my intellectual curiosity because I still believe there is a bit of Gordian Knot at play here. I raised the question because I really study the reports and use the presented statistics to support my points about Triumfant so I am not spreading FUD. Foghorn would likely say that I am “more mixed up than a feather in a whirlwind”. But the more I look at the statistics, the more I see unanswered questions that lie beyond the available evidence.
Which takes me back to the point of my original question: it is impossible to gauge the problem we collectively face in IT security because we do not know what we do not know. And what we do not know is the proportion between detected and undetected breaches. I raised a similar question in a blog post about malware detection rates tow years ago and noted that an undetected attack is still an attack, even if we can’t count it.
The breach counts in the collective reports actually rely on two things: detection and disclosure. The Verizon Business report is based on the Verizon caseload and cooperation from law enforcement agencies from several countries. How many breaches are detected that do not show up on the Verizon report or the others? How many breaches are not reported to the authorities? There are regulatory mandates that require an organization to disclose breaches that involve the loss of certain types of data, but what happens when those regulatory lines are not crossed? The Verizon Report is actually called the Data Breach Investigations Report.
I go back to what we don’t know. How many breaches go undiscovered? How many breaches are discovered and not disclosed? Are the detected and disclosed breaches representative of the broader population or are they representative of the less well written and less well executed breaches? Are the breaches in the report 99% of the breaches? 50%? The tip of the proverbial iceberg?
These questions have ramifications, particularly when we put them in the context of what evidence we do have. For example, if we discover that the discovered breaches are not exactly, as Foghorn would note, the sharpest knives in the drawer, what does it say about the ability of organizations to detect breaches when the average time from infiltration to detection is 173.5 days as reported by the Trustwave report?
I agree with Pete – we need evidence. Unfortunately, a reasonable conclusion that can be drawn from the collective evidence of these studies is that most organizations are not equipped to detect breaches. Which of course adds to the conundrum the evidence points to the fact that we will struggle to gather the proper evidence.
I don’t think the collective industry will answer these questions, because they are the uncomfortable detritus of years of placing so much emphasis on prevention. The “2011: Year of the Breach” declarations have been an uncomfortable public realization for the industry and for organizations. Even if we were better at detecting breaches, organizations will not self-disclose unless required to do so for a variety of valid reasons.
So, FUD accusations aside, I stand by my question. Of course, Foghorn would likely say that I “Got a mouth like a cannon. Always shooting it off”.