May 2, 2012
I just read the Symantec 2011 Internet Security Threat Report from cover to cover, which is a great report with a lot of great information. But I have the same problem with this report as I do with the ones from Verizon Business, IBM X-Force, Trustwave, and Mandiant (also all great reports with great information) and several of the writers and general industry pundits. In their report, Symantec calls 2011 “The Year of the Breach” which is consistent with the other reports and other discussions in the broader market.
I am sorry, but I just hate that term. Hate it. The fact that the industry, in many cases begrudgingly, has had to publicly acknowledge that shields are being evaded and organizations are getting breached does not make 2011 a milestone for breaches. Companies were getting breached in 2010 and prior, and will be breached in 2012 and beyond. Breaches are not a 2011 thing, or some annual phase we entered, watched peak, and ultimately ebb away.
I will agree that 2011 is the year that the IT Security Industry came to terms with the fact that vendors that sold preventative software could no longer conveniently ignore that organizations were being breached. Many of the statistics that have been a consistent theme of reports like the Verizon Business 2012 Data Breach Investigation Report seem to have suddenly found resonance. Statistics such as the 173.5 days on average from breach to detection reported in the Trustwave 2012 Global Security Report became impossible to ignore.
Therefore, calling 2011 “The Year of the Breach” seems disingenuous to me. In fairness, calling 2011
“The Year We Stated the Obvious” or
“The Year We Got Our Heads Out of Our Collective… (filters engaging) the Sand” or
“The Year Vendors Realized They Could No Longer Sell Just Shields”
is clearly not as catchy.
For the record, this is not a criticism of the reports or the people that produce them. These reports are hugely informative and I respect the efforts of those who produce them. As I noted previously, the relentless presentation of the statistics in those reports was at least partially responsible for changing the predominant messaging in the market. The hype could no longer shout down the reality presented by the numbers. Notice I said messaging, because I think most pragmatic, right-thinking folks in IT security already knew about the breach situation.
Don’t get me wrong; I am happy that the market has decided to recognize that organizations are being breached. I work for the company that I think offers the best and most innovative solution for detecting breaches at the point of infiltration. And with one child about to leave for college, I am all about contributions to the Ivers Foundation.
Which leads me to another comment about these reports. The reports – rightfully so – talk about detected breaches. The reports indicate that a high percentage (>90%) of breaches are discovered by someone outside of the organization, indicating that organizations are not equipped to detect breaches. One could make the case that the breaches that get detected do not represent the best and brightest because they were detected. Without dissolving into hype or FUD, what percentage of breaches do we really detect? All? Half? 10%? It is a question worth asking, and as organizations begin to put breach detection capability in place, the resulting statistics will be interesting.
By the way – anyone want to place bets that 2012 will be “The Year of the Targeted Attack”?