In the wake of the Equifax breach, I have found myself on an increasing number of calls with reporters and business leaders from various industries. Invariably, the questions asked all boil down to one overarching interrogative: "How do we avoid becoming the next breach victim?" After I attempt to calm nerves and reiterate that there are no silver bullets out there, my answers tend to center around three fundamental areas that I offer up to you for criticism or comment. Here goes...
1. Be Harder Than The Other Guy. Folks often ask me whether or not they should put the alarm sign in front of their house when they buy an alarm service. My answer to them is "yes, absolutely!" Most burglaries and break-ins are by amateurs looking for easy targets and/or targets of opportunity. The sign will tip off the 1% who are targeting your house specifically (they will simply cut the phone lines), but it will steer the remaining 99% to the neighbor who has no sign posted. No alarm equals an easier target, so becoming a harder target than your neighbor is an attack deterrent.
The same principle applies in cyberspace. If your protections and controls are perceived to be more durable and more resilient than your competitors', it stands to reason that the bad guys will go after the weaker target's data rather than grind against the harder one. We can see this occurring strategically if we step back and observe which classes of business are being attacked: instead of focusing predominantly on financial institutions and payment processors, attackers have made concerted efforts against merchants, small businesses, contact centers, and other third-party "aggregation points" where the same data pools up behind weaker controls. Even within a given class of targets, there is value in informing your adversary -- in general but not opaque terms -- of the strength of your protections in order to discourage attack. (Note: Those of you with some military experience will recognize this approach from your unconventional warfare training; think about it for a bit and you'll see that the same principles apply when facing off against the hacker community :o) )
2. Be Best-In-Class At Incident Response. If you accept the premise that even the best-prepared defenses will eventually be breached -- and they will, believe me :) -- then the ability to identify, contain, and eradicate the intruder as early as possible becomes critical. Published breach statistics routinely put attacker "dwell time" -- the gap between initial compromise by a sophisticated attacker and its detection on the network -- at months, sometimes years. Investing in the technology and the people needed to shrink that window is a critical step in keeping an intrusion from becoming a headline breach.
It should also be noted that investing in personnel does not just mean headcount; more importantly, it means training and education that improve general security knowledge, understanding of the threat, and critical thinking skills. That training needs to reach beyond the security team to every member of the extended incident response team.
3. Add Threat Intelligence To The Mix. The importance of understanding one's adversary has (finally!) come to the forefront of the security discussion. Still, I wonder how many people understand the difference between threat information and threat intelligence. To be useful to the enterprise, true threat intelligence requires knowing what knowledge matters most to you (priority intelligence requirements); which sources are best for obtaining it (collection management); and what actions will be taken on the basis of what is learned (risk management planning). Without those three components, threat information becomes one more fire hose from which the security team must drink while trying not to drown.
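To make the information-versus-intelligence distinction concrete, here is a small added example of mine (it is not from the original post and reflects no particular product). It models the three components above as code: a set of priority intelligence requirements, a trust weighting per collection source, and an action mapping per indicator type. The PIRs, source weights, actions and the sample feed records are all constructed for illustration; a real program derives them from the business and its technology footprint.

```python
"""Triage a raw indicator feed against priority intelligence requirements.

Added example, not from the original post. Every requirement, source weight,
action and feed record below is constructed/hypothetical.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Priority intelligence requirements (PIRs): what this (hypothetical) enterprise
# actually needs to know, expressed as attributes a report can match.
PIRS = {
    "sectors": {"retail", "payments"},          # who we are and who our partners are
    "platforms": {"windows", "pos", "linux"},  # what we run
    "data_of_interest": {"cardholder", "pii"},  # what we hold that is worth stealing
}

# Collection management: how much we trust each source (assumed weights).
SOURCE_WEIGHT = {"isac": 3, "vendor-feed": 2, "paste-site": 1}

# Risk management planning: what we will do with a relevant report (hypothetical).
ACTIONS = {
    "ip": "block at perimeter and hunt in proxy/firewall logs",
    "domain": "sinkhole in DNS and hunt in resolver logs",
    "hash": "push to EDR blocklist and sweep endpoints",
    "ttp": "open detection-engineering ticket and update playbook",
}


@dataclass(frozen=True)
class Report:
    """One record from the feed: raw threat information, not yet intelligence."""
    source: str
    kind: str                  # ip, domain, hash or ttp
    value: str
    sectors: FrozenSet[str]    # sectors the report claims to concern
    platforms: FrozenSet[str]  # platforms the report claims to concern
    data: FrozenSet[str]       # data types the report claims are targeted


@dataclass
class Tasking:
    """A report that answered a PIR, ranked and paired with a planned action."""
    report: Report
    score: int
    action: str


def score(report: Report, pirs=PIRS, weights=SOURCE_WEIGHT) -> int:
    """Count how many PIR attributes the report matches, weighted by source trust.

    Returns 0 when the report answers none of our requirements.
    """
    hits = (len(report.sectors & pirs["sectors"])
            + len(report.platforms & pirs["platforms"])
            + len(report.data & pirs["data_of_interest"]))
    if hits == 0:
        return 0
    return hits * weights.get(report.source, 1)


def triage(reports: List[Report], pirs=PIRS, weights=SOURCE_WEIGHT,
           actions=ACTIONS) -> List[Tasking]:
    """Filter the fire hose: keep only PIR-relevant reports, rank them, attach an action."""
    taskings = []
    for r in reports:
        s = score(r, pirs, weights)
        if s == 0:
            continue  # information that does not answer a requirement we hold: drop it
        taskings.append(Tasking(r, s, actions.get(r.kind, "analyst review")))
    taskings.sort(key=lambda t: t.score, reverse=True)
    return taskings


# Constructed sample feed. The IP is from the documentation range (TEST-NET-3),
# the domain uses the reserved .invalid TLD, and the hash is a placeholder.
FEED = [
    Report("isac", "ttp", "RAM-scraping malware observed on POS terminals",
           frozenset({"retail"}), frozenset({"pos", "windows"}), frozenset({"cardholder"})),
    Report("paste-site", "ip", "203.0.113.7",
           frozenset({"retail"}), frozenset({"windows"}), frozenset()),
    Report("vendor-feed", "hash", "<placeholder-hash>",
           frozenset({"healthcare"}), frozenset({"macos"}), frozenset({"phi"})),
    Report("vendor-feed", "domain", "updates.example.invalid",
           frozenset(), frozenset({"linux"}), frozenset({"pii"})),
]

if __name__ == "__main__":
    for t in triage(FEED):
        print(f"[{t.score:>2}] {t.report.kind:<6} {t.report.value:<45} -> {t.action}")
```

Run as written, the healthcare/macOS report is discarded outright (it answers no PIR), and the remaining three come out ranked with the ISAC report on POS malware at the top. The point is not the scoring arithmetic, which any team will tune differently, but that relevance, source trust and the planned response are decided before the feed is consumed; without those decisions the same four records are just more noise.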
* * * * *
While these answers may offer little comfort to organizations looking for quick fixes, they are the basic building blocks of a risk-based security program. Consider using these concepts when discussing security needs with your business leaders.
My two cents...