"Threat awareness is paramount to delivering on the promise of data protection – here's why and where to start." - Will Gragido
Consumers of information security technology and services have been inundated with talk of the value of being cognizant of threats, vulnerabilities, and risks for more than two decades as they labor to ensure that their assets – tangible and intangible – are protected and secured in an increasingly threat-laden world.
And though consumers of information security technology and services have been flooded with messages delivered by their own employees and trusted third-party vendors (e.g. VARs, consultancies, technology and service providers, etc.), the struggle continues. The folks working within enterprise information security organizations and their trusted third parties alike know what needs to happen; they’ve heard the message for years and seen time and time again what can and will occur if security is not taken seriously and encouraged to become an integral element of how their respective organizations conduct business. Yet compromises and breaches still occur at an alarming rate, as seen in the 2017 Verizon DBIR.
According to the report, there were 42,068 incidents* observed across 21 industry verticals resulting in the 1,935 breaches that comprise their study. By way of comparison, in the 2016 DBIR, Verizon reported that there were 64,199 incidents observed across those same 21 industry verticals resulting in 2,260 breaches.
Some interesting points related to these breaches observed and captured within the 2017 effort include the following:
Additionally, it should be noted that in terms of tactics, more of the same was observed in the 2017 effort:
What's it mean?
What does this tell us? To begin with, it tells me that there is still a fundamental misunderstanding of the importance of ensuring that security is a non-negotiable aspect of conducting business, regardless of what that business is. Additionally, it tells me that the conversations about security being a business enabler, as opposed to a cost center, a burden, or a perceived inhibitor of business, are either not happening, happening but not producing the desired outcome, or not being given their due by the stakeholders responsible for the business and its constituents, shareholders, partners, and customers. Furthermore, it tells me that there are deficiencies, weaknesses, and/or flaws present in the defenses being employed by these organizations and, to a lesser extent, errors (see above) associated with their deployment, configuration, and management.
So, what can organizations and we, as members of the information security industry, do to help address these issues and change the dialogue regarding the importance of security? We can begin by reiterating why it matters to be cognizant of threats, of vulnerabilities and their related vectors of exploitation, and of the risks that the successful exploitation of those vulnerabilities introduces to organizations and individuals alike. This should not be difficult in 2017.
Beyond the conversation surrounding the importance of these concepts to an organization’s ability to conduct its business (whatever that may be), we need to discuss the realities facing these organizations as they pertain to data protection and advanced threats, namely those resulting in the loss of data due to the actions of malicious insiders and outsiders. We, as an industry, need to move toward a mindset anchored in the concept of being threat aware. Our discipline, our tradecraft, and our technology must be able to incorporate those elements of data protection and advanced threat protection capabilities necessary to prevent accidental misuse or intentional abuse that would result in theft, exfiltration, and loss of data, data which could and often does have a material impact on how organizations do business.
ACHIEVING THREAT AWARENESS
As Winston S. Churchill once said, “It is not enough that we do our best; sometimes we must do what is required.” Doing what is required isn’t always easy, pretty, or pleasant. Yet, it is the right thing to do in order to ensure that the organizations that entrust their security to their internal employees or the many trusted third parties with whom they work not only feel they are secure but believe they are secure by virtue of demonstrable artifacts. In order to achieve a state of threat awareness, take the following steps:
*(“incident” is defined as any security event that compromises the integrity, confidentiality, or availability of an information asset and “breach” is defined as an incident that results in the confirmed disclosure of data to an unauthorized party)