This blog was written by Barbara Kay.
In our Security Connected discussions, security leaders routinely ask “Where do I invest for results? How do I communicate the risk reduction impact of security investments to the Board?” Now there’s practical assistance on which controls count and why: guidance based on attack data and implementation best practices developed in a vendor-neutral process. How often can we say that?
The 2014 edition of the Verizon Data Breach Investigations Report (DBIR) introduces an attack pattern construct, with 9 patterns representing more than 90% of attacks over the last 10 years. That’s a decade chronicling the demise of single-vector (antivirus only and firewall only) defense strategies because of the advent of advanced, targeted, and multi-vector (or blended) threats and professional cybercriminals.
In addition to explaining the types and attributes of these dominant incident patterns, the report also maps the patterns to industries, as well as the Top 20 Critical Security Controls (CSCs) for Effective Cyber Defense developed over the last few years by the SANS Institute and others and now shepherded by the Council on Cybersecurity. Each attack pattern chapter of the report provides detailed CSC recommendations. However, the summary (Figure 69 below) is buried on page 49, where you might easily miss it. Let’s take a look at what this data illuminated.
Adopt a modern defense in depth.
What’s exciting to us about this new reporting approach is that you can see the trending and business relevance of specific attack patterns and recommendations for reinforcing controls to counter modern attacks. Defense in depth is no longer about multiple AV engines. It’s about countermeasures designed to work together and be managed together, to share intelligence continuously, to create a complete and accurate system for adaptive threat protection.
Fun fact: 71% of successful 2013 breaches came from less than 8% of the incidents. Not quite the pure 80/20 Pareto principle, but close. This statistic confirms what most of us expect: the most serious indicators of a breach lurk in a deafening volume of incident noise.
For those tired of hearing about the retail sector and point-of-sale (POS) intrusions, it’s refreshing to see here that two other attacks dominated in 2013: Web App Attacks and Cyber Espionage.
- Web app attacks made up 6% of incidents, and 35% of successful breaches.
- Cyber espionage represented just 1% of incidents, but 22% of breaches.
- POS intrusions were less than 1% of incidents and made up 14% of breaches.
McAfee contributed to the DBIR by providing some detailed cyber espionage attack information, taken from McAfee Labs’ 2013 threat report Operation Troy.
De-clutter your data set.
Taking a look at the controls they recommend, it’s clear that specific investments would cut down the bulk of the incident traffic:
- Miscellaneous errors: Deploy data loss prevention (DLP)
- Crimeware: Deploy three of the first five CSCs
- Insider misuse: Focus on privileges, identity management, audit, and DLP (again)
Block the biggest breach categories.
With less noise interfering with your incident response efforts, it should be easier to deal with breach-inducing attacks. The Top 20 Controls—sometimes the same ones—also help here.
- Web app attacks: Deploy standardized configurations, secure software development, and boundary defense.
- Cyber espionage: Deploy several of the Top 5 controls (those that helped with crimeware), plus skills development and network-based defenses.
- POS intrusions: Deploy anti-malware, access and administrative controls, and boundary defenses.
Put your money where your risk is.
For those unfamiliar with the Top 20 CSCs, in general the number matches the priority for deployment. The first 5 controls are considered the most fundamental, and then you add on until you cover your assets with the full Top 20. With the DBIR’s mapping of attack patterns to controls, you can now also prioritize based on the relevance of the controls to your specific industry and risks.
This approach shows how each control can help with multiple attack patterns and risks, increasing the leverage of each up-front or operational investment and helping to justify your security recommendations to the Board and other stakeholders.
The math makes sense. By implementing controls for the top three noise-generators and the top three successful breach patterns, you have reduced your exposed attack surface. At the aggregate level, these controls address 63% of the incidents, plus 71% of the breaches. The two remaining attack patterns, DoS and physical theft/loss, might need attention based on your business type and physical infrastructure.
Think architecture, not Band-Aid.
The controls matrix also clearly portrays the value of an architectural approach to security, rather than point controls for point problems. Take another look at Figure 69. If you consider that the DLP controls for “miscellaneous errors” require both server scanning and network monitoring processes, no incident or breach category would be countered by a single, standalone control process.
That multi-control necessity sets up the next discussion for CIOs and security leaders: integrating management and intelligence across controls for actionable visibility and operational efficiency. But that’s another Security Connected blog to come.