To quantify the extent of reported data breaches, let me point out a couple of figures from Risk Based Security's report (as of September 2014):
- 1,922 Incidents were reported
- 904 million records were reported as exposed
- 1,428 of Reported Incidents were attributed to "Hacking"
- 84.8% of Records Exposed were attributed to "Hacking"
- 56 of Reported Incidents were attributed to "Fraud/Social Engineering"
- 11.5% of Records Exposed were attributed to "Fraud/Social Engineering"
- 1,573 Incidents were attributed to "Outside" actors
- 99.90% of the Total Records Exposed were electronic records
- >50% of Incidents exposed Passwords, Usernames, and/or Email addresses
- 13.1% of Incidents exposed Social Security Numbers
- 8.2% of Incidents exposed Medical information
- >6% of Incidents exposed Credit Card Numbers or Account Numbers
Those statements aren't intended to send anyone into a fear-based spending spree, but rather to set realistic expectations about the current threat environment. The days when an organization could reasonable depend on firewalls and anti-virus software to defend their network security perimeter are long gone. But it's only in the aftermath of the Target breach of 2013 that the reality of this situation has begun to be understood in board rooms and living rooms.
So, at a time of increased threats to the IT security environment, why is it that a surprising number of organizations can neither see cyber-attacks in real-time or combat them? And why is it that many organizations don't have a Security Operations Center (SOC)?
I believe it's because we are just beginning to act on that new understanding. We are just beginning to add the second leg of the security stool: detection. Detection tools have been improving over the last decade, but the many organizations have not perceived the threat as costly enough to justify the expense of those improving tools. And without detection, the third-leg (response/recovery) is a solution without a problem to solve.
The first step in Prevention is what everyone, at this point, already has - an Intrusion Detection/Prevention System (IDS/IPS). But with the advent of Advanced Persistent Threats (APTs) have come what are called tier-two Breach Detection Systems (BDS). The IDS/IPS is the first tier. And, just as has always been good practice, we are applying multiple layers of detection at various segments of the network. The more valuable the data, the more sophisticated our tools need to be. It's also important to be more vigilant when there is greater risk, for instance when critical or sensitive applications or infrastructure are being upgraded; and when the organization is acquiring/being acquired. These are the moments when malicious actors will be looking most closely for potential vulnerabilities.
Ironically, the poster-child for big breaches (Target) does have a SOC (according to an article in Bloomberg BusinessWeek (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data)). And Target has a tier-two Breach Detection System (BDS) [a system from FireEye]. And the BDS alerted on the breach - on two separate occasions. And the alert was communicated to the SOC by their off-shore security analysts. But the SOC failed to take action.
That's the People part of People, Processes and Technologies (PPT). They all have to work in concert in order to keep an organization safe (or at least limit the damage) from malicious actors.