30 April 2016
Last week Richard Bass asked the question ‘How much do independent test results affect your security purchases?’ on IT Central Station. In my opinion, independent test results are a good starting point, but I would not rely entirely on them.
In this context, the question about independent security advice should be addressed as well. How much should independent security advice affect your security strategy and capital spending?
This week the Verizon 2016 Data Breach Investigations Report 2016 was published. Figure 8 on page 10 shows the evolution of two important indicators, the Time-to-Compromise (T2C) and the Time-to-Discover (T2D).
In 2005 the percentage of attacks that took days or less (T2C days or less) for successful initial exploitation was at about 75%. Over the time the cyber criminals refined their methods. In 2015 about 98% of all attacks came to success within days or less.
In contrast the percentage of attacks that were detected within days or less (T2D days or less) goes up from about 15% in 2005 to about 25% in 2015 (blue regression line). This is a real fiasco, in particular if you consider that organizations massively invested in SIEM solutions over the past 10 years.
In January Gartner Group published the advice ‘Shift Cybersecurity Investment to Detection and Response‘. Is this advice meant seriously? With Figure 8 in mind? My answer is: I don’t think so.
We need a good mixture of prevention and detection/response to recover lost ground in the defense of cyber-attacks. Goal of prevention and detection is to increase the Time-to-Compromise (T2C up) and to dramatically decrease the Time-to-Detect (T2D down).
A cyber-attack usually happens in six phases:
A break-down of the overall goals ‘T2C up’ and ‘T2D down’ to the individual phases leads to the following questions:
Does the strategy or solution
- Increase the Time to Compromise?
- Diminish the attacker’s ability to become persistent?
- Diminish the attacker’s ability to install tools or use existing tools?
- Diminish the attacker’s ability to move laterally in the network?
- Reduce the Time to Detect?
Back to the initial question. How much should independent security advice affect our security strategy and capital spending?
Independent security advice is a good starting point, but we should ask some key questions to evaluate whether a strategy or solution really makes a difference.
Have a good weekend.