How much should independent security advice affect your security strategy and capital spending?

30 April 2016

Last week Richard Bass asked the question ‘How much do independent test results affect your security purchases?’ on IT Central Station. In my opinion, independent test results are a good starting point, but I would not rely entirely on them.

In this context, the question about independent security advice should be addressed as well. How much should independent security advice affect your security strategy and capital spending?

This week the Verizon 2016 Data Breach Investigations Report 2016 was published. Figure 8 on page 10 shows the evolution of two important indicators, the Time-to-Compromise (T2C) and the Time-to-Discover (T2D).

Figure 8: Verizon 2016 Data Breach Investigations Report

Figure 8: Verizon 2016 Data Breach Investigations Report. Picture Credits: Verizon 2016 Data Breach Investigations Report

In 2005 the percentage of attacks that took days or less (T2C days or less) for successful initial exploitation was at about 75%. Over the time the cyber criminals refined their methods. In 2015 about 98% of all attacks came to success within days or less.

In contrast the percentage of attacks that were detected within days or less (T2D days or less) goes up from about 15% in 2005 to about 25% in 2015 (blue regression line). This is a real fiasco, in particular if you consider that organizations massively invested in SIEM solutions over the past 10 years.

In January Gartner Group published the advice ‘Shift Cybersecurity Investment to Detection and Response‘. Is this advice meant seriously? With Figure 8 in mind? My answer is: I don’t think so.

We need a good mixture of prevention and detection/response to recover lost ground in the defense of cyber-attacks. Goal of prevention and detection is to increase the Time-to-Compromise (T2C up) and to dramatically decrease the Time-to-Detect (T2D down).

A cyber-attack usually happens in six phases:

Six Phases of a Cyber Attack

Six Phases of a Cyber Attack

A break-down of the overall goals ‘T2C up’ and ‘T2D down’ to the individual phases leads to the following questions:

Does the strategy or solution

  1. Increase the Time to Compromise?
  2. Diminish the attacker’s ability to become persistent?
  3. Diminish the attacker’s ability to install tools or use existing tools?
  4. Diminish the attacker’s ability to move laterally in the network?
  5. Reduce the Time to Detect?

Back to the initial question. How much should independent security advice affect our security strategy and capital spending?

Independent security advice is a good starting point, but we should ask some key questions to evaluate whether a strategy or solution really makes a difference.

Have a good weekend.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s