Escaping Data-Breach Groundhog Day

Countless companies globally are trapped in data breach Groundhog Day, unable to escape a repeating cycle of cyber attacks.

In the 2018 Thales Data Threat Report, produced by 451 Research, the key theme is that while spending on IT security is increasing, breaches are increasing at a faster pace and becoming more costly. As in past years, the 451 Research report indicates that companies' cyber budgets are being spent in areas that have been identified as least effective in securing data.

“Clearly, doing what we have been doing for decades is no longer working. The more relevant question on the minds of IT and business leaders, then, is more direct: ‘What will it take to stop the breaches?’”

Garrett Bekker, 451 Research.

Breaches are not only becoming increasingly costly as a result of primary loss; secondary risk is escalating as regulators begin to enforce tough new global cybersecurity regulations and penalties are levied for non-compliance and lax cybersecurity. In addition, shareholder and customer class-action lawsuits against corporations for negligence are becoming commonplace.

What’s causing Data Breach Groundhog Day?

If companies are spending more money in the wrong places and breaches are accelerating (up 40% year over year globally, according to 451 Research) as attacks become more frequent and sophisticated, what is the root cause of the problem and why is it so hard to break the cycle?

This is not a simple question and there are more than a few answers.

  1. Let’s start with what’s changed from the good old days of perimeter defense. The enterprise perimeter now extends to an employee’s personal phone and laptop, a contractor offshore on a dodgy PC, big data collected by the petabyte and stored in the cloud, and tens of millions of IoT devices sitting naked on the Internet, save for a default password. The enterprise perimeter has dissolved and we need to protect data and users everywhere.
  2. Companies are spending money in the wrong places because they cannot effectively assess the efficacy of cyber investments in reducing risk.

    “If we spend another $500K on next-generation firewalls, by how much will we reduce our Annualized Loss Exposure (ALE)? What if that same $500K were spent instead to implement multi-factor authentication everywhere; by how much could we reduce ALE?”

  3. Threats are escalating with the increasing sophistication of the threat community. When nation-state threat actors like APT29 are in the ninth decile of sophistication and the average victim company is in the second or third decile, there is cause for alarm and for urgent action by governments, business leaders and technology vendors to address this asymmetry.
  4. Cyber-criminals are finding ransomware to be more lucrative than the traditional sale of identities and credit card numbers on the dark web. SMBs in particular are feeling the pain. According to Ponemon's September 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report, whereas last year only two percent of respondents described the cyber attacks they experienced as ransomware, this year 52 percent of respondents say their companies experienced a ransomware attack, and 53 percent of these respondents say they had more than two ransomware incidents in the past 12 months.
  5. What about encryption of data at rest and in transit? It seems a simple enough notion, but perceptions of how difficult encryption is to implement are leaving data exposed, sitting naked in cloud storage buckets or behind easily bypassed firewalls and antivirus mechanisms.
  6. The human factor — people doing dumb things is the top cause of malware and ransomware infections, with phishing and social engineering increasing in sophistication. Weak passwords and poor cyber hygiene undermine the best intentions of security professionals. Only by enforcing strong authentication, automating large parts of the identity and access management function and creating a pervasive culture of cyber hygiene will this problem be resolved.
  7. Let’s not ignore the old favorites: weak passwords, unapplied patches, poor software change management, too much privilege and too much access.

Towards a Zero Trust Security Model and a New Day

Following the highly-publicized breach of the U.S. Office of Personnel Management (OPM), which exposed the personal data of millions of Americans, the U.S. House of Representatives’ Committee on Oversight and Government Reform issued a report recommending that federal information security efforts move toward a Zero Trust Security model.

The Zero Trust model centers on the concept that users inside a network are no more trustworthy than users outside the network.

“CIOs must move toward a Zero Trust approach to security that is data- and identity-centric — and in our view is the only approach to security that works.”

Chase Cunningham, Forrester, “Develop Your Zero Trust Workforce Security Strategy,” 5 Dec. 2017, pp. 7-8.

Google’s BeyondCorp model entirely removes trust from the network, securely identifies the device and the user, and applies dynamic access controls, least privilege and context aware policies. While they have no complete solution for customers, they have provided what many security analysts feel is the most compelling reference architecture to date.

The Google BeyondCorp approach mirrors the Centrify Zero Trust Security approach. It has always been our goal to provide organizations with the best-of-breed technologies they need to secure their organizations — not through a porous and indefensible perimeter, but through a unified, identity-focused platform that serves all users and their access to all resources, including both apps and infrastructure.

Instead of the old adage “trust but verify,” the new paradigm is “never trust, always verify.”

Effective Zero Trust Security requires a unified identity platform consisting of four key elements within a single security model. Combined, these elements help to ensure secure access to resources while significantly reducing the possibility of access by bad actors.

To implement Zero Trust Security, organizations must:

  1. Verify the user
  2. Verify their device
  3. Limit access & privilege
  4. Learn & adapt

This approach must be implemented across the entire organization. Whether you’re giving users access to apps or administrators access to servers, it all comes down to a person, an endpoint and a protected resource. Users include your employees, but also contractors and business partners that have access to your systems.
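The four elements above, expressed as a single policy decision that every request for an app or a server passes through. This is an added example with constructed users, devices and entitlements, not Centrify's or Google's code; the risk signals and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    mfa_verified: bool          # identity proven with a second factor this session
    usual_countries: FrozenSet[str]

@dataclass(frozen=True)
class Device:
    managed: bool               # enrolled in the organization's device inventory
    disk_encrypted: bool
    patch_age_days: int

@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    country: str                # where the request originates

# Least privilege: the only roles entitled to each resource (constructed example).
ENTITLEMENTS = {"hr-app": frozenset({"hr"}), "prod-db-server": frozenset({"dba"})}
PRIVILEGED = frozenset({"prod-db-server"})   # admin access always needs a fresh step-up

def risk_score(req: Request) -> int:
    """Learn & adapt: contextual signals raise the score of an otherwise valid request."""
    score = 0
    if req.country not in req.user.usual_countries:
        score += 2                           # this user has never come from here
    if req.device.patch_age_days > 30:
        score += 1                           # endpoint is behind on patches
    return score

def decide(req: Request) -> Tuple[str, str]:
    """Returns (decision, reason): 'allow', 'step-up' (re-authenticate first) or 'deny'."""
    if not req.user.mfa_verified:                                   # 1. Verify the user
        return "deny", "user not verified with MFA"
    if not (req.device.managed and req.device.disk_encrypted):      # 2. Verify the device
        return "deny", "device not trusted"
    if not req.user.roles & ENTITLEMENTS.get(req.resource, frozenset()):  # 3. Limit privilege
        return "deny", "no entitlement for resource"
    score = risk_score(req)                                         # 4. Learn & adapt
    if score >= 3:
        return "deny", "risk too high for this context"
    if score >= 1 or req.resource in PRIVILEGED:
        return "step-up", "re-authenticate before access is granted"
    return "allow", "user, device, entitlement and context all verified"
```

The order matters: a request is never evaluated for entitlement or context until both the person and the endpoint have been verified, which is what "never trust, always verify" means in practice.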

Measuring and Managing Information Risk to Maximize Cybersecurity Efficacy

Chip Block, VP at Evolver Inc., in his excellent whitepaper “Successful Matchmaking of NIST 800-63-3 Digital Identity Guidelines and Monetary Risk using the FAIR Standard,” examines the efficacy of several different approaches to implementing the NIST 800-63-3 guidelines for multi-factor authentication.

FAIR (Factor Analysis of Information Risk) is the open standard being adopted across commercial and government organizations to determine cyber risk in monetary terms.

The example in the white paper examines a typical approach to achieving two-factor authentication and the associated costs for initial purchase and annual maintenance. The problem with this example is that IT can only guess what level of risk reduction the $3M initial investment and recurring $2M will bring.

The FAIR analysis identifies the primary areas of risk associated with key data assets. From this analysis, the systems needing the most protection are identified in monetary terms, indicating where tight authentication is required. Using NIST 800-63-3 as a guideline, decisions can be made as to the type of authentication required to protect different classes of assets.

In the first example, where executives were briefed, there was no guarantee of results in risk reduction. Using the FAIR analysis and protecting only users with access to the high-risk assets with hardware authentication, and users with access to the rest of the data without hardware authentication, resulted in a total cost of $800K, with an ongoing cost of $110,000. More importantly, the CIO could present to the board an estimate of the ALE of $50M in return for the initial and ongoing investment.

FAIR promises to help organizations make logical decisions based on monetary quantification. Spending tight security dollars in the right places to reduce risk can bring a new day for security professionals.
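The firewall-versus-MFA question posed earlier and the FAIR analysis in this section, carried through in code as an added example. It is not from the white paper: the loss scenario, the effect each control has on loss event frequency, and the $500K annual cost are constructed assumptions, used only to show how FAIR turns two competing spends into a comparison of ALE removed per dollar.

```python
import random
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Scenario:
    """A FAIR loss scenario: Loss Event Frequency (events per year) and Loss Magnitude
    (dollars per event), each as (min, most likely, max) of a triangular distribution."""
    lef: Tuple[float, float, float]
    lm: Tuple[float, float, float]

def expected_ale(s: Scenario) -> float:
    """Closed-form ALE = E[LEF] * E[LM]; the mean of a triangular is (a+b+c)/3."""
    return (sum(s.lef) / 3) * (sum(s.lm) / 3)

def simulated_ale(s: Scenario, runs: int = 20000, seed: int = 1) -> float:
    """Monte Carlo ALE, the way FAIR tooling usually reports it."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        lo, mode, hi = s.lef
        lef = rng.triangular(lo, hi, mode)   # random.triangular takes (low, high, mode)
        lo, mode, hi = s.lm
        total += lef * rng.triangular(lo, hi, mode)
    return total / runs

def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on security investment: (ALE reduction - cost) / cost."""
    return (ale_before - ale_after - annual_cost) / annual_cost

def compare(baseline: Scenario, controls: Dict[str, Tuple[Scenario, float]]) -> Dict[str, Dict[str, float]]:
    """Per control (scenario after the control, annual cost): ALE left, ALE removed, ROSI."""
    before = expected_ale(baseline)
    result = {}
    for name, (after, cost) in controls.items():
        ale_after = expected_ale(after)
        result[name] = {"ale_after": ale_after, "reduction": before - ale_after,
                        "rosi": rosi(before, ale_after, cost)}
    return result

# Constructed scenario: credential theft leading to a reportable data breach.
BASELINE = Scenario(lef=(0.5, 2.0, 6.0), lm=(500_000, 2_000_000, 8_000_000))
# Assumed control effects: a firewall trims frequency a little; MFA everywhere cuts it sharply.
CONTROLS = {
    "ngfw": (Scenario(lef=(0.4, 1.6, 5.0), lm=BASELINE.lm), 500_000),
    "mfa": (Scenario(lef=(0.1, 0.4, 1.2), lm=BASELINE.lm), 500_000),
}
```

With these assumed inputs the firewall removes about $1.75M of ALE for its $500K (ROSI 2.5x) while MFA removes about $7.9M (ROSI 14.9x), which is the kind of board-level comparison the section describes; change the assumptions and the ranking may change, which is the point of quantifying before spending.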

Learn more about Zero Trust Security here.