Preventive Security - Alive or Dead
There are some new buzzwords in the cyber security industry today. Terms such as "data-driven security" and "security analytics" are at the forefront and are what all of the "cool" kids are talking about, while the "old-timers" dig in and continue to believe that every security problem can be solved with customary prevention and detection methods. So who's right? The answer, at least to me, is that they both are. Both schools of thought are correct because implementing a data-driven defense strategy does not replace your existing preventive strategy. A data-driven cyber security framework only enhances and amplifies the cyber security strategy an organization already has; it cannot compensate for controls that were never put in place.
The 2016 Verizon Data Breach Investigations Report (VDBIR), which should be mandatory reading for all security professionals, uses a finalized data set of 64,199 security incidents (adjusted down from over 100,000), of which 2,260 (adjusted down from 3,141) were confirmed data breaches. These numbers may seem staggering at first, and one could hardly blame anyone for concluding that preventive security measures are failing us, but as we dive further into the VDBIR and other industry reports the real picture becomes clear. It is not that preventive measures are failing organizations. The problem is usually that organizations, for whatever reason (budget, skill-set shortfall, etc.), are the ones dropping the ball when it comes to implementing preventive safeguards.
Active Data Breach Landscape
Let's take a look at the data breach landscape over the last couple of years. In 2014-2015 we observe through public reporting that organizations were often extremely negligent when it came to implementing even the simplest mandatory prevention techniques. Take the US Office of Personnel Management (OPM) data breach, for example. That breach resulted in the loss of over 21 million records containing individuals' Personally Identifiable Information (PII). The report filed by the Office of the Inspector General concluded that "OPM did not maintain a comprehensive inventory of servers, databases and network devices". Without such an inventory, nothing downstream can be trusted: the auditors were unable to tell whether OPM even had a basic vulnerability scanning program in place, because there was no authoritative list of systems against which scan coverage could be measured. So, as we see with OPM, it is not that preventive security measures failed us. It was the improper (or, in OPM's case, absent) implementation of preventive security measures that failed us, and that unfortunately seems to be more the "norm" than the exception these days.
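The OPM finding above comes down to two basic checks: does the organization have an authoritative asset inventory, and does its vulnerability scanner actually cover everything on it? The following is an added example (not code from the original article or from OPM or Verizon) that reconciles a constructed inventory export against a constructed scanner host list and reports the three gaps a practitioner cares about: assets never scanned, assets whose last scan is older than a policy threshold, and hosts the scanner found that the inventory does not know about. The host names, addresses, dates and the 30-day threshold are all made up for illustration.

```python
"""Reconcile an asset inventory against vulnerability-scan results.

All inventory and scan data below is constructed for the example;
no real hosts or organizations are represented.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    """One row of a CMDB / asset-inventory export (constructed)."""
    ip: str
    hostname: str
    owner: str


@dataclass(frozen=True)
class ScanRecord:
    """One host as reported by the vulnerability scanner (constructed)."""
    ip: str
    last_scanned: date


# Constructed inventory export: what the organization believes it owns.
INVENTORY = [
    Asset("10.0.1.10", "db-hr-01", "hr-it"),
    Asset("10.0.1.11", "db-hr-02", "hr-it"),
    Asset("10.0.2.20", "web-portal-01", "web-team"),
    Asset("10.0.3.30", "jump-01", "infra"),
]

# Constructed scanner export: what the scanner has actually touched.
SCANS = [
    ScanRecord("10.0.1.10", date(2016, 5, 1)),
    ScanRecord("10.0.2.20", date(2016, 2, 1)),  # scanned, but long ago
    ScanRecord("10.0.3.30", date(2016, 5, 3)),
    ScanRecord("10.0.4.40", date(2016, 5, 2)),  # scanner knows it, inventory does not
]

# Fixed "today" so the example is reproducible (assumption for the demo).
EXAMPLE_TODAY = date(2016, 5, 10)


def coverage_gaps(inventory, scans, today, max_age_days=30):
    """Return the three coverage gaps between inventory and scanner data.

    never_scanned        - in inventory, never seen by the scanner
    stale                - in inventory, but last scan older than max_age_days
    unknown_to_inventory - seen by the scanner, missing from inventory
                           (the "no comprehensive inventory" finding)
    """
    inv_by_ip = {a.ip: a for a in inventory}
    scan_by_ip = {s.ip: s for s in scans}
    cutoff = today - timedelta(days=max_age_days)

    never_scanned = sorted(ip for ip in inv_by_ip if ip not in scan_by_ip)
    stale = sorted(
        ip for ip, rec in scan_by_ip.items()
        if ip in inv_by_ip and rec.last_scanned < cutoff
    )
    unknown = sorted(ip for ip in scan_by_ip if ip not in inv_by_ip)
    return {
        "never_scanned": never_scanned,
        "stale": stale,
        "unknown_to_inventory": unknown,
    }


def coverage_ratio(inventory, scans, today, max_age_days=30):
    """Fraction of inventoried assets with a current scan (0.0 if inventory empty)."""
    if not inventory:
        return 0.0
    gaps = coverage_gaps(inventory, scans, today, max_age_days)
    covered = len(inventory) - len(gaps["never_scanned"]) - len(gaps["stale"])
    return covered / len(inventory)


def owners_for(inventory, ips):
    """Map each gapped IP back to the owner who has to fix it."""
    by_ip = {a.ip: a for a in inventory}
    return {ip: by_ip[ip].owner for ip in ips if ip in by_ip}


if __name__ == "__main__":
    gaps = coverage_gaps(INVENTORY, SCANS, EXAMPLE_TODAY)
    for kind, ips in gaps.items():
        print(f"{kind}: {ips} owners={owners_for(INVENTORY, ips)}")
    print(f"current scan coverage: {coverage_ratio(INVENTORY, SCANS, EXAMPLE_TODAY):.0%}")
```

On the constructed data the report shows one host never scanned, one with a stale scan, one host the scanner knows about that the inventory does not, and 50% current coverage. The last category is the one an auditor would seize on: if the scanner keeps finding machines the inventory has never heard of, the inventory is not comprehensive, and no metric built on top of it (patch compliance, vulnerability counts, risk scores) can be trusted either.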
With the assistance of data analytics, we can clearly see that cyber security prevention is certainly not dead. What the data is telling us is that, across the industry, we need to be more competent and proficient at implementing both our preventive and our detective solutions and defenses. Only once the basics are in place, starting with knowing what you own and whether it is actually being scanned and patched, will organizations be poised to overlay a data-driven cyber security framework on top and reap the reward of becoming laser focused on the threats most likely to harm them.