Incident Response

We Can’t Give Up on Preventing Breaches

Preventing Data Breaches

Despite a resolutely bullish rise in security spending — Gartner estimates the total reached a staggering $75 billion for 2015 — we continued to see record-high numbers in terms of data breaches and personal records lost.

So what gives? Where is this money going and why isn’t it having a measurable impact?

Much of the answer can be found in organizations’ belief that data breaches are inevitable. They’ve shifted the lion’s share of their new spending into identification and cleanup, and are now neither demanding nor expecting that their investments will prevent security incidents in the first place. Particularly on vulnerable endpoints — user systems mostly — this leads to a problem of compounding complexity. More machines are suspect, more traffic is designated for analysis, and infected systems generate volumes of traffic which flood even the best monitoring and analytics. The problem gets worse as more types of attacks need to be watched for, as attack infrastructure becomes more dynamic, and as more user functions take place in SaaS or cloud-based systems, moving those operations from local to network events.

To cut the attack chain short we need to focus on where it starts — user endpoints.

In the mid-1990s, the most common attacks were against servers and infrastructure. That’s where the important data was, and in the absence of strong protections, it was the most logical and efficient place for attackers to go. They could get direct access to the information they wanted.

But that was 20 years ago. Security for servers and hosting centers is now much better understood, and the problem is manageable, with limited numbers of authorized users, systems, and predictable connections and transactions. Advances in security have created more secure datacenters and there are well-known best practices for locking down central shared resources against direct attacks.

As organizations moved more and more services to these datacenters, however, user access to information also became more distributed and richer. Naturally, attacks were then retargeted to user systems. They are much more numerous, less consistently protected, and their operators are often neither aware of security concerns nor particularly technical. What’s more, the applications that dominate the users’ days (mail programs and browsers) exist specifically to bring outside content onto that local machine, whether that content is malicious or not. As a result, these user systems present a perfect blend of human and machine weaknesses that makes the distribution of attacks automated, inexpensive, and uncomplicated.


The Snowball Effect: 4 Stages of Cyber Attack Response

While it is true that some number of systems will likely always be breached, it is also true that for every machine that resists a breach, there are many downstream savings. While it’s obvious that stopping a breach earlier saves money, the scope of these savings is pretty amazing.

1) The Best Case Scenario: Prevent Infection in the First Place

Most malicious software begins its life on a system as an invader of some other process’ space and resources. It infects a browser or a productivity program and uses those resources and privileges to make itself persistent and to get to work. If stopped here, as it is trying to take over a legitimate process, then there is very little impact aside from the attacked process having to restart.

2) Clean Up and Prevent the Spread

If the infection is successful, though, good malware will have the access it needs to corrupt the system and begin to steal credentials, lock down resources, or exfiltrate data. At this point, the user’s system is pretty much a loss, and will likely need to be reloaded from backups (if they exist). If detected here (likely through some host-based monitoring), the damage is limited to this one machine. The impact may be painful, but at least it’s contained and easier to analyze.

Unfortunately, most attacks are not identified at this point.

3) Investigate and Quarantine

According to the Ponemon Institute, the average time to detection is closer to 14 weeks, and the breach is usually spotted first by customers, partners, or law enforcement. Sometimes it will be seen by a good Managed Security Services provider or SIEM. During those weeks, though, the infection is spreading.

Shared resources are a common way that other machines are infected, as are the password and credential sniffers resident in most malware. All it really takes is a few days for the infection to spread to others connected to the infected user, and then spread further, onto machines that share a connection with the new victims. At this point, the damage escalates quickly. The cost of remediation also swells, as the investigation required to understand which machines are infected, what kind of data has been lost, and how much resetting of credentials and authorization needs to be done becomes increasingly complex and time-consuming.

4) Disclose, Notify, and Pay

Even this is not the end of the chain. Once an organization is effectively breached, the most damaging events occur. Private employee and customer data is stolen or encrypted, sensitive emails are accessed, and organizational reputation begins to suffer publicly. Regulatory pressure, fines, and audits are likely, as is the potential for liability claims from these later victims. The costs are almost unlimited, and they continue to grow as the courts begin to understand the potential for injury and attorneys recognize the opportunity for pursuing civil damages.

The old axiom continues to hold true: Prevention beats cure.

As this chain of impact shows, security investment needs to be rebalanced to more logically address both prevention and detection. We may not be able to stop every end-user system breach, but stopping them as close as possible to the point of infection is the clearest way to simplify our security, reduce our costs, and permit security teams to focus on the strategies and symptoms of the most sophisticated and targeted attacks.
