Shostack + Friends Blog Archive


Why Do Outsiders Detect Breaches?

So I haven’t had a chance to really digest the new DBIR yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why that might be, and muse a little on what it might mean for the deployment of intrusion detection technologies and process.

One common element of third party connections is that they tend to be constrained in various ways including firewalls, structured database queries, and suspicious administrators looking to point fingers. They also, being on trust boundaries, may be better places to deploy and tune an IDS.

And it seems to work, given that 86% of breaches are found in these relatively constrained environments. So what’s the takeaway? Have more partners? Outsourcing is good for security? (I’m not sure if I’m being facetious here.)

It’s hard to deploy IDS within a company (as shown by the 14% of breaches detected internally). A big part of that is that in-company data flows get very complex very quickly. So what to do?

We could throw up our hands and give up, or we could look to see if similar conditions might exist internally at many large organizations. And I think they do. One property of big, complex systems is that they’re hard to manage. Because they’re hard to manage, groups inside a company form service level agreements with other groups to ensure that they have mutual commitments. So perhaps a good rule of thumb would be to deploy IDS near SLAs. (There’s a tie here to Gunnar Peterson’s rule to start from the overall IT budget.)

One of the points that Andrew and I made in the book is that data isn’t enough. We all benefit from different perspectives and interpretations of that data. What do you think? What should we learn from the fact that almost all breaches are currently detected by third parties?

5 comments on "Why Do Outsiders Detect Breaches?"

  • gunnar says:

    “What should we learn from the fact that almost all breaches are currently detected by third parties?”

    I would qualify the above.

    “almost all REPORTED breaches are currently detected by third parties.”

    One thing we might ask is: are there a like number of breaches that were not detected by third parties and were also unreported?

  • haroonmeer says:

    When you say “86% were discovered by a third party.” and then offer “Outsourcing is good for security?” as a possible solution (even in jest), it seems to conflate 3rd parties (as in companies related to the company that was breached) and 3rd parties (as in the rest of the world who are not the company that was breached).

    If the 86% was comprised of the former, then more outsourcing might help, but if it was the latter, then it’s purely just that the “rest of the world” is a lot of possible people :>

  • Mark Kelly says:

    My take is that an organization should consider using “external” detection mechanisms to determine if they have been compromised. This could involve keeping a presence on hacking marketplaces (in a secure manner) and also using company affiliates to report issues that appear suspicious.

  • LonerVamp says:

    I have been remiss and have not read the report yet, but wanted to jump in. And I agree that the 86% figure *should* jump out; it’s scary, and always has been.

    But I would guess that most of those breaches detected by 3rd parties are not of the type where the 3rd party truly *detects* the breach so much as happened upon it. For instance, these two scenarios I bet happen often:

    1) Enough customers of card brand X report fraud, which is eventually traced back to a retailer that was breached and leaked out card data. Similarly, if my email address is being used for spam and I only used it at site A, well, site A better check their junk.

    2) Security researchers break into a known malicious box and discover 5GB of stolen data, belonging to various companies, whom they notify. Also included in this would be data pilfered off confiscated equipment due to arrests.

    Basically, my guess would be that it’s not that 3rd parties have better technology or analysts or detection mechanisms…they’re just closer to where the data is first used.

    I consider this to be a similar vein to when a sysadmin logs onto a server that is running strangely and happens to find some strange tools and connections running. By sheer chance a breach may be discovered. And that’s *not* to do with the actual security team or controls. That stuff is equally as scary, if you ask me.

    Maybe when I read the report, there is another figure that tells how many breaches were *detected by specific security controls* including how many records that affected. That might tell more of the real story.

  • @jonspeer says:

    I’ve been intrigued with this as well. As previous poster mentioned the data is dominated by CPP (fraud detection and correlation to a common point) as well as law enforcement notification (not clear what % is still credit card data). Would be fascinating to see what the data looked like without credit card data.
