Why Do Outsiders Detect Breaches?
So I haven’t had a chance to really digest the new DBIR (Verizon’s Data Breach Investigations Report) yet, but one bit jumped out at me: “86% were discovered by a third party.” I’d like to offer up an explanatory story of why that might be, and muse a little on what it might mean for how we deploy intrusion detection technologies and processes.
One common element of third-party connections is that they tend to be constrained in various ways, including firewalls, structured database queries, and suspicious administrators looking to point fingers. They also sit on trust boundaries, which may make them better places to deploy and tune an IDS: a narrow, well-defined interface gives you a small baseline of expected traffic, so anything outside it stands out.
And it seems to work, if we read that 86% as breaches found at these relatively constrained boundaries. So what’s the takeaway? Have more partners? Outsourcing is good for security? (I’m not sure if I’m being facetious here.)
It’s hard to deploy IDS effectively within a company (as the 14% of breaches detected internally suggests). A big part of that is that in-company data flows get very complex very quickly, so there is no small baseline to tune against and every legitimate new query or connection looks like a deviation. So what to do?
We could throw up our hands and give up, or we could look to see if similar conditions might exist internally at many large organizations. And I think they do. One property of big, complex systems is that they’re hard to manage. Because they’re hard to manage, groups inside a company form service level agreements with other groups to ensure that they have mutual commitments. An SLA is a trust boundary of sorts: it spells out what one group expects from another, which is exactly the constrained, expected-traffic profile an IDS can be tuned against. So perhaps a good rule of thumb would be to deploy IDS near SLAs. (There’s a tie here to Gunnar Peterson’s rule to start from the overall IT budget.)
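To make the contrast concrete, here is a small baseline-and-deviation detector run over two feeds: a partner database connection with only a couple of query shapes, and an internal flow with many. This is an added example written for this post, not code from the DBIR or anything I run; the log format and every log line in it are constructed, and the “partner-gw”, “app-NN” and “bi-etl” source names are made up for the illustration.

```python
"""Baseline-and-deviation detection on a constrained partner link vs. a complex internal flow.

Every log line below is constructed for this example. The log format assumed is
"<timestamp> <source> <sql statement>", one statement per line.
"""
import re
from collections import Counter

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def normalize(sql: str) -> str:
    """Reduce a SQL statement to a template by replacing literals with '?'.

    'SELECT status FROM orders WHERE order_id = 1001' and '... = 1002' become the
    same template, so the baseline counts query shapes, not individual values.
    """
    sql = sql.strip().rstrip(";")
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)      # string literals
    sql = re.sub(r"\b\d+(?:\.\d+)?\b", "?", sql)   # numeric literals
    sql = re.sub(r"\s+", " ", sql)                 # collapse whitespace
    return sql.upper()


def parse(line: str):
    """Split a log line into (timestamp, source, normalized template), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, source, sql = m.groups()
    return ts, source, normalize(sql)


def build_baseline(lines):
    """Learn the set of query templates seen during a tuning window."""
    baseline = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            baseline[rec[2]] += 1
    return baseline


def detect(lines, baseline):
    """Return (alert_lines, alert_rate): any template absent from the baseline alerts."""
    alerts, total = [], 0
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        total += 1
        if rec[2] not in baseline:
            alerts.append(line)
    return alerts, (len(alerts) / total if total else 0.0)


# Constructed partner feed: the contract allows two query shapes, nothing else.
PARTNER_TUNING = [
    "2011-04-19T09:00:01 partner-gw SELECT status FROM orders WHERE order_id = 1001",
    "2011-04-19T09:00:07 partner-gw SELECT status FROM orders WHERE order_id = 1002",
    "2011-04-19T09:01:12 partner-gw UPDATE shipments SET tracking = 'ZX12' WHERE order_id = 1001",
    "2011-04-19T09:02:40 partner-gw SELECT status FROM orders WHERE order_id = 1003",
    "2011-04-19T09:03:05 partner-gw UPDATE shipments SET tracking = 'ZX13' WHERE order_id = 1002",
]
PARTNER_LIVE = [
    "2011-04-20T09:00:02 partner-gw SELECT status FROM orders WHERE order_id = 1101",
    "2011-04-20T09:00:09 partner-gw UPDATE shipments SET tracking = 'ZX40' WHERE order_id = 1101",
    "2011-04-20T09:00:30 partner-gw SELECT status FROM orders WHERE order_id = 1102",
    "2011-04-20T09:00:45 partner-gw SELECT name, card_number FROM customers",  # never part of the contract
    "2011-04-20T09:01:10 partner-gw SELECT status FROM orders WHERE order_id = 1103",
]

# Constructed internal feed: many applications, many legitimate query shapes.
INTERNAL_TUNING = [
    "2011-04-19T09:00:03 app-01 SELECT * FROM orders WHERE created > '2011-04-18'",
    "2011-04-19T09:00:21 app-07 SELECT count(*) FROM shipments GROUP BY carrier",
    "2011-04-19T09:01:02 bi-etl INSERT INTO daily_sales SELECT region, sum(total) FROM orders GROUP BY region",
    "2011-04-19T09:01:44 app-03 UPDATE customers SET email = 'a@example.com' WHERE customer_id = 7",
    "2011-04-19T09:02:15 app-12 DELETE FROM sessions WHERE expires < 1303200000",
]
INTERNAL_LIVE = [
    "2011-04-20T09:00:04 app-02 SELECT id, total FROM orders WHERE customer_id = 99",       # legitimate, new
    "2011-04-20T09:00:18 bi-etl SELECT carrier, avg(days) FROM shipments GROUP BY carrier",  # legitimate, new
    "2011-04-20T09:00:41 app-07 SELECT count(*) FROM shipments GROUP BY carrier",            # in baseline
    "2011-04-20T09:00:59 app-09 SELECT name, card_number FROM customers",                    # the same dump
    "2011-04-20T09:01:33 app-05 UPDATE orders SET status = 'cancelled' WHERE order_id = 4410",  # legitimate, new
]


def summarize():
    """Alert rates for both feeds; the same detector, very different signal-to-noise."""
    p_alerts, p_rate = detect(PARTNER_LIVE, build_baseline(PARTNER_TUNING))
    i_alerts, i_rate = detect(INTERNAL_LIVE, build_baseline(INTERNAL_TUNING))
    return {"partner": (len(p_alerts), p_rate), "internal": (len(i_alerts), i_rate)}


if __name__ == "__main__":
    for feed, (n, rate) in summarize().items():
        print(f"{feed}: {n} alerts, alert rate {rate:.0%}")
```

On the partner link the single alert is the customer dump, because the contract left nothing else to alert on. On the internal feed the same dump is buried among three legitimate-but-novel queries, which is the tuning problem the post describes: the detector is identical, the difference is how constrained the boundary is.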
One of the points that Andrew and I made in the book is that data isn’t enough. We all benefit from different perspectives and interpretations of that data. What do you think? What should we learn from the fact that almost all breaches are currently detected by third parties?