Sony. Anthem. The Office of Personnel Management. Target. Yahoo. The past two years have seen one mega-breach after another—and 2017 promises to be the most catastrophic year yet.
Security experts have long warned that most organizations don’t even know they’ve been breached. Attackers rely on stealth to learn about the network, find valuable information and systems, and steal what they want. Only recently have organizations improved their detection efforts and started investing the time, capital, and people needed to uncover vulnerabilities. When they do, the results are often alarming.
“I think we are going to find more, not less, breaches in 2017,” says Ray Rothrock, CEO of RedSeal, a security analytics firm.
All the big breaches thus far have had one trait in common: The initial malware infections or network intrusions that gave attackers a point of entry into the network “all hark back to 2013,” Rothrock says. “A lot of bad stuff got unleashed into the world then, which found its way into corporate and government networks.”
stolen from law firm Mossack Fonseca last year if the files had not been leaked to journalists. The 2015 ABA Legal Technology Survey Report found that 23 percent of respondents at firms with more than 100 attorneys reported a security breach, but the names of the affected firms are not public. If plans for new airplanes from aerospace companies or research on new drugs are stolen, details of the breaches are known only to the affected organization, the consultants hired to assess and remediate, and possibly law enforcement—if they were called.
“We [RedSeal] have seen a lot of business as a result of exfiltration that [companies] don’t have to report. We get the call and we go in to address the problem. And I am sure we are not alone,” Rothrock says.
Online security and privacy nonprofit Online Trust Alliance looked at preliminary year-end data and estimated there were approximately 82,000 cybersecurity incidents impacting more than 225 organizations worldwide. “As the majority of incidents are never reported to executives, law enforcement or regulators, the actual number of incidents causing harm combining all vectors including DDoS attacks could exceed 250,000,” OTA said.
Tallying the costs
Data breaches are expensive—and there’s more to the bill than the immediate costs of notifying the victims and hiring consultants and forensics investigators to find and fix the problem.
Other costs include downtime, lost productivity, customer churn, and lost revenue. When organizations discover breaches years after the fact, as Yahoo recently did, they must also pay for what Rothrock calls “engineering services” as part of recovery and remediation costs.
If a breach took a long time to be found, then something about the existing infrastructure made it hard to discover the weakness sooner. That calls for rearchitecting the infrastructure, typically an expensive and time-consuming project. But that imperative is not always heeded. “Most people don’t try to figure out what they have and keep adding more stuff,” Rothrock says.
Restructuring our defenses
The growing complexity of networks—with cloud deployments, the advent of the internet of things, and the fluid movement of data across multiple devices—makes it more and more difficult for IT and security teams to navigate all the layers. For the attackers, though, nothing has changed. Malware will keep infecting these new systems and attackers will keep hunting for data to steal.
“It’s harder to find the needle in the haystack when the haystack keeps getting bigger,” Rothrock says.
At the same time, available security defenses are far better today than they were three years ago. Rothrock uses a metaphor from the construction industry: Consider how modern buildings are constructed, with sensors to detect heat, gas leaks, and changes in pressure. Walls are built with fireproof materials and there are protective measures in place to prevent fire. That’s the kind of reengineering IT needs to prevent attacks up and down the stack.
“Old skyscrapers are sitting ducks, as we learned when a few burned down. New skyscrapers almost never have fires,” Rothrock says. “We have to do that for IT.”