If we assume that data breaches are inevitable—and continuous—what’s the best way to forge ahead? According to Michael Harris, CMO at Guidance Software, the only thing to do is to just go with it.
“Embrace the breach,” he said in an interview during the Enfuse 2017 conference. “These are going to happen, and they’re going to happen more and more frequently. It will be a state of continuous compromise, and it can come from all corners. Maybe hackers, or maybe these come down to insider threats and human error. Regardless, companies have spent an inordinate amount of money on prevention but not enough in training employees how to deal with it once it happens.”
A lack of effective response is what makes any data loss and the resulting brand impact even more acute—but Harris says that a lack of incident response planning and very little information-sharing plagues companies’ efforts.
“The breaches you know about account for only about 1% of total incidents—we can’t talk about most of them,” he said. “The high-profile situations like WannaCry and the Office of Personnel Management breach are just the beginning. Imagine all the compromises that aren’t publicized and aren’t discussed—most businesses only want to discuss incidents internally because there’s a stigma attached to being breached and they don’t want to put their brands in jeopardy.”
That, he noted, is simply the wrong way of thinking about it. Companies shouldn’t be castigated for being breached in the first place, nor should CEOs be fired—especially given that most breaches start with one employee clicking on a phishing email.
“Now, if the threat lingers for 200, 300 days and ongoing, endemic exfiltration damages the company and its reputation, then that’s when people should be held accountable,” Harris said. “If you’re oblivious and have a lack of adequate response, that’s where the problem comes in.”
Instead, he counsels companies to throw away the fear.
“Eliminate the stigma of breach. It’s time to deal with breaches openly and honestly—and make sure you have tools, training and know-how to respond when they happen,” Harris said. “If you spend all of your time investing in achieving 100% prevention you’ll fail. Prevention is important—but cyber-response is essential.”
Having a more open dialogue about breaches will open the doors to information-sharing as well.
“If you keep these things secret none of the rest of us can learn from what happened,” he said. “We need intelligence sharing, and I hope there’s a more open dialog about, say, what company A was able to do to prevent damage.”
Achieving a state of agile and effective response isn’t easy, of course. Most enterprises suffer under the weight of siloed legacy systems that don’t talk to each other, ever-increasing complexity, and a serious workforce shortage. By 2022, the workforce gap in the US alone is expected to stretch to 1.8 million open positions.
“These companies need tools that are usable by the less skilled analysts, the tier 1 personnel,” Harris said, noting that Guidance recently revamped its user experience to be more usable for less skilled workers. “Our products have always been aimed at the heavily skilled, tier 3 analyst that specializes in deep forensics. We will continue to do that, but our customers have been demanding to make forensics more consumable because there’s a lack of that kind of talent out there.”
In other words, tier 1 analysts could take alert-response work off the security operations center (SOC). Using simpler tools, they can perform first-line triage on an event to determine whether it is a false positive or a verified concern, and then hand it off to wherever it needs to go for deeper analysis.
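To make the tier 1 hand-off concrete, here is an added example of the kind of triage logic described above. It is illustrative code, not Guidance Software's product or any tool named in the interview. The alert format, the false-positive allowlist, the 30-day dwell-time threshold and all sample alerts are constructed assumptions; the dwell-time check goes slightly beyond the paragraph by picking up Harris's point about threats that linger for hundreds of days and routing those straight to tier 3 forensics.

```python
"""Tier 1 alert triage with hand-off to tier 3 forensics.

Added example, not code from the article or from Guidance Software.
Assumed alert shape (constructed): a dict with 'id', 'rule', 'host',
'first_seen', 'last_seen' (ISO-8601, no timezone) and 'indicator'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts; hosts, domains and timestamps are invented.
SAMPLE_ALERTS = [
    {"id": "A-1", "rule": "outbound_to_rare_domain", "host": "ws-017",
     "first_seen": "2017-05-01T09:00:00", "last_seen": "2017-05-01T09:05:00",
     "indicator": "updates.example-cdn.test"},
    {"id": "A-2", "rule": "outbound_to_rare_domain", "host": "ws-042",
     "first_seen": "2016-10-10T08:00:00", "last_seen": "2017-05-20T22:10:00",
     "indicator": "c2.example.invalid"},
    {"id": "A-3", "rule": "suspicious_powershell", "host": "srv-db01",
     "first_seen": "2017-05-20T21:00:00", "last_seen": "2017-05-20T21:01:00",
     "indicator": "EncodedCommand"},
]

# Constructed allowlist: (rule, indicator) pairs tier 1 previously verified as benign.
KNOWN_FALSE_POSITIVES = {
    ("outbound_to_rare_domain", "updates.example-cdn.test"),
}

# Rules whose hits always go to deep forensics, regardless of dwell time (assumption).
ALWAYS_ESCALATE = {"suspicious_powershell"}

# Dwell time beyond which an alert is treated as a lingering compromise (assumption).
DWELL_ESCALATION = timedelta(days=30)

_FMT = "%Y-%m-%dT%H:%M:%S"


def dwell_time(alert):
    """How long the activity behind an alert has been observed on the host."""
    first = datetime.strptime(alert["first_seen"], _FMT)
    last = datetime.strptime(alert["last_seen"], _FMT)
    return last - first


def triage(alert):
    """Return (disposition, reason, tier) for one alert.

    disposition is 'closed' (false positive), 'investigate' (stays with tier 1)
    or 'escalate' (hand-off to tier 3 forensics).
    """
    if (alert["rule"], alert["indicator"]) in KNOWN_FALSE_POSITIVES:
        return ("closed", "matches verified false positive", 1)
    if alert["rule"] in ALWAYS_ESCALATE:
        return ("escalate", "rule requires deep forensics", 3)
    dwell = dwell_time(alert)
    if dwell >= DWELL_ESCALATION:
        return ("escalate", f"dwell time {dwell.days} days exceeds threshold", 3)
    return ("investigate", "tier 1 follow-up", 1)


def route(alerts):
    """Group alerts into queues keyed by disposition, keeping the hand-off note."""
    queues = defaultdict(list)
    for alert in alerts:
        disposition, reason, tier = triage(alert)
        queues[disposition].append(
            {"id": alert["id"], "host": alert["host"], "tier": tier, "reason": reason}
        )
    return dict(queues)


if __name__ == "__main__":
    for disposition, items in route(SAMPLE_ALERTS).items():
        print(disposition)
        for item in items:
            print(f"  {item['id']} on {item['host']} -> tier {item['tier']}: {item['reason']}")
```

The point of the structure is that the tier 1 decision is cheap and explainable: every outcome carries a reason string, so the tier 3 analyst receiving an escalation knows why it arrived, and a closed alert leaves an audit trail of which allowlist entry absorbed it.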
“The lack of skilled personnel is a pervasive issue and it’s never going away,” Harris said. “Yet, cybercrime is never going away either, so every company needs this type of skill. It’s a real problem.”