By missing the upside of recent data breaches, we lose the opportunity to improve

The natural focus on what went wrong with recent breaches prevents us from focusing on what went right. Exploring what worked is a pathway to improvement.

In the wake of the recent wave of data breaches, focus is largely placed on what went wrong. It's natural. That allows people to both demonstrate prowess and provide useful insight for future prevention (or, if appropriate, to assign blame).

The downside of focusing on the negative aspects is the missed opportunity to isolate and learn from what worked.

When the news of the Target data breach broke in the middle of December, the attack was reported to have started on or about Black Friday, just weeks earlier.

The 2013 Data Breach Investigations Report (DBIR) published by Verizon reported that two thirds of breaches took months or longer to detect. In 4% of the cases, it took years.

Yet a major breach was uncovered and acted on in a matter of weeks?

That's remarkable.

Overlooking the upside: (more) rapid detection

It wasn't just Target, either. The Neiman Marcus, Michaels, and other data breaches are coming to light much more quickly.

Is it fast enough?

Probably not. But it’s an improvement.

What lessons can we learn and apply more broadly?

Is all detection equal?

These recent breaches are the result of targeted (some even call them "sophisticated" and "complex") attacks on payment systems for popular (or large) retailers.

The nature of the payment system means external detection on the part of processors, banks, and other merchants is likely.

So what?

Before dismissing the method of detection, consider what worked. Use it to advance conversations and ways to think about how to improve detection overall.

In fact, in the same DBIR, it was reported that 69% of breaches were detected by an external party, while only 9% were spotted by the company itself.

That simply signals a need to reconsider the role of external detection.

The importance of external detection

Sure, having a customer call you and report a breach is both troubling and rife with potential errors (and liability).

Think broader than just customers.

Figure out who also benefits from the detection. In the case of retail and payment cards, the processors, banks, and other merchants have a vested interest in protecting the way they collect revenue.

External detection deserves a bit more focus and coordination. Is there a way to make it stronger, better?

Let's discuss and explore that.

Prevention or detection? Yes, please.

Prevention, detection, and awareness (environmental awareness, not the conflated "security awareness" concept security people can't seem to get right) are all connected.

Rather than debating which is more important, consider them a system with three basic parts:

  • Prevention: more than the steps taken to reduce risks, prevention informs where to look for problems based on a variety of factors
  • Internal detection: internal efforts to look for systems out of compliance, markers of compromise, and the evidence necessary to run more efficient operations
  • External detection: relying on the network of partners and others to signal if/when things are not functioning as expected

Environmental awareness helps direct all three activities.

Now that retailers are broadly aware of targeted attacks on POS systems, they can act to prevent future attacks, configure internal detection (more on this next week; meantime, here is a detailed technical report from Ron Gula at Tenable), and contribute to improved external detection.

While retail provides a good example and immediate opportunity, other sectors benefit, too. The energy/utility sector is making an effort to improve how information is shared; maybe retail holds some insights to benefit those efforts.

Keep in mind that the real opportunity is industry-wide.

First step: visualization is key

The first step is to bring visibility to the entire system/process under consideration. We need to have a clear picture of how information flows through the system. It doesn't need to be fancy or overly detailed, just accurate and effective.

With a visual - and shared - understanding, consider the essential areas that require either protection (prevention) or detection. Improve the effort by first identifying the evidence that shows something is working, and then asking what the signs look like when it goes wrong.

And then ask another question, “who is likely to notice the trend?” Figure out how to empower that link.

In the wake of breaches, it is important to look at what went right -- whether it was intended or not -- to guide future improvements in prevention, detection, response, or other areas.

Copyright © 2014 IDG Communications, Inc.