We Have Prevention Bias

One can say that there are three stages of information security operations: Prevention,Detection, and Response. Of the three, it is usually prevention that gets the most attention. It recalls the old saying, “an ounce of prevention is worth a pound of cure.”

Prevention is stopping something from happening. Bias is partiality for a perspective based on beliefs or feelings rather than facts. Prevention bias is favoring the expenditure of time, effort, and money on preventative measures at the expense of Detection and Response.  Even though most will freely admit that we cannot prevent a breach – if a threat actor or group wants to break in and is persistent enough for a long enough period of time, they will likely succeed – companies in the U.S. show an inherent bias toward spending on prevention. Firewalls, IPS, Anti-Virus, DLP, NAC, DRM, Endpoint Agents -- in spite of a pervasive awareness that at some point the effectiveness of preventative spend declines, we have an inclination toward investing in yet more and more prevention. At first, the risk is reduced a great deal, but once that much infrastructure is in place, not so much.

An appropriate balance between Prevention, Detection, and Response is in order. Some examples of detection – consisting of monitoring and alerting --include log aggregation and the use of a SIEM; ensuring 24/7 coverage through automation, staffing, or the use of an MSSP; and tuning your policies over time so that only actionable events result in an alert. Examples of response activities include having a dedicated Incident Response Team or available MSS Red Team; having a documented playbook or collection of procedures to follow should a breach be identified; tracking metrics to gain insight into trends in your environment; and vulnerability and penetration testing, which can be conducted internally or using a third party to guarantee unbiased results.

Statistics from the Ponemon Institute’s 2016 report on breach costs shows that not only do we have a prevention bias, it also costs us money. The Mean Time To Identify (MTTI) breaches among U.S. companies in 2016 was 191 days. The Mean Time To Contain (MTTC) was an additional 58 days. This lag increases the total mean cost to $17M, a 36% increase over breaches discovered in less than 100 days, or contained in less than 30 days.

cyber-attack-breach-costs-2016

Dollar figures listed in millions

There are other breach cost metrics available in the Ponemon report, such as breakouts by industry vertical in which a per-record lost, or per-capita cost, is assigned.  In 2016 the mean was $221M per capita, with the Healthcare vertical far above that at $402M, Education close to the mean at $220M, and Hospitality far below that at $148M. Knowing the mean per-capita cost of $221M and with probability metrics that indicate U.S. companies have a 24% chance of suffering a breach loss of at least 10,000 records in the next two years, some other interesting figures come to light: there’s a 1 in 4 chance your company will have to cover at least $2.2M in breach costs in the next 24 months.

It is vitally important, then, that security programs are prepared should a breach occur.  Most security practitioners would agree that it is not a matter of if but when that may arise, with the hope that it has not already happened. Increasing capabilities in detection by using Managed Security Services to monitor and alert is a smart and effective way to resolve prevention bias: MSS starts up very quickly with little or no capital expense, establishes capable procedures immediately, is staffed with qualified personnel, and is likely to cost much less than it would if a company chose to build its own SOC.

In calculating the costs of building your own SOC, consider that in many or most markets, it will cost $120,000 annually per staff member for payroll and total benefits, with at least five staff members to monitor and alert 24/7/365. SOC planning, hardware costs, and deployment costs could easily exceed $200,000, which leads to an estimated minimum $800,000 cost for a small-medium sized company to build and staff their own SOC with capabilities of monitoring firewalls, IPS, and AV.  Adding more monitoring capabilities would increase the cost.  By comparison, using MSS is a much better ROI.

 Build versus Buy Security Operations Center