Data Breaches: Is Prevention Practical?

A SANS Survey

Written by Barbara Filkins
Advisor: John Pescatore

September 2016

Sponsored by Palo Alto Networks

©2016 SANS™ Institute

SANS Analyst Program

Executive Summary

Data breaches are on the rise. The number of breach notifications issued by the New York State Attorney General’s office, for example, has risen 40% during 2016 compared with the same period a year earlier.1

Data breaches are only the tip of the cyber iceberg, however. We trust in and depend on our digital environment, making us all more vulnerable than we might care to consider. In June 2016, New York Magazine painted a fictional scenario in which a group of European hackers effectively shut down New York City, reminding us that perhaps our entire modern way of life is at stake. The events described in the story—a “connected” car commandeered, access to online medical records blocked, a police dispatch center rendered inaccessible, drinking water tainted with an uncontrolled release of chlorine—were basically benign, but highly disruptive, especially when they cascaded. The article was developed based on various hacks that had been executed before and, taken together, present an “open-source blueprint available to anyone with an interest in remote-control terrorism (and the time and manpower it requires).”2

The NYC scenario also assumes that “the average data breach is only identified five months later,”3 a lag that can increase the cost of a breach astronomically. According to the 2016 Verizon Data Breach Investigations Report (DBIR),4 organizations struggle with an increased “detection deficit” (the gap between the time of compromise and the time of detection) that results in their failing to detect breaches before it’s too late. Sadly, the first indication of trouble may be a notification from a customer or other third parties.

Businesses must still focus their limited security resources on the important tasks of daily operations, incident response and remediation, but given current trends, prevention must take on new urgency. How can organizations detect more rapidly or even prevent incidents that could result in a breach? How can organizations build an effective security program around prevention?

1 http://blogs.wsj.com/cio/2016/05/05/data-breaches-rise-while-companies-struggle-to-detect-them/
2, 3 http://nymag.com/daily/intelligencer/2016/06/the-hack-that-could-take-down-nyc.html
4 www.verizonenterprise.com/verizon-insights-lab/dbir/2016/?utm_source=pr&utm_medium=pr&utm_campaign=dbir2016

SANS conducted this survey to explore how organizations are handling prevention. Breaking down possible preventive measures into four major categories or domains (business, architectural design and development, operational, and technology), the survey sought to answer three major questions:

1. What measures have respondents implemented that they believe will prevent breaches?
2. What measures not necessarily implemented do respondents consider preventive?
3. What barriers have stopped respondents from doing what they should be doing?

What was notable is that overall results show striking inconsistencies between what measures respondents consider preventive compared with what they have implemented as preventive, raising some key questions. (See sidebar.) The minority (i.e., less than 40%) of respondents have implemented business measures that the majority (i.e., more than 50%) consider preventive. Similarly, most respondents consider robust testing and development plans and procedures as preventive, but only half have implemented these architectural measures. Operational measures considered preventive trail those implemented, the exception being newer approaches such as cyber threat intelligence and data governance. Apparently, respondents’ experience with a measure leaves them somewhat disenchanted with that measure’s ability to prevent breaches. SANS can only speculate why, because this survey was not designed to uncover specific underlying causes. However, two possible factors come to mind.

First, given today’s rapidly evolving threat landscape, prevention requires measures beyond more traditional methods, such as signature-based detection, to prevent attacks or breaches. Although more than 80% of respondents have implemented technology that blocks known malware and vulnerability exploits, slightly less than 50% consider these technical measures effective.

Sidebar:

How do you manage what you cannot measure? Nearly 60% consider metrics-based evaluation and reporting preventive, but less than 40% have implemented it.

How can advanced technology help deal with the unknown unknowns? While 85% implement technical measures to block known malware as preventive, less than 40% consider these measures to actually be preventive.

How can you tell if you are secure? 63% consider robust testing as preventive, but only 39% have implemented it.

Should the emphasis be on compliance (posters in the lunchroom, for example) or prevention (active phishing testing) to reduce user errors? 67% implement user awareness and training as preventive, but only 56% consider it preventive.

Second, organizations must invest more fully in what they have, in terms of both staff and technology. Available staff and the inability to secure budgets and proper skill sets lead as barriers to implementing preventive measures, with another potentially critical factor also emerging: infrastructure limitations that cannot support the automation required or (possibly) already acquired.

Together, these factors point toward the improved use of automation, the force multiplier that can augment the security workforce faced with an increasing volume of attacks, continually putting defenders on the “losing side” in the cyber battle. Preventing, not just detecting and responding to, incidents and attacks before either causes harm allows an organization to focus valuable and limited resources on the small number of truly targeted attacks that require human intervention.

Implementing effective prevention practices requires understanding the executive decision-making processes that can affect the security posture of an organization. The top four barriers identified under the business domain (see sidebar) highlight the basic approach to overcoming these limitations. First, develop firm requirements to meet the needs from functional, technical and programmatic (cost, schedule and resources) perspectives. Next, with requirements in hand, prioritize and justify the preventive measures—procedures and tools—to achieve management buy-in and secure a working budget.

In general, all businesses prioritize methods to avoid problems and mistakes. They also maintain reactive response measures for the time when something does go wrong. However, organizations can learn about cyber prevention from industries such as aviation and medicine that must prioritize prevention to avoid safety issues and preclude bad outcomes. These industries invest in prevention from both a clear, long-range strategic vision and short-term operational strategies based on specific, consistent best practices ideally assisted by automation. Organizations need to embrace cyber prevention in the same way—before the hypothetical New York City scenario becomes a reality.

Sidebar: Top Four Business Barriers to Prevention
• Inability to secure budget
• No firm requirements as to what exactly is needed
• Lack of management buy-in
• Lack of justification
(Chart values: 25%, 30%, 22%, 21%)

The Challenge

While many organizations remain overwhelmed by responding to security incidents, some have been effective in preventing at least some potential breaches—and many would like to be more proactive.

In a December 2015 paper, SANS outlined the concept of a “breach cycle,” where a breach is defined as “any impermissible acquisition, access or disclosure of sensitive information.” Table 1 provides an initial segmentation of the activities associated with each era in the cycle. Previous SANS surveys have evaluated what happens during an attack or compromise5 and the impact after a breach.6 In this study, SANS explores what measures could be applied in the pre-breach era to prevent a breach from actually occurring.

SANS conducted a 23-question survey to answer three major questions:

1. What measures have respondents implemented that they believe will prevent breaches?
2. What measures not necessarily implemented do respondents consider preventive?
3. What barriers have stopped respondents from doing what they should be doing?

Sidebar: For this survey, preventive measures are defined as those related to “anticipating concerns that could lead to a breach.”

Table 1. Events in the Breach Cycle7

Pre-Breach Era (All Incidents)
Incident Handling Steps:
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned

Breach Era (Incident as Breach to Near-Term Remediation Complete)
Determination of Incident as a Breach:
• Root-cause determination
  - Forensics
• Near-term remediation
  - Data recovery

Post-Breach Era (Near-Term Remediation to ?)
Long-Term Recovery:
• Legal
• Additional controls
• Customer or client support
• Reputation or brand protection and recovery

5 “Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey,” www.sans.org/reading-room/whitepapers/incident/incident-response-capabilities-2016-2016-incident-response-survey-37047
6, 7 “Cleaning Up After a Breach,” www.sans.org/reading-room/whitepapers/analyst/cleaning-breach-post-breach-impact-cost-compendium-36517

Prevention involves all roles and titles in an organization, as evidenced by 319 practitioners involved in breach response activities and in quantifying losses from the breach of their organizations’ sensitive information.8 Security and IT staff were equally represented (46% for both) in the respondent population. Security management was represented by 20% of the respondents, including senior management roles such as CSO and CISOs. IT management accounted for 16% of the total respondents. See Table 2 for all respondent roles that completed the survey.

Table 2. Respondent Roles9

Category (Titles Included): %
IT Admin/Analyst (system and network operations, developer): 30.5%
Security Admin/Analyst: 26.4%
Security Management (managers, security architect): 15.3%
IT Management: 14.4%
Other (CEO/CFO/COO, business managers): 4.7%
Senior Security Management (CSO/CISO/VP of security): 4.4%
Compliance/Risk/Audit (VP audit and privacy officer): 3.1%
IT Senior Management (CIO/CTO/VP of technology): 1.3%

8 Survey results were augmented by five in-depth telephone interviews with practitioners across the United States in a variety of industries.
9 Percentages add up to more than 100% due to rounding.

Figure 1 shows the distribution of respondents in terms of their organization’s industry, size and net worth.

Banking and finance has the greatest representation at 15%, followed by education (12%), government and healthcare (each 10%) and technology (9%). The majority of organizations (78%) have workforces of 10,000 or fewer, and 22% have workforces larger than 10,000. As for net worth, 52% indicate revenues of $1 million to $999 million, with 27% worth more than $1 billion and the remaining 22% worth less than $1 million. Most respondent organizations were headquartered or had operations in the U.S. (77%), but respondent organizations with operations in Europe (30%) and Asia (26%) were also represented.

Figure 1. Respondents’ Industry, Workforce Size and Net Worth
(Chart; three panels, bar values not recoverable from the text.)
• “What is your organization’s primary industry?” Categories: Other, Government, Banking and finance, Manufacturing, Retail, Healthcare, Education, Cybersecurity, Nonprofit/Association, Technology. Axis 0% to 16%.
• “What is the size of the workforce at your organization, including employees, contractors and consultants?” Bins: Fewer than 100; 101–1,000; 1,001–2,000; 2,001–5,000; 5,001–10,000; 10,001–15,000; 15,001–50,000; 50,001–100,000; More than 100,000. Axis 0% to 30%.
• “What is your organization’s revenue or annual budget?” Bins: Less than $1K; $1K to $99K; $100K to $999K; $1M to $999M; $1B–$2B; $3B–$4B; $5B–$7B; More than $7B. Axis 0% to 50%.

The Respondent Breach Landscape

For this survey, breach is defined as “any impermissible acquisition, access or disclosure of sensitive information.” Our respondents reported a variety of experience with breaches according to this definition. Only 13% of survey respondents suffered at least one major breach. Another 26% of respondents have had many incidents but no major breaches. (See Figure 2.)

The majority of respondents (61%) were either not aware of a major breach or did not know. This result may be influenced by respondents who wish to avoid the stigma of disclosure, yet this number is still alarming. Effective prevention starts with knowing the possible vulnerabilities and exposures as well as investigation of possible incidents. The percentage of self-attested breaches actually may be higher than 13%.

For those respondents who have suffered a major breach, known and unknown malware or vulnerability exploits were the leading causes, leading to an observation that these breaches may have been preventable with the proper tools for detection and blocking of these attacks. (See Table 3.)

Figure 2. Respondent Track Record on Breaches and Incidents
(Chart. Question: “What has been your organization’s track record on breaches?” Response options: We have had at least one major breach; We have had many incidents but no major breaches; We have had no major breaches that we are aware of; Unknown/No input.)

Table 3. Respondent Breach Characteristics

Impact of Breach:
• Loss of intellectual property or personally identifiable information: 30.6%
• Financial loss: 19.4%
• Reputation/Brand loss: 19.4%
• Regulatory/Compliance consequences: 16.7%

Method of Attack:
• Exploiting known vulnerabilities or delivering known malware: 59.4%
• Exploiting unknown vulnerability or delivering previously unknown malware: 27.0%
• Insider action with privileged access: 24.3%
• Negligence: 24.3%

Measures for Prevention

SANS first examined the preventive measures that respondents implemented, comparing them with the measures respondents feel should be preventive but have not necessarily implemented.

Sidebar: The Four Domains of Measures for Prevention
• Business measures are those tied to the mission of an organization, providing visibility into its security posture and its approach to risk analysis and management.
• Architectural design and development measures encompass establishment of requirements, evaluation of design, approaches to development and a robust approach to testing.
• Operational measures can proactively protect the critical assets of an organization. These measures depend on a mix of procedures and automation.
• Technology measures are those tools that can identify and prevent known and unknown threats (malware) and vulnerability exploits.

Business Measures

SANS selected the following business measures to evaluate:

• Metrics-based evaluation and reporting as a measure to provide visibility into organizational security posture
• Scenario-based risk analysis to evaluate the organization’s risk profile
• Use of cyber insurance as a method for risk management (i.e., to transfer risk)

More than 50% of respondents consider the selected business measures important to prevention, yet fewer than half have implemented them, whether through procedures or automation. See Figure 3.

This discrepancy is especially surprising when it comes to the reporting measures. Respondents realize that one cannot truly manage what one cannot measure—or at least have visibility into the process. The need for and the absence of metrics is a common theme across other SANS surveys as well. Defining, collecting and correctly interpreting viable metrics, however, are not easy exercises, possibly accounting for the inconsistency seen here. Prevention by its very nature will lack those more definitive events, such as the time measured from discovery to remediation, which establish quantifiable measures for incident response reporting and evaluation.

Figure 3. Preventive Business Measures–Considered and Implemented
(Chart. Questions: “What business measures do you consider preventive?” and “What business measures have you implemented?” Categories: Metrics-based evaluation and reporting; Scenario-based risk analysis; Cyber insurance; Other. Series: Consider; Implemented (Procedures/Automated). Axis 0% to 80%.)

A similar observation can be made about the discrepancy in results for scenario-based risk analysis. According to a December 2015 SANS survey on post-breach impacts, “knowing where sensitive data is, what regulations apply, what systems and applications this data resides in, who should and should not have access, and monitoring sensitive data goes a long way toward preventing such breaches in the first place.”10 Scenario-based risk analysis can be an effective approach to first identifying potential vulnerabilities related to given situations and then analyzing the potential consequences through the use of effective solutions, built on procedures as well as automation. The depth and the detail needed to make truly effective use of this measure can be daunting. A scenario should also take into account the possible financial impact of the hypothetical but potential breach. Together with test results from exercising the current security controls, this information can result in the cost-benefit analysis needed to establish a solid justification for new or improved preventive measures.

The fact that more than 50% of respondents consider cyber insurance a preventive measure is also notable. In general, cyber insurance in and of itself may not be thought of as a preventive measure, but the consideration of cyber insurance definitely influences the preventive space because of its effect on the security hygiene of an organization prior to securing coverage. Security brokerages and underwriters also provide cost-effective cyber services to support organizations with both pre-breach mitigation and post-breach remediation services.

Pull quote: There are lots of things that can be measured, but it is very unclear which of them are in fact worth measuring (in terms of adding value to security decisions). And since there are very few “absolutes” in security, there is always the challenge of making a judgment about the measurement value that is “good enough” in terms of managing risk.
—A Measurement Companion to the CIS Critical Security Controls11

10 “Cleaning Up After a Breach,” www.sans.org/reading-room/whitepapers/analyst/cleaning-breach-post-breach-impact-cost-compendium-36517, p. 14
11 “A Measurement Companion to the CIS Critical Security Controls,” www.cisecurity.org/critical-controls.cfm, p. 3. Registration may be required.

Design and Development Measures

Design and development is where prevention should start to avoid fielding a potentially vulnerable application or insecure infrastructure modification. These measures apply throughout the system life cycle—not just at the start, but at any time a major change occurs that affects an application or the production environment.

SANS selected the following design and development measures to evaluate:

• Security policy and planning implementation supporting the establishment of related requirements for infrastructure and application design, supporting infrastructure needs, and operational procedures
• Architectural review of infrastructure, applications and systems, allowing evaluation of potential vulnerabilities and related threats at strategic points in the system life cycle
• AppSec/DevOps plans and procedures establishing best practices for secure coding and integration into the larger production environment(s) of an organization
• Robust testing procedures that help establish and maintain a secure configuration baseline throughout the system life cycle

Survey results indicate that, although the majority of respondents (71%) practice initial security policy planning and implementation, a large portion (46%) do not consider policy planning and implementation to be a preventive measure. Results show that organizations would be wise to consider improving their approach to robust testing and AppSec/DevOps plans and procedures to increase their breach prevention capability. See Figure 4.

Pull quote: Organizations realize that application security (AppSec) is key to protecting their data and the IT assets that contain it. At the heart of developing and maintaining AppSec is the ability to continually assess the security of an application throughout its life cycle, taking into account the environment into which it is placed, how users interact with it, and how it interacts with other systems and applications.
—Assessing Application Security: A Buyer’s Guide, SANS, May 2016 12

12 “Assessing Application Security: A Buyer’s Guide,” www.sans.org/reading-room/whitepapers/analyst/assessing-application-security-buyers-guide-37000, p. 1.

One respondent also touched on a key element in an open-ended response to “other”—change control, an issue that will be addressed under “Operational Measures.”

More respondents conduct architectural reviews of the infrastructure (63%) than application and systems (54%), although they consider that the latter may be slightly more critical (58% as opposed to 53%) to prevention. The overall security of an application or system depends on how it functions within its environment—as this survey shows later, the supporting infrastructure can be a barrier to proper implementation of preventive measures.

Prevention should start with an architectural review that considers security across all phases of the system or software life cycle—requirements, trusted software, interfaces and integration into the production environment. The review process should also incorporate risk analysis and threat modeling to establish possible adverse scenarios and related test requirements. Testing should incorporate these negative scenarios to identify exploitable weaknesses and mitigate potential threats.

Figure 4. Development Measures—Considered and Implemented
(Chart. Questions: “What design or development measures do you consider preventive?” and “What measures have you implemented?” Categories: Architectural reviews of applications and systems; Security policy planning and implementation; Robust testing; Architectural reviews of infrastructure; AppSec/DevOps plans and procedures; Other. Series: Consider; Implemented (Procedures/Automated). Axis 0% to 80%.)

Robust testing is hard. Organizations continually fail to test properly for a wide variety of reasons: lack of expertise to determine test requirements, design the process, and analyze results; tools that are difficult to use; and budget and schedule constraints. Another common problem is the lack of an appropriate test environment that simulates production conditions, especially those that can affect the security of the platform under test. In March 2015, thousands of students could not log into a Florida state exam when the exam supplier American Institutes for Research failed to load-test the platform for multiple simultaneous logins.13

Operational Measures

Operationally, respondents appear to have implemented measures they are not totally convinced are preventive. For example, user awareness and training has been implemented as a preventive measure by 67%, yet only 58% consider it as such. Similarly, 59% have implemented asset management, and only 51% consider it a preventive measure. Respondents are also looking to newer techniques and technologies, such as cyber threat intelligence and data governance of sensitive data, as measures for prevention, even though implementation still lags. See Figure 5.

Figure 5. Operational Measures—Considered and Implemented
(Chart. Questions: “What operational measures do you consider preventive?” and “What operational measures have you implemented?” Categories: Use of cyber threat intelligence; Incident response; User awareness and training; Asset management; Continuous vulnerability monitoring and assessment; Configuration control and management; Data governance around sensitive data; Other. Series: Consider; Implemented (Procedures/Automated). Axis 0% to 80%.)

13 www.linkedin.com/pulse/load-testing-failures-disrupt-state-exams-richard-akrofi

These results again raise the question of why organizations are not implementing what they believe to be the most preventive measures. What are the issues impeding the effectiveness of the measures most respondents consider preventive? One possible explanation may be that, operationally, organizations focus too much on these measures for compliance reasons rather than the outcomes needed for actual prevention or business improvement. User awareness and training is a good example. Various methods of phishing continue to be the primary vector for malware attacks. Posters in the lunchroom or quarterly newsletters prevent nothing but demonstrate compliance; active phishing testing, on the other hand, is a proven technique to reduce successful phishing incidents.

Here is where utilization of the CIS Critical Security Controls can support better breach prevention. The CIS Controls families are “recognized as a relatively small number of prioritized, well-vetted and supported security actions,” and the first five CIS Controls families are considered as first steps to be taken by an organization in establishing an effective security posture.14

Respondents’ emphasis on the operational measures does not align with the best practices as reflected in the prioritization of the CIS Controls. Most respondents have implemented user training and awareness (67%), followed by continuous vulnerability monitoring and assessment (65%), and incident response (63%). The leading “foundational cyber hygiene” controls—asset management and configuration control—are both lower than 60%. In fact, asset management trails all other measures in respondent consideration as a preventive measure. See Table 4.

Table 4. Operational Preventive Measure Ranking Versus CIS Controls
(Each row: CIS Control; Measure; Consider % (rank); Implement % (rank).)
• CIS Control 1; Asset management; 50.9% (7); 59.4% (4)
• CIS Control 3; Configuration control and management; 54.9% (5); 58.5% (5)
• CIS Control 4; Continuous vulnerability monitoring and remediation; 56.3% (4); 64.7% (2)
• CIS Control 8; Use of cyber threat intelligence; 56.7% (3); 50.0% (6)
• CIS Control 13; Data governance around sensitive data; 59.8% (1); 47.3% (7)
• CIS Control 17; User awareness and training; 57.6% (2); 67.4% (1)
• CIS Control 19; Incident response; 52.2% (6); 63.4% (3)

Sidebar: Top Five CIS Critical Security Control Families
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges

14 “The CIS Critical Security Controls for Effective Cyber Defense,” www.cisecurity.org/critical-controls.cfm, p. 3.


Without effective asset and configuration management procedures and tools, an organization may lack the foundation needed to protect its infrastructure, its critical applications and systems, and its data with other measures such as continuous monitoring and assessment.

Technology Measures

Respondents focus on blocking known malware (85%) and vulnerability exploits (81%) for the preventive technology measures they have implemented. Respondents consider that identifying and automatically blocking unknown malware (53%) and preventing never-before-seen vulnerabilities (67%) are the leading preventive measures. See Figure 6.

Figure 6. Technology Measures—Considered and Implemented

[Bar chart. Survey questions: “What technology measures do you consider preventive?” and “What technology measures have you implemented?” Categories: Other; Identifying and automatically blocking unknown malware; Blocking known malware; Preventing never-before-seen vulnerability exploits on the endpoint; Blocking known vulnerability exploits; None, only monitoring alerts, not blocking. Legend: Consider; Implemented Procedures/Automated. Bar values are not recoverable from the extracted text.]


Respondents realize that identifying and blocking the “known knowns” are not sufficient in the modern threat landscape, where cyber attacks are constantly evolving. According to Dark Reading, “new zero-day vulnerability discoveries jumped by 125% in 2015, with effectively a new zero-day exploit uncovered weekly, even as the total number of new vulnerabilities reported and patched actually decreased by 15% compared with the previous year.”15 Prevention requires technology, such as network-based anti-malware tools, that can go beyond signature-based detection to identify, filter out or otherwise cripple malicious code or content before it arrives at an endpoint it can compromise.

The expanse of data being collected and analyzed for both prevention and detection also demands a “force multiplier” to enhance the productivity of skilled staff that is in demand but in limited supply. Maintaining an effective organizational security posture requires that visibility and management go hand-in-hand—you can’t manage what you can’t measure.

Many of the preventive measures previously highlighted—metrics-based evaluation and reporting, continuous vulnerability monitoring and assessment, asset and configuration management—require automation to achieve the desired outcomes and benefit the business.

Proper security instrumentation across all layers in the computing continuum—network, systems, endpoints, apps—delivers the event indicators that allow visibility. Use of background processing with advanced techniques (e.g., machine learning) and cyber threat intelligence sources reduces the load on human analysts, allowing the organization to focus its resources on understanding the issues and resolving the smaller number of incidents that demand the highest attention.

In short, automated prevention is on the critical path to actually achieving prevention.

“Making better use of existing security data to more rapidly and accurately detect attacks in process can be a force multiplier for security budgets.”

—John Pescatore, SANS16

15 “Zero Day Discoveries a Once-a-Week Habit.” www.darkreading.com/vulnerabilities---threats/zero-day-discoveries-a-once-a-week-habit/d/d-id/1325099

16 “Hardening Retail Security,” www.sans.org/reading-room/whitepapers/analyst/hardening-retail-security-35517, p. 3.


Prevention Depends ...

Determining what is effective for prevention is not easy. How does one measure the effectiveness of preventive measures? Many organizations represented in this survey report that they are either not aware or do not know whether they have been breached. It is entirely possible that they have been infected and the compromise is not yet detected. The only “for sure” metric or indicator is probably whether an organization has actually been breached—a situation we all want to avoid.

We turned to subjective measures to see whether we could tease out any metrics. As it turns out, experience counts, both in terms of confidence and what respondents consider the more effective controls.

Experience Counts in Confidence

Overall, most respondents (64%) are at least somewhat confident that their organization has not been breached or isn’t experiencing a security incident, but that confidence correlates with the breach experience respondents report. Those who have experienced many incidents, but no breach, have a higher level of confidence than those who have had at least one major breach or simply do not know. Interestingly, for those with many incidents or at least one breach, there is no unknown in their confidence. See Figure 7.

Figure 7. Status of Breach versus Confidence in Knowing Experience Changes the Emphasis

[Stacked bar chart titled “Confidence vs. Breach.” Rows (Breach Track Record): Overall; None Known; At Least One Breach; Unknown; No Breach, Many Incidents. Scale 0% to 100%. Legend: Extremely confident; Confident; Somewhat confident; Somewhat unconfident; Extremely unconfident; Unknown. Bar values are not recoverable from the extracted text.]


Experience Affects Measures Considered

Just as experience affects confidence, it also affects how respondents view the top measures they consider preventive. Table 5 shows the top ten measures considered preventive by those respondents who, respectively, have experienced at least one major breach, many incidents and no breaches, and no major breach of which they are aware (see Figure 2, noted earlier).

Measures related to application security play a consistent role across all three, as does scenario-based risk analysis. The use of cyber threat intelligence is considered among the top measures by those who experience either incidents or breaches. Interestingly, cyber insurance appears as a top 10 consideration by those who have experienced a breach, but not by others.

Table 5. Top 10 Preventive Measures by Experience

We have had at least one major breach.

1. Preventing never-before-seen vulnerability exploits on the endpoint
2. AppSec/DevOps plans and procedures
3. Scenario-based risk analysis
4. Identifying and automatically blocking unknown malware
5. Robust testing
6. Metrics-based evaluation and reporting
7. Use of cyber threat intelligence
8. Cyber insurance
9. Architectural reviews of applications and systems
10. Configuration control and management

We have had many incidents but no major breaches.

1. Preventing never-before-seen vulnerability exploits on the endpoint
2. AppSec/DevOps plans and procedures
3. Architectural reviews of applications and systems
4. Use of cyber threat intelligence
5. Data governance around sensitive data
6. Scenario-based risk analysis
7. Robust testing
8. Metrics-based evaluation and reporting
9. Architectural reviews of infrastructure
10. Continuous vulnerability monitoring and assessment

We have had no major breaches that we are aware of.

1. Robust testing
2. AppSec/DevOps plans and procedures
3. Data governance around sensitive data
4. Configuration control and management
5. Scenario-based risk analysis
6. Preventing never-before-seen vulnerability exploits on the endpoint
7. Continuous vulnerability monitoring and assessment
8. User awareness and training
9. Architectural reviews of applications and systems
10. Use of cyber threat intelligence


What measures respondents considered preventive appear to be affected by what measures they have implemented. Figure 8 compares the preventive measures implemented versus those considered as such by respondents who had suffered at least one major breach. Interestingly, respondents appear to consider what they have already implemented as less preventive, possibly because of their actual experience with those measures. This dichotomy may show how the security industry, as a whole, needs to do better. The results raise two questions that, for this survey, remain largely unanswered:

1. Have organizations focused on the “wrong” measures for prevention to date?

2. Or, and more likely, have organizations implemented the “correct” measures for prevention but failed to completely commit resources to what is needed for the best return on investment?

The latter question can address anything from investment in major prevention projects to simply providing time for current staff to properly configure (and test!) existing automation.

Figure 8. Preventive Measures for Respondents with at Least One Major Breach

[Bar chart; x-axis: Percentage of Respondents (0% to 10%). Categories: Metrics-based evaluation and reporting; Cyber insurance; Data governance around sensitive data; Blocking known vulnerability exploits; Robust testing; Architectural reviews of applications and systems; Incident response; Continuous vulnerability monitoring and assessment; Scenario-based risk analysis; Use of cyber threat intelligence; Architectural reviews of infrastructure; AppSec/DevOps plans and procedures; Identifying and automatically blocking unknown malware; Asset management; Security policy planning and implementation; Preventing never-before-seen vulnerability exploits on the endpoints; Configuration control and management; User awareness and training; Blocking known malware. Legend: Consider; Implement. Bar values are not recoverable from the extracted text.]


Technology Implemented Versus Technology Coveted

How the technology is being deployed by respondent organizations also affects the emphasis placed on preventive measures. How technologies are being embraced by survey respondents is shown in Figure 9.

Comparing these technologies with the measures respondents consider preventive yields interesting results:

• Respondents consider scenario-based risk analysis, a business measure, as a leading preventive measure across all technologies, followed by preventing never-before-seen vulnerability exploits on the endpoints, a technology measure.

• Respondents place a definite emphasis on development measures for mobile and SaaS environments, as well as hybrid cloud and Internet of Things (IoT) technologies. Overall, respondents consider AppSec/DevOps plans and procedures as third overall as a preventive measure. This increases in importance for hybrid cloud, where it ties for second with robust testing behind the leading measure, scenario-based risk assessment. For IoT, respondents (albeit a much smaller number overall) consider AppSec/DevOps plans and procedures, along with robust testing, as the leading measures.

• Data governance of sensitive data is an important factor for public cloud environments, echoing the general concern by security practitioners over the loss of visibility around data in today’s mobile/cloud computing ecosystem.

Figure 9. Technologies Being Embraced

[Bar chart. Survey question: “What technologies is your organization embracing? Select all that apply.” Categories: Public Cloud; Private Cloud/Virtualized DC; Mobile; IoT; SaaS; BYOD; Hybrid Cloud. Scale 0% to 80%. Bar values are not recoverable from the extracted text.]


• Technology measures rate lower overall in consideration level for public and hybrid cloud environments as well as IoT, possibly because of lack of definition and/or control over the infrastructure related to these technologies.

• Despite ongoing concern in many industries over insider threats, due both to negligence and malicious behavior, user awareness and training was not indicated by most respondents as a leading contender for any technology category.

Table 6 provides the full analysis for what respondents consider most effective by the types of technology their organization is embracing. In the original, the top three measures for each technology are color-coded: blue is selected by the highest percentage of respondents, red by the next highest, and orange by the third highest. In the table below these are marked (1), (2) and (3); tied values share a marker.

Table 6. Preventive Measures Considered by Technology Embraced

Percentage of respondents, by technology embraced. Column key: PrivCloud = Private Cloud/Virtualized DC; PubCloud = Public Cloud; Hybrid = Hybrid Cloud.

Measure (by category)                                                 BYOD       Mobile     SaaS       PrivCloud  PubCloud   Hybrid     IoT

Development
  AppSec/DevOps plans and procedures                                  39.3% (3)  47.3% (3)  37.5% (3)  37.9%      22.8%      24.6% (2)  8.9% (1)
  Architectural reviews of applications and systems                   37.5%      46.0%      32.6%      32.6%      20.5%      20.1%      6.7%
  Architectural reviews of infrastructure                             33.9%      42.4%      29.9%      29.5%      19.2%      18.8%      5.8%
  Robust testing                                                      37.5%      46.0%      36.2%      38.4% (3)  21.9%      24.6% (2)  8.9% (1)
  Security policy planning and implementation                         33.9%      41.1%      32.1%      32.1%      20.5%      19.2%      6.3%

Operational
  Asset management                                                    30.4%      37.5%      32.6%      28.6%      21.0%      17.4%      5.8%
  Configuration control and management                                33.5%      39.7%      33.0%      33.0%      23.7%      20.5%      6.7%
  Continuous vulnerability monitoring and assessment                  33.5%      42.9%      33.0%      36.6%      21.9%      21.4%      7.1%
  Data governance around sensitive data                               35.3%      44.2%      34.4%      36.6%      24.1% (3)  23.2%      6.3%
  Incident response                                                   31.3%      38.8%      29.9%      29.9%      18.8%      18.3%      5.8%
  Use of cyber threat intelligence                                    34.4%      40.6%      33.0%      34.4%      19.2%      21.0%      7.1%
  User awareness and training                                         36.2%      41.5%      31.3%      35.3%      20.1%      21.0%      6.3%

Business
  Cyber insurance                                                     33.5%      40.8%      30.1%      33.5%      19.4%      19.9%      7.8%
  Metrics-based evaluation and reporting                              35.0%      40.3%      35.0%      35.4%      21.8%      20.4%      5.3%
  Scenario-based risk analysis                                        40.8% (2)  48.1% (1)  41.3% (1)  40.8% (1)  24.8% (2)  25.2% (1)  8.3% (2)

Technology
  Blocking known malware                                              29.3%      35.1%      29.3%      27.6%      17.3%      18.2%      6.2%
  Blocking known vulnerability exploits                               29.3%      36.0%      31.1%      27.6%      19.6%      20.0%      5.3%
  Identifying and automatically blocking unknown malware              34.2%      40.4%      32.0%      28.9%      20.9%      19.6%      5.8%
  Preventing never-before-seen vulnerability exploits on the endpoint 41.3% (1)  47.6% (2)  39.6% (2)  40.0% (2)  25.3% (1)  24.0%      8.0%


Barriers to Prevention

So what are the barriers to preventive measure implementation? Figure 10 shows the overall results for this survey.


Figure 10. Barriers to Preventive Measure Implementation

[Grouped bar chart. Survey question: “For each of these areas, what is the primary reason you have been unable to implement the controls?” Categories: No firm requirements as to exactly what is needed; Proper skill sets; Available manpower; Lack of justification; Lack of management buy-in; Inability to secure budget; No ability to manage projects or programs related to prevention; Cannot support automation demands due to infrastructure limitations. Scale 0% to 90%. Legend (measurement domains): Business; Design; Development; Operational; Technology. Bar values are not recoverable from the extracted text.]


Some real trends emerge when the top four reasons in each measurement domain are reviewed. See Table 7.

The domains of design, operations and technology all suffer from a core set of limitations in establishing preventive measures: available manpower and proper skill sets. Ultimately, however, these measures should help achieve a positive balance, a force multiplier that mitigates or even eliminates these limitations. It is the transition, though, that will most likely require that painful surge in dollars due to outsourcing during this period and training staff resources on new and needed skills.

Table 7. Top Four Barriers by Measurement Domain

Domain        Top Reason                                                             %
Business      Inability to secure budget                                             29.9%
              Lack of management buy-in                                              25.3%
              Lack of justification                                                  21.5%
              No firm requirements as to exactly what is needed                      20.5%
Design        Available manpower                                                     19.9%
              No firm requirements as to exactly what is needed                      15.0%
              Lack of management buy-in                                              14.3%
              Proper skill sets                                                      14.0%
Operational   Available manpower                                                     30.6%
              Proper skill sets                                                      22.3%
              No ability to manage projects or programs related to prevention        19.7%
              Cannot support automation demands due to infrastructure limitations    19.4%
Technology    Available manpower                                                     18.8%
              Cannot support automation demands due to infrastructure limitations    16.1%
              Inability to secure budget                                             15.7%
              Proper skill sets                                                      14.6%


Another critical factor also emerges that is reflected in both the technology and operational domains—infrastructure limitations that cannot support the automation required. In addition, operationally, the capability of managing projects or programs related to prevention is limited. Prevention requires a strategic view, ideally starting at the beginning of the system/software development life cycle, and dedicated resources. Trying to timeshare this activity with an overloaded security analyst or incident team responder is not a winning proposition.

But it is the top four barriers under the business domain that tell the story of how to overcome these limitations. The first step is to develop firm requirements for exactly what is needed from a functional, technical and programmatic (cost, schedule and resources) perspective. With requirements in hand, preventive measures—procedures and tools—can be prioritized and justified to achieve management buy-in and secure a working budget.


Moving to a Culture of Prevention

Where to start to enable a culture of prevention in an organization? The first steps are:

1. Understand the decision-making process.

2. Evaluate where the gaps are related to understanding and promoting preventive measures.

3. Determine how to measure and monitor to keep the program alive.

The Decision-Making Process

The majority of respondents (75%) report that their executive team is involved in decision making or oversight of their organization’s security. The majority participate in the risk management process and conduct financial oversight of technical or policy decisions. See Figure 11.

But the concern remains—are the executives truly informed? Do they understand the problem(s) at hand?


Figure 11. Executive Involvement in Security Decision Making

[Bar chart. Survey question: “How is your executive management team involved in the decision making or oversight of your organization’s security program? Select all that apply.” Categories: They participate in a risk management process to ensure investments are aligned to operational priorities; They conduct financial oversight of technical or policy decisions; They rely on outside consultation for review and oversight; Other. Scale 0% to 70%. Bar values are not recoverable from the extracted text.]


Figure 12 shows that the respondents act mainly as influencers (e.g., recommenders) as well as users of technology and policy, reflecting the fact that only 36% of respondents represented management, as shown previously in Table 2. This result supports the fact that respondents do not share as strongly in the decision-making processes related to security policy and purchase of technology. Only 41% are involved in security policy decision making, and just 36% are involved in purchasing security technologies. The role that these subject matter experts play in establishing their organization’s security posture can affect the approach to prevention.

And this less-than-ideal role raises the second concern: Does the executive team rely on the subject matter experts—those who really know the business—not only for recommendations but for participation in the final decisions regarding policy and procurement?

An effective relationship, with communication and confidence in the roles of executive staff and security management, is the first step in achieving a program of prevention in an organization. You don’t want to wait until the ransomware demand is on the doorstep.

Figure 12. Respondent Role in Organizational Security Posture

[Bar chart. Survey question: “What is your role in the company’s security posture? Select all that apply.” Categories: Other; A security policy influencer; An influencer of security technology purchasing decisions; A security policy decision maker; A user of security technology; A buyer of security technology. Scale 0% to 70%. Bar values are not recoverable from the extracted text.]

“The executive team gets in the way of good security. The organization has never been burnt, which may explain the problem. Ransomware incidents may help the situation, … but they are still stuck on AV [antivirus] technology as the preventive measure.”

—SANS Survey Interviewee


Measuring Success

Security activities in respondent organizations emphasize the operational nature of security in an organization. Technical security teams in respondent organizations spent the majority of their time creating new security controls (39%) or investigating alerts and incidents (34%). Almost 44% are directly involved in detection and response, areas where automation, those “force multiplier” tools and technologies, can be used to lower these percentages. With more time available for prevention, SANS would expect to see increases in “creating new security controls, including policies and procedures” and “proactively hunting for advanced threats,” areas where human intervention is most valuable and needed. See Figure 13.

Figure 13. Where the Technical Team Spends Its Time

[Chart. Survey question: “Where does your technical security team focus or spend the majority of its time?” Categories: Creating new security controls, including policies or procedures; Investigating alerts and incidents; Proactively hunting for advanced attacks; Analyzing potential breaches after they occur; Performing forensic analysis; Other; Prioritizing events for additional analysis. Values are not recoverable from the extracted text.]


When measuring the efficacy of their security investments, respondents place more emphasis on the technical artifacts that report on immediate success. To look strategically at prevention, emphasis needs also to be placed on factors such as configuration of critical information assets or how security relates as a percentage of the company IT budget or overall revenue. See Figure 14.

Developing good metrics to determine the efficacy of security investments that support prevention is a key aspect of the decision-making process. Figure 14 indicates an inherent barrier to prevention that was not explicitly asked of respondents. True prevention depends on continuous, objective monitoring and assessment—the first and third factors in Figure 14. These are the areas where an organization should measure its investment in prevention. Prevention cannot depend on compliance artifacts that are non-continuous, inherently reactive and potentially biased by the nature of the audit in what they reveal.

This ties directly back to the earlier discussion on metrics-based evaluation and reporting and its importance to an enterprise strategy for prevention.

Figure 14. Efficacy Factors Used by Respondents

[Bar chart. Survey question: “How do you measure the efficacy of your security investments?” Categories: Trends in the number of alerts that result in incidents and/or breaches; Number of issues identified by IT security as control weaknesses; Security cost as a percentage of total company revenue; Output from regular assessments (e.g., vulnerability assessment, penetration testing); Time to detect as it affects time to remediate; Compliance or other types of audit findings performed by third parties; Other; Compliance or other types of audit findings performed by internal resources; Percentage of critical information assets in compliance with approved system architecture; Number of threats proactively identified and eliminated quarterly or annually. Scale 0% to 60%. Bar values are not recoverable from the extracted text.]

“Measurement is an essential component of any successful security program. To support good decision-making, you must be able to assess your current state, and also have a way to measure and report on progress.”

—A Measurement Companion to the CIS Critical Security Controls17

17 “A Measurement Companion to the CIS Critical Security Controls,” www.cisecurity.org/critical-controls.cfm, p. 3. Registration may be required.


Conclusion

Prevention is not necessarily a new concept, but it requires organizations to first think strategically about what will happen if they are breached and, from this analysis, operationalize an overall strategy that avoids the problems, preventing the attack or mitigating the incident before it escalates into a breach.

Our results show that what respondents have implemented as preventive measures is not necessarily what they consider preventive. For example, more than 50% of respondents consider the business measures SANS identified in this survey as important, yet fewer than half have implemented them. Similar patterns emerge for the other categories of design and development, operational and technology measures. This trend is also illustrated in Figure 8, where it appears that more respondents who had at least one major breach consider those measures they haven’t necessarily implemented to be more preventive than the measures they have implemented.

This trend speaks strongly to a dependence on experience and, indeed, the survey results show that experience counts—those respondents who have experienced many incidents but no breach cite an overall higher level of confidence than those who have had at least one major breach. Experience, together with the technology being implemented, influences the choice of what measures respondents consider the most preventive.

What barriers have stopped respondents from implementing preventive measures? The domains of design, operations and technology all suffer from a core set of limitations in establishing preventive measures: available staff and proper skill sets. Ultimately, however, the real barriers are related to the business domain.

To develop a proactive culture of prevention, the organization must understand what the potential measures might be, what they relate to (e.g., company business and mission), and how they are influenced by factors such as whether the organization has been breached or any specific technology it is deploying.

Next, an understanding of the decision-making process used in the organization is needed. After the lines of communication are established, the organization needs to determine how best to report the required information to keep the program alive and the executives aware of how the preventive measures are working to keep the organization as safe as possible.

Finally, formalizing the requirements development process should be emphasized so that it is the starting point from which timely justifications for policy, process and tools to implement a culture of prevention can be created.


About the Authoring Team

Barbara Filkins, a senior SANS analyst who holds the CISSP and SANS GSEC (Gold), GCIH (Gold), GSLC (Gold), GCCC (Gold) and GCPM (Silver) certifications, has done extensive work in system procurement, vendor selection and vendor negotiations as a systems engineering and infrastructure design consultant. She is deeply involved with HIPAA security issues in the health and human services industry, with clients ranging from federal agencies (Department of Defense and Department of Veterans Affairs) to municipalities and commercial businesses. Barbara focuses on issues related to automation—privacy, identity theft and exposure to fraud, as well as the legal aspects of enforcing information security in today’s mobile and cloud environments.

John Pescatore (Advisor) joined SANS as director of emerging technologies in January 2013 after more than 13 years as lead security analyst for Gartner, 11 years with GTE, and service with both the National Security Administration, where he designed secure voice systems, and the U.S. Secret Service, where he developed secure communications and voice systems “and the occasional ballistic armor installation.” John has testified before Congress about cyber security, was named one of the 15 most-influential people in security in 2008 and remains an NSA-certified cryptologic engineer.


Sponsor

SANS would like to thank this survey’s sponsor: