A SANS Survey
Written by Barbara Filkins
Advisor: John Pescatore
September 2016
Sponsored by
Palo Alto Networks
Data Breaches: Is Prevention Practical?
©2016 SANS™ Institute
Data breaches are on the rise. The number of breach notifications issued by the New York
State Attorney General’s office, for example, has risen 40% during 2016 compared with
the same period a year earlier.1
Data breaches are only the tip of the cyber iceberg, however. We trust in and depend on
our digital environment, making us all more vulnerable than we might care to consider.
In June 2016, New York Magazine painted a fictional scenario in which a group of
European hackers effectively shut down New York City, reminding us that perhaps our
entire modern way of life is at stake. The events described in the story—a “connected”
car commandeered, access to online medical records blocked, a police dispatch center
rendered inaccessible, drinking water tainted with an uncontrolled release of chlorine—
were basically benign, but highly disruptive, especially when they cascaded. The article
was developed based on various hacks that had been executed before and, taken
together, present an “open-source blueprint available to anyone with an interest in
remote-control terrorism (and the time and manpower it requires).”2
The NYC scenario also assumes that “the average data breach is only identified five
months later,”3 a lag that can increase the cost of a breach astronomically. According
to the 2016 Verizon Data Breach Investigations Report (DBIR),4 organizations struggle
with an increased “detection deficit” (the time between detection and compromise) that
results in their failing to detect breaches before it’s too late. Sadly, the first indication of
trouble may be a notification from a customer or other third parties.
Businesses must still focus their limited security resources on the important tasks of daily
operations, incident response and remediation, but given current trends, prevention
must take on new urgency. How can organizations detect more rapidly or even prevent
incidents that could result in a breach? How can organizations build an effective security
program around prevention?
SANS ANALYST PROGRAM | Data Breaches: Is Prevention Practical?
Executive Summary
1 http://blogs.wsj.com/cio/2016/05/05/data-breaches-rise-while-companies-struggle-to-detect-them/
2, 3 http://nymag.com/daily/intelligencer/2016/06/the-hack-that-could-take-down-nyc.html
4 www.verizonenterprise.com/verizon-insights-lab/dbir/2016/?utm_source=pr&utm_medium=pr&utm_campaign=dbir2016
SANS conducted this survey to explore how organizations are handling prevention.
Breaking down possible preventive measures into four major categories or domains
(business, architectural design and development, operational, and technology), the
survey sought to answer three major questions:
1. What measures have respondents implemented that they believe
will prevent breaches?
2. What measures not necessarily implemented do respondents
consider preventive?
3. What barriers have stopped respondents from doing what they
should be doing?
What was notable is that overall results show striking
inconsistencies between what measures respondents
consider preventive compared with what they have
implemented as preventive, raising some key questions.
(See sidebar.) The minority (i.e., less than 40%) of
respondents have implemented business measures that
the majority (i.e., more than 50%) consider preventive.
Similarly, most respondents consider robust testing and
development plans and procedures as preventive, but
only half have implemented these architectural measures.
Operational measures considered preventive trail those
implemented, the exception being newer approaches
such as cyber threat intelligence and data governance.
Apparently, respondent experience with a measure shows
a certain disenchantment with a measure’s ability to
prevent. SANS can only speculate why because this survey was not designed to uncover
specific underlying causes. However, two possible factors come to mind.
First, given today’s rapidly evolving threat landscape, prevention requires measures
beyond more traditional methods, such as signature-based detection, to prevent attacks
or breaches. Although more than 80% of respondents have implemented technology
that blocks known malware and vulnerability exploits, slightly less than 50% consider
these technical measures effective.
How do you manage what you cannot measure? Nearly 60%
consider metrics-based evaluation and reporting preventive,
but less than 40% have implemented it.
How can advanced technology help deal with the unknown
unknowns? While 85% implement technical measures to block
known malware as preventive, less than 40% consider these
measures to actually be preventive.
How can you tell if you are secure? 63% consider robust testing
as preventive, but only 39% have implemented it.
Should the emphasis be on compliance (posters in the
lunchroom, for example) or prevention (active phishing testing)
to reduce user errors? 67% implement user awareness and
training as preventive, but only 56% consider it preventive.
Second, organizations must invest more fully in what they have, in terms of both staff
and technology. Available staff and the inability to secure budgets and proper skill sets
lead as barriers to implementing preventive measures, with another potentially critical
factor also emerging: infrastructure limitations that cannot support the automation
required or (possibly) already acquired.
Together, these factors point toward the improved use of automation, the force
multiplier that can augment the security workforce faced with an increasing volume of
attacks, continually putting defenders on the “losing side” in the cyber battle. Preventing,
not just detecting and responding to, incidents and attacks before either causes
harm allows an organization to focus valuable and limited resources on the small
number of truly targeted attacks that require human intervention.
Implementing effective prevention practices requires understanding the
executive decision-making processes that can affect the security posture of
an organization. The top four barriers identified under the business domain
(see sidebar) highlight the basic approach to overcoming these limitations.
First, develop firm requirements to meet the needs from functional,
technical and programmatic (cost, schedule and resources) perspectives.
Next, with requirements in hand, prioritize and justify the preventive
measures—procedures and tools—to achieve management buy-in and
secure a working budget.
In general, all businesses prioritize methods to avoid problems and mistakes.
They also maintain reactive response measures for the time when something
does go wrong. However, organizations can learn about cyber prevention from
industries such as aviation and medicine that must prioritize prevention to avoid
safety issues and preclude bad outcomes. These industries invest in prevention from
both a clear, long-range strategic vision and short-term operational strategies based on
specific, consistent best practices ideally assisted by automation. Organizations need
to embrace cyber prevention in the same way—before the hypothetical New York City
scenario becomes a reality.
Top Four Business Barriers to Prevention
• Inability to secure budget
• No firm requirements as to what exactly is needed
• Lack of management buy-in
• Lack of justification
(Chart values: 25%, 30%, 22%, 21%)
The Challenge
While many organizations remain overwhelmed by responding to security incidents,
some have been effective in preventing at least some potential breaches—and many
would like to be more proactive.
In a December 2015 paper, SANS outlined the concept of a “breach cycle,” where a
breach is defined as “any impermissible acquisition, access or disclosure of sensitive
information.” Table 1 provides an initial segmentation of the activities associated with
each era in the cycle. Previous SANS surveys have evaluated what happens during an
attack or compromise5 and the impact after a breach.6 In this study, SANS explores
what measures could be applied in the pre-breach era to prevent a breach from actually
occurring.
SANS conducted a 23-question survey to answer three major questions:
1. What measures have respondents implemented that they believe will
prevent breaches?
2. What measures not necessarily implemented do respondents
consider preventive?
3. What barriers have stopped respondents from doing what they
should be doing?
For this survey, preventive measures are defined as those related to “anticipating concerns that could lead to a breach.”
Pre-Breach Era (All Incidents)
Incident Handling Steps:
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned
Breach Era (Incident as Breach to Near-Term Remediation Complete)
Determination of Incident as a Breach:
• Root-cause determination
- Forensics
• Near-term remediation
- Data recovery
Post-Breach Era (Near-Term Remediation to ?)
Long-Term Recovery:
• Legal
• Additional controls
• Customer or client support
• Reputation or brand protection and recovery
Table 1. Events in the Breach Cycle7
5 “Incident Response Capabilities in 2016: The 2016 SANS Incident Response Survey,” www.sans.org/reading-room/whitepapers/incident/incident-response-capabilities-2016-2016-incident-response-survey-37047
6, 7 “Cleaning Up After a Breach,” www.sans.org/reading-room/whitepapers/analyst/cleaning-breach-post-breach-impact-cost-compendium-36517
Prevention involves all roles and titles in an organization, as evidenced by 319
practitioners involved in breach response activities and in quantifying losses from the
breach of their organizations’ sensitive information.8 Security and IT staff were equally
represented (46% for both) in the respondent population. Security management was
represented by 20% of the respondents, including senior management roles such as CSO
and CISOs. IT management accounted for 16% of the total respondents. See Table 2 for
all respondent roles that completed the survey.
Table 2. Respondent Roles9

| Category | Titles Included | % |
| --- | --- | --- |
| IT Admin/Analyst | System and network operations, developer | 30.5% |
| Security Admin/Analyst | | 26.4% |
| Security Management | Managers, security architect | 15.3% |
| IT Management | | 14.4% |
| Other | CEO/CFO/COO, business managers | 4.7% |
| Senior Security Management | CSO/CISO/VP of security | 4.4% |
| Compliance/Risk/Audit | VP audit and privacy officer | 3.1% |
| IT Senior Management | CIO/CTO/VP of technology | 1.3% |
8 Survey results were augmented by five in-depth telephone interviews with practitioners across the United States in a variety of industries.
9 Percentages add up to more than 100% due to rounding.
Figure 1 shows the distribution of respondents in terms of their organization’s industry,
size and net worth.
Banking and finance has the greatest representation at 15%, followed by education
(12%), government and healthcare (each 10%) and technology (9%). The majority of
organizations (78%) have workforces of 10,000 or less, and 22% have workforces larger
than 10,000. As far as net worth, 52% indicate revenues of $1 million to $999 million,
with 27% worth more than $1 billion and the remaining 22% worth less than $1 million.
Most respondent organizations were headquartered or had operations in the U.S.
(77%), but respondent organizations with operations in Europe (30%) and Asia (26%)
were also represented.
Figure 1. Respondents’ Industry, Workforce Size and Net Worth
[Three bar charts:
“What is your organization’s primary industry?” Categories: Other; Government; Banking and finance; Manufacturing; Retail; Healthcare; Education; Cybersecurity; Nonprofit/Association; Technology.
“What is the size of the workforce at your organization, including employees, contractors and consultants?” Categories: Fewer than 100; 101–1,000; 1,001–2,000; 2,001–5,000; 5,001–10,000; 10,001–15,000; 15,001–50,000; 50,001–100,000; More than 100,000.
“What is your organization’s revenue or annual budget?” Categories: Less than $1K; $1K to $99K; $100K to $999K; $1M to $999M; $1B–$2B; $3B–$4B; $5B–$7B; More than $7B.]
The Respondent Breach Landscape
For this survey, breach is defined as “any impermissible acquisition, access or disclosure
of sensitive information.” Our respondents reported a variety of experience with
breaches according to this definition. Only 13% of survey respondents suffered at least
one major breach. Another 26% of respondents have had many incidents but no major
breaches. (See Figure 2.)
The majority of respondents (61%) were either not aware of a major breach or did not
know. This result may be influenced by respondents who wish to avoid the stigma of
disclosure, yet this number is still alarming. Effective prevention starts with knowing the
possible vulnerabilities and exposures as well as investigation of possible incidents. The
percentage of self-attested breaches actually may be higher than 13%.
For those respondents who have suffered a major breach, known and unknown malware
or vulnerability exploits were the leading causes, leading to an observation that these
breaches may have been preventable with the proper tools for detection and blocking
of these attacks. (See Table 3.)
Figure 2. Respondent Track Record on Breaches and Incidents
[Chart: “What has been your organization’s track record on breaches?” Response options: We have had at least one major breach; We have had many incidents but no major breaches; We have had no major breaches that we are aware of; Unknown/No input.]
Table 3. Respondent Breach Characteristics

| Impact of Breach | % |
| --- | --- |
| Loss of intellectual property or personally identifiable information | 30.6% |
| Financial loss | 19.4% |
| Reputation/Brand loss | 19.4% |
| Regulatory/Compliance consequences | 16.7% |

| Method of Attack | % |
| --- | --- |
| Exploiting known vulnerabilities or delivering known malware | 59.4% |
| Exploiting unknown vulnerability or delivering previously unknown malware | 27.0% |
| Insider action with privileged access | 24.3% |
| Negligence | 24.3% |
SANS first examined the preventive measures that respondents implemented,
comparing them with the measures respondents feel should be preventive but have not
necessarily implemented.
Business Measures
SANS selected the following business measures to evaluate:
• Metrics-based evaluation and reporting as a measure to provide visibility into
organizational security posture
• Scenario-based risk analysis to evaluate the organization’s risk profile
• Use of cyber insurance as a method for risk management (i.e., to transfer risk)
More than 50% of respondents consider the selected business measures
important to prevention, yet fewer than half have implemented them, whether
through procedures or automation. See Figure 3.
This discrepancy is especially surprising when it comes to the reporting measures.
Respondents realize that one cannot truly manage what one cannot measure—or
at least have visibility into the process. The need for and the absence of metrics is a
common theme across other SANS surveys as well. Defining, collecting and correctly
interpreting viable metrics, however, are not easy exercises, possibly accounting for the
inconsistency seen here. Prevention by its very nature will lack those more definitive
events, such as the time measured from discovery to remediation, which establish
quantifiable measures for incident response reporting and evaluation.
Measures for Prevention
The Four Domains of Measures
for Prevention
• Business measures are those tied to the
mission of an organization, providing
visibility into its security posture and its
approach to risk analysis and management.
• Architectural design and development
measures encompass establishment
of requirements, evaluation of design,
approaches to development and a robust
approach to testing.
• Operational measures can proactively
protect the critical assets of an organization.
These measures depend on a mix of
procedures and automation.
• Technology measures are those tools
that can identify and prevent known
and unknown threats (malware) and
vulnerability exploits.
Figure 3. Preventive Business Measures–Considered and Implemented
[Bar chart. Questions: “What business measures do you consider preventive?” and “What business measures have you implemented?” Categories: Metrics-based evaluation and reporting; Cyber insurance; Scenario-based risk analysis; Other. Series: Consider; Implemented Procedures/Automated. Vertical axis: 0% to 80%.]
A similar observation can be made about the discrepancy in results for scenario-based
risk analysis. According to a December 2015 SANS survey on post-breach impacts,
“knowing where sensitive data is, what regulations apply, what systems and applications
this data resides in, who should and should not have access, and monitoring
sensitive data goes a long way toward preventing such breaches in the first place.”10
Scenario-based risk analysis can be an effective approach to first identifying potential
vulnerabilities related to given situations and then analyzing the potential consequences
through the use of effective solutions, built on procedures as well as automation.
The depth and the detail needed to make truly effective use of this measure can be
daunting. A scenario should also take into account the possible financial impact of the
hypothetical but potential breach. Together with test results from exercising the current
security controls, this information can result in the cost-benefit analysis needed to
establish a solid justification for new or improved preventive measures.
The fact that more than 50% of respondents consider cyber insurance a preventive
measure is also notable. In general, cyber insurance in and of itself may not be thought
of as a preventive measure, but the consideration of cyber insurance definitely
influences the preventive space because of its effect on the security hygiene of an
organization prior to securing coverage. Security brokerages and underwriters also
provide cost-effective cyber services to support organizations with both pre-breach
mitigation and post-breach remediation services.
There are lots of things that can be measured, but it is very unclear which of them are in fact worth measuring (in terms of adding value to security decisions).
And since there are very few “absolutes” in security, there is always the challenge of making a judgment about the measurement value that is “good enough” in terms of managing risk.
—A Measurement Companion to the CIS Critical Security Controls11
10 “Cleaning Up After a Breach,” www.sans.org/reading-room/whitepapers/analyst/cleaning-breach-post-breach-impact-cost-compendium-36517, p. 14
11 “A Measurement Companion to the CIS Critical Security Controls,” www.cisecurity.org/critical-controls.cfm, p. 3. Registration may be required.
Design and Development Measures
Design and development is where prevention should start to avoid fielding a potentially
vulnerable application or insecure infrastructure modification. These measures apply
throughout the system life cycle—not just at the start, but at any time a major change
occurs that affects an application or the production environment.
SANS selected the following design and development measures to evaluate:
• Security policy and planning implementation supporting the establishment
of related requirements for infrastructure and application design, supporting
infrastructure needs, and operational procedures
• Architectural review of infrastructure, applications and systems, allowing
evaluation of potential vulnerabilities and related threats at strategic points in the
system life cycle
• AppSec/DevOps plans and procedures establishing best practices for secure
coding and integration into the larger production environment(s) of an
organization
• Robust testing procedures that help establish and maintain a secure configuration
baseline throughout the system life cycle
Survey results indicate that, although the majority of respondents (71%) practice initial
security policy planning and implementation, a large portion (46%) do not consider
policy planning and implementation to be a preventive measure. Results show that
organizations would be wise to consider improving their approach to robust testing and
AppSec/DevOps plans and procedures to increase their breach prevention capability.
See Figure 4.
Organizations realize that application security (AppSec) is key to protecting their data and the IT assets that contain it. At the heart of developing and maintaining AppSec is the ability to continually assess the security of an application throughout its life cycle, taking into account the environment into which it is placed, how users interact with it, and how it interacts with other systems and applications.
—Assessing Application Security: A Buyer’s Guide, SANS, May 2016 12
12 “Assessing Application Security: A Buyer’s Guide,” www.sans.org/reading-room/whitepapers/analyst/assessing-application-security-buyers-guide-37000, p. 1.
One respondent also touched on a key element in an open-ended response to “other”—
change control, an issue that will be addressed under “Operational Measures.”
More respondents conduct architectural reviews of the infrastructure (63%) than
application and systems (54%), although they consider that the latter may be
slightly more critical (58% as opposed to 53%) to prevention. The overall security
of an application or system depends on how it functions within its environment—
as this survey shows later, the supporting infrastructure can be a barrier to proper
implementation of preventive measures.
Prevention should start with an architectural review that considers security across all
phases of the system or software life cycle—requirements, trusted software, interfaces
and integration into the production environment. The review process should also
incorporate risk analysis and threat modeling to establish possible adverse scenarios
and related test requirements. Testing should incorporate these negative scenarios to
identify exploitable weaknesses and mitigate potential threats.
Figure 4. Development Measures—Considered and Implemented
[Bar chart. Questions: “What design or development measures do you consider preventive?” and “What measures have you implemented?” Categories: Other; Architectural reviews of applications and systems; Security policy planning and implementation; Robust testing; Architectural reviews of infrastructure; AppSec/DevOps plans and procedures. Series: Consider; Implemented Procedures/Automated. Vertical axis: 0% to 80%.]
Robust testing is hard. Organizations continually fail to test properly for a wide variety
of reasons: lack of expertise to determine test requirements, design the process, and
analyze results; tools that are difficult to use; and budget and schedule constraints.
Another common problem is the lack of an appropriate test environment that simulates
production conditions, especially those that can affect the security of the platform under
test. In March 2015, thousands of students could not log into a Florida state exam when
the exam supplier American Institutes for Research failed to load test the platform for
multiple simultaneous logins.13
Operational Measures
Operationally, respondents appear to have implemented measures they are not
totally convinced are preventive. For example, user awareness and training has been
implemented as a preventive measure by 67%, yet only 58% consider it as such. Similarly,
59% have implemented asset management, and only 51% consider it a preventive
measure. Respondents are also looking to newer techniques and technologies, such
as cyber threat intelligence and data governance of sensitive data, as measures for
prevention, even though implementation still lags. See Figure 5.
Figure 5. Operational Measures—Considered and Implemented
[Bar chart. Questions: “What operational measures do you consider preventive?” and “What operational measures have you implemented?” Categories: Use of cyber threat intelligence; Other; Incident response; User awareness and training; Asset management; Continuous vulnerability monitoring and assessment; Configuration control and management; Data governance around sensitive data. Series: Consider; Implemented Procedures/Automated. Vertical axis: 0% to 80%.]
13 www.linkedin.com/pulse/load-testing-failures-disrupt-state-exams-richard-akrofi
These results again raise the question of why organizations are not implementing what
they believe to be the most preventive measures. What are the issues impeding the
effectiveness of the measures most respondents consider preventive? One possible
explanation may be that, operationally, organizations focus too much on these measures
for compliance reasons rather than the outcomes needed for actual prevention
or business improvement. User awareness and training is a good example.
Various methods of phishing continue to be the primary vector for malware
attacks. Posters in the lunchroom or quarterly newsletters prevent nothing but
demonstrate compliance; active phishing testing, on the other hand, is a proven
technique to reduce successful phishing incidents.
Here is where utilization of the CIS Critical Security Controls can support better
breach prevention. The CIS Controls families are “recognized as a relatively
small number of prioritized, well-vetted and supported security actions,” and
the first five CIS Controls families are considered as first steps to be taken by an
organization in establishing an effective security posture.14
Respondents’ emphasis on the operational measures does not align with the best
practices as reflected in the prioritization of the CIS Controls. Most respondents
have implemented user training and awareness (67%), followed by continuous
vulnerability monitoring and assessment (65%), and incident response (63%). The
leading “foundational cyber hygiene” controls—asset management and configuration
control—are both lower than 60%. In fact, asset management trails all other measures in
respondent consideration as a preventive measure. See Table 4.
Table 4. Operational Preventive Measure Ranking Versus CIS Controls

| CIS Control | Measure | Consider % | Consider Rank | Implement % | Implement Rank |
| --- | --- | --- | --- | --- | --- |
| 1 | Asset management | 50.9% | 7 | 59.4% | 4 |
| 3 | Configuration control and management | 54.9% | 5 | 58.5% | 5 |
| 4 | Continuous vulnerability monitoring and remediation | 56.3% | 4 | 64.7% | 2 |
| 8 | Use of cyber threat intelligence | 56.7% | 3 | 50.0% | 6 |
| 13 | Data governance around sensitive data | 59.8% | 1 | 47.3% | 7 |
| 17 | User awareness and training | 57.6% | 2 | 67.4% | 1 |
| 19 | Incident response | 52.2% | 6 | 63.4% | 3 |
14 “The CIS Critical Security Controls for Effective Cyber Defense,” www.cisecurity.org/critical-controls.cfm, p. 3.
Top Five CIS Critical Security Control Families
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
Without effective asset and configuration management procedures and tools, an
organization may lack the foundation needed to protect its infrastructure, its critical
applications and systems, and its data with other measures such as continuous
monitoring and assessment.
Technology Measures
Respondents focus on blocking known malware (85%) and vulnerability exploits (81%)
for the preventive technology measures they have implemented. Respondents consider
that identifying and automatically blocking unknown malware (53%) and preventing
never-before-seen vulnerabilities (67%) are the leading preventive measures. See
Figure 6.
Figure 6. Technology Measures—Considered and Implemented
[Bar chart. Questions: “What technology measures do you consider preventive?” and “What technology measures have you implemented?” Categories: Other; Identifying and automatically blocking unknown malware; Blocking known malware; Preventing never-before-seen vulnerability exploits on the endpoint; Blocking known vulnerability exploits; None, only monitoring alerts, not blocking. Series: Consider; Implemented Procedures/Automated. Vertical axis: 0% to 80%.]
Respondents realize that identifying and blocking the “known knowns” are not sufficient
in the modern threat landscape, where cyber attacks are constantly evolving. According
to Dark Reading, “new zero-day vulnerability discoveries jumped by 125% in 2015, with
effectively a new zero-day exploit uncovered weekly, even as the total number of new
vulnerabilities reported and patched actually decreased by 15% compared with the
previous year.”15 Prevention requires technology, such as network-based anti-malware
tools, that can go beyond signature-based detection to identify, filter out or otherwise
cripple malicious code or content before it arrives at an endpoint it can compromise.
The expanse of data being collected and analyzed for both prevention and detection
also demands a “force multiplier” to enhance the productivity of skilled staff that is in
demand but in limited supply. Maintaining an effective organizational security posture
requires that visibility and management go hand-in-hand—you can’t manage what you
can’t measure.
Many of the preventive measures previously highlighted—metrics-based evaluation and
reporting, continuous vulnerability monitoring and assessment, asset and configuration
management—require automation to achieve the desired outcomes and benefit the
business.
Proper security instrumentation across all layers in the computing continuum—network,
systems, endpoints, apps—delivers the event indicators that allow visibility. Use of
background processing with advanced techniques (e.g., machine learning) and cyber
threat intelligence sources reduces the load on human analysts, allowing the organization
to intelligently focus resources on understanding the issues and resolving the smaller
number of incidents that demand the highest attention.
In short, automated prevention is on the critical path to actually achieving prevention.
Making better use of existing security data to more rapidly and accurately detect attacks in process can be a force multiplier for security budgets.
—John Pescatore, SANS16
15 “Zero Day Discoveries a Once-a-Week Habit.” www.darkreading.com/vulnerabilities---threats/zero-day-discoveries-a-once-a-week-habit/d/d-id/1325099
16 “Hardening Retail Security,” www.sans.org/reading-room/whitepapers/analyst/hardening-retail-security-35517, p. 3.
Prevention Depends ...
Determining what is effective for prevention is not easy. How does one measure the
effectiveness of preventive measures? Many organizations represented in this survey
report that they are either not aware or do not know whether they have been breached.
It is entirely possible that they have been infected and the compromise is not yet
detected. The only “for sure” metric or indicator is probably whether an organization has
actually been breached—a situation we all want to avoid.
We turned to subjective measures to see whether we could tease out any metrics. As
it turns out, experience counts, both in terms of confidence and what respondents
consider the more effective controls.
Experience Counts in Confidence
Overall, most respondents (64%) are at least somewhat confident that their organization
has not been breached or isn’t experiencing a security incident, but that confidence
correlates with the experience cited by the respondents as to whether they have
experienced a breach. Those who have experienced many incidents, but no breach,
have a higher level of confidence than those who have had at least one major breach or
simply do not know. Interestingly, for those with many incidents or at least one breach,
there is no unknown in their confidence. See Figure 7.
[Figure 7. Status of Breach versus Confidence in Knowing. Chart title: Confidence vs. Breach. Horizontal bars, 0% to 100%, one per breach track record (Overall; None Known; At Least One Breach; Unknown; No Breach, Many Incidents), split by confidence level (Extremely confident; Confident; Somewhat confident; Somewhat unconfident; Extremely unconfident; Unknown).]
Experience Changes the Emphasis
Experience Affects Measures Considered
Just as experience affects confidence, it also affects how respondents view the top
measures they consider preventive. Table 5 shows the top ten measures considered
preventive by those respondents who, respectively, have experienced at least one major
breach, many incidents and no breaches, and no major breach of which they are aware
(see Figure 2, noted earlier).
Measures related to application security play a consistent role across all three, as does
scenario-based risk analysis. The use of cyber threat intelligence is considered among
the top measures by those who experience either incidents or breaches.
Interestingly, cyber insurance appears as a top 10 consideration by those who have
experienced a breach, but not by others.
Table 5. Top 10 Preventive Measures by Experience

We have had at least one major breach.
1. Preventing never-before-seen vulnerability exploits on the endpoint
2. AppSec/DevOps plans and procedures
3. Scenario-based risk analysis
4. Identifying and automatically blocking unknown malware
5. Robust testing
6. Metrics-based evaluation and reporting
7. Use of cyber threat intelligence
8. Cyber insurance
9. Architectural reviews of applications and systems
10. Configuration control and management

We have had many incidents but no major breaches.
1. Preventing never-before-seen vulnerability exploits on the endpoint
2. AppSec/DevOps plans and procedures
3. Architectural reviews of applications and systems
4. Use of cyber threat intelligence
5. Data governance around sensitive data
6. Scenario-based risk analysis
7. Robust testing
8. Metrics-based evaluation and reporting
9. Architectural reviews of infrastructure
10. Continuous vulnerability monitoring and assessment

We have had no major breaches that we are aware of.
1. Robust testing
2. AppSec/DevOps plans and procedures
3. Data governance around sensitive data
4. Configuration control and management
5. Scenario-based risk analysis
6. Preventing never-before-seen vulnerability exploits on the endpoint
7. Continuous vulnerability monitoring and assessment
8. User awareness and training
9. Architectural reviews of applications and systems
10. Use of cyber threat intelligence
What measures respondents considered preventive appears to be affected by what
measures they have implemented. Figure 8 compares the preventive measures
implemented versus those considered as such by respondents who had suffered at least
one major breach. Interestingly, respondents appear to consider what they have already
implemented as less preventive, possibly because of their actual experience with those
measures. This dichotomy may show how the security industry, as a whole, needs to do
better. The results raise two questions that, for this survey, remain largely unanswered:
1. Have organizations focused on the “wrong” measures for prevention to date? or, and
more likely, 2. Have organizations implemented the “correct” measures for prevention
but failed to completely commit resources to what is needed for the best return
on investment? The latter question can address anything from investment in major
prevention projects to simply providing time for current staff to properly configure (and
test!) existing automation.
[Figure 8. Preventive Measures for Respondents with at Least One Major Breach. Paired bars (Consider versus Implement) for each of the 19 preventive measures; x-axis: Percentage of Respondents, 0% to 10%.]
Technology Implemented Versus Technology Coveted
How the technology is being deployed by respondent organizations also affects the
emphasis placed on preventive measures. How technologies are being embraced by
survey respondents is shown in Figure 9.
Comparing these technologies with the measures respondents consider preventive
yields interesting results:
• Respondents consider scenario-based risk analysis, a business measure, as a
leading preventive measure across all technologies, followed by preventing never-
before-seen vulnerability exploits on the endpoints, a technology measure.
• Respondents place a definite emphasis on development measures for mobile
and SaaS environments, as well as hybrid cloud and Internet of Things (IoT)
technologies. Overall, respondents rank AppSec/DevOps plans and procedures
third as a preventive measure. This increases in importance for hybrid
cloud, where it ties for second with robust testing behind the leading measure,
scenario-based risk assessment. For IoT, respondents (albeit a much smaller
number overall) consider AppSec/DevOps plans and procedures, along with robust
testing, as the leading measures.
• Data governance of sensitive data is an important factor for public cloud
environments, echoing the general concern by security practitioners over the loss
of visibility around data in today’s mobile/cloud computing ecosystem.
[Figure 9. Technologies Being Embraced. Survey question: “What technologies is your organization embracing? Select all that apply.” Bars for Public Cloud, Private Cloud/Virtualized DC, Mobile, IoT, SaaS, BYOD and Hybrid Cloud; y-axis: 0% to 80%.]
• Technology measures rate lower overall in consideration level for public and hybrid
cloud environments as well as IoT, possibly because of lack of definition and/or
control over the infrastructure related to these technologies.
• Despite ongoing concern in many industries over insider threats, due both to
negligence and malicious behavior, user awareness and training was not indicated
by most respondents as a leading contender for any technology category.
Table 6 provides the full analysis for what respondents consider most effective by the
types of technology their organization is embracing. The top three measures for each
technology are indicated as follows: Blue is selected by the highest percentage of
respondents, red by the next highest, and orange by the third highest.
Table 6. Preventive Measures Considered by Technology Embraced
Columns are the technologies embraced; rows are the measures, grouped by category in the order Development, Operational, Business, Technology.

| Measure | BYOD | Mobile | SaaS | Private Cloud/Virtualized DC | Public Cloud | Hybrid Cloud | IoT |
|---|---|---|---|---|---|---|---|
| AppSec/DevOps plans and procedures | 39.3% | 47.3% | 37.5% | 37.9% | 22.8% | 24.6% | 8.9% |
| Architectural reviews of applications and systems | 37.5% | 46.0% | 32.6% | 32.6% | 20.5% | 20.1% | 6.7% |
| Architectural reviews of infrastructure | 33.9% | 42.4% | 29.9% | 29.5% | 19.2% | 18.8% | 5.8% |
| Robust testing | 37.5% | 46.0% | 36.2% | 38.4% | 21.9% | 24.6% | 8.9% |
| Security policy planning and implementation | 33.9% | 41.1% | 32.1% | 32.1% | 20.5% | 19.2% | 6.3% |
| Asset management | 30.4% | 37.5% | 32.6% | 28.6% | 21.0% | 17.4% | 5.8% |
| Configuration control and management | 33.5% | 39.7% | 33.0% | 33.0% | 23.7% | 20.5% | 6.7% |
| Continuous vulnerability monitoring and assessment | 33.5% | 42.9% | 33.0% | 36.6% | 21.9% | 21.4% | 7.1% |
| Data governance around sensitive data | 35.3% | 44.2% | 34.4% | 36.6% | 24.1% | 23.2% | 6.3% |
| Incident response | 31.3% | 38.8% | 29.9% | 29.9% | 18.8% | 18.3% | 5.8% |
| Use of cyber threat intelligence | 34.4% | 40.6% | 33.0% | 34.4% | 19.2% | 21.0% | 7.1% |
| User awareness and training | 36.2% | 41.5% | 31.3% | 35.3% | 20.1% | 21.0% | 6.3% |
| Cyber insurance | 33.5% | 40.8% | 30.1% | 33.5% | 19.4% | 19.9% | 7.8% |
| Metrics-based evaluation and reporting | 35.0% | 40.3% | 35.0% | 35.4% | 21.8% | 20.4% | 5.3% |
| Scenario-based risk analysis | 40.8% | 48.1% | 41.3% | 40.8% | 24.8% | 25.2% | 8.3% |
| Blocking known malware | 29.3% | 35.1% | 29.3% | 27.6% | 17.3% | 18.2% | 6.2% |
| Blocking known vulnerability exploits | 29.3% | 36.0% | 31.1% | 27.6% | 19.6% | 20.0% | 5.3% |
| Identifying and automatically blocking unknown malware | 34.2% | 40.4% | 32.0% | 28.9% | 20.9% | 19.6% | 5.8% |
| Preventing never-before-seen vulnerability exploits on the endpoint | 41.3% | 47.6% | 39.6% | 40.0% | 25.3% | 24.0% | 8.0% |
Barriers to Prevention
So what are the barriers to preventive measure implementation? Figure 10 shows the
overall results for this survey.
[Figure 10. Barriers to Preventive Measure Implementation. Survey question: “For each of these areas, what is the primary reason you have been unable to implement the controls?” Bars by measurement domain (Business, Design, Development, Operational, Technology) for each reason: No firm requirements as to exactly what is needed; Proper skill sets; Available manpower; Lack of justification; Lack of management buy-in; Inability to secure budget; No ability to manage projects or programs related to prevention; Cannot support automation demands due to infrastructure limitations. y-axis: 0% to 90%.]
Some real trends emerge when the top four reasons in each measurement domain are
reviewed. See Table 7.
The domains of design, operations and technology all suffer from a core set of
limitations in establishing preventive measures: available manpower and proper skill
sets. Ultimately, however, these measures should help achieve a positive balance, a force
multiplier that mitigates or even eliminates these limitations. It is the transition, though,
that will most likely require that painful surge in dollars due to outsourcing during this
period and training staff resources on new and needed skills.
Table 7. Top Four Barriers by Measurement Domain

| Domain | Top Reason | % |
|---|---|---|
| Business | Inability to secure budget | 29.9% |
| Business | Lack of management buy-in | 25.3% |
| Business | Lack of justification | 21.5% |
| Business | No firm requirements as to exactly what is needed | 20.5% |
| Design | Available manpower | 19.9% |
| Design | No firm requirements as to exactly what is needed | 15.0% |
| Design | Lack of management buy-in | 14.3% |
| Design | Proper skill sets | 14.0% |
| Operational | Available manpower | 30.6% |
| Operational | Proper skill sets | 22.3% |
| Operational | No ability to manage projects or program related to prevention | 19.7% |
| Operational | Cannot support automation demands due to infrastructure limitations | 19.4% |
| Technology | Available manpower | 18.8% |
| Technology | Cannot support automation demands due to infrastructure limitations | 16.1% |
| Technology | Inability to secure budget | 15.7% |
| Technology | Proper skill sets | 14.6% |
Another critical factor also emerges that is reflected in both the technology and
operational domains—infrastructure limitations that cannot support the automation
required. In addition, operationally, the capability of managing projects or programs
related to prevention is limited. Prevention requires a strategic view, ideally starting at
the beginning of the system/software development life cycle, and dedicated resources.
Trying to timeshare this activity with an overloaded security analyst or incident team
responder is not a winning proposition.
But it is the top four barriers under the business domain that tell the story of how to
overcome these limitations. The first step is to develop firm requirements for exactly
what is needed from a functional, technical and programmatic (cost, schedule and
resources) perspective. With requirements in hand, preventive measures—procedures
and tools—can be prioritized and justified to achieve management buy-in and secure a
working budget.
Moving to a Culture of Prevention
Where to start to enable a culture of prevention in an organization?
The first steps are: 1. understand the decision-making process; 2. evaluate where
the gaps are related to understanding and promoting preventive measures; and 3.
determine how to measure and monitor to keep the program alive.
The Decision-Making Process
The majority of respondents (75%) report that their executive team is involved in
decision making or oversight of their organization’s security. The majority participate
in the risk management process and conduct financial oversight of technical or policy
decisions. See Figure 11.
But the concern remains—are the executives truly informed? Do they understand the
problem(s) at hand?
[Figure 11. Executive Involvement in Security Decision Making. Survey question: “How is your executive management team involved in the decision making or oversight of your organization’s security program? Select all that apply.” Bars for: They participate in a risk management process to ensure investments are aligned to operational priorities; They conduct financial oversight of technical or policy decisions; They rely on outside consultation for review and oversight; Other. y-axis: 0% to 70%.]
Figure 12 shows that the respondents act mainly as influencers (e.g., recommenders) as
well as users of technology and policy, reflecting the fact that only 36% of respondents
represented management, as shown previously in Table 2. This result supports the fact
that respondents do not share as strongly in the decision-making processes related to
security policy and purchase of technology. Only 41% are involved in security policy
decision making, and just 36% are involved in purchasing security technologies. The
role that these subject matter experts play in establishing their organization’s security
posture can affect the approach to prevention.
And this less-than-ideal role raises the second concern: Does the executive team rely
on the subject matter experts—those who really know the business—not only for
recommendations but for participation in the final decisions regarding policy and
procurement?
An effective relationship, with communication and confidence in the roles of
executive staff and security management, is the first step in achieving a program of
prevention in an organization. You don’t want to wait until the ransomware demand
is on the doorstep.
[Figure 12. Respondent Role in Organizational Security Posture. Survey question: “What is your role in the company’s security posture? Select all that apply.” Bars for: Other; A security policy influencer; An influencer of security technology purchasing decisions; A security policy decision maker; A user of security technology; A buyer of security technology. y-axis: 0% to 70%.]
The executive team gets in the way of good security. The organization has never been burnt, which may explain the problem. Ransomware incidents may help the situation, … but they are still stuck on AV [antivirus] technology as the preventive measure.
—SANS Survey Interviewee
Measuring Success
Security activities in respondent organizations emphasize the operational nature of
security in an organization. Technical security teams in respondent organizations spent
the majority of their time creating new security controls (39%) or investigating alerts
and incidents (34%). Almost 44% are directly involved in detection and response, areas
where automation, those “force multiplier” tools and technologies, can be used to lower
these percentages. With more time available for prevention, SANS would expect to see
increases in “creating new security controls, including policies and procedures” and
“proactively hunting for advanced threats,” areas where human intervention is most
valuable and needed. See Figure 13.
[Figure 13. Where the Technical Team Spends Its Time. Survey question: “Where does your technical security team focus or spend the majority of its time?” Categories: Creating new security controls, including policies or procedures; Investigating alerts and incidents; Proactively hunting for advanced attacks; Analyzing potential breaches after they occur; Performing forensic analysis; Other; Prioritizing events for additional analysis.]
When measuring the efficacy of their security investments, respondents place
more emphasis on the technical artifacts that report on immediate success. To look
strategically at prevention, emphasis needs also to be placed on factors such as
configuration of critical information assets or how security relates as a percentage of the
company IT budget or overall revenue. See Figure 14.
Developing good metrics to determine the efficacy of security investments that
support prevention is a key aspect to the decision-making process. Figure 14 indicates
an inherent barrier to prevention that was not explicitly asked of respondents. True
prevention depends on continuous, objective monitoring and assessment—the first
and third factors in the figure above. These are the areas where an organization should
measure its investment in prevention. Prevention cannot depend on compliance
artifacts that are non-continuous, inherently reactive and potentially biased by the
nature of the audit in what they reveal.
This ties directly back to the earlier discussion on metrics-based evaluation and
reporting and its importance to an enterprise strategy for prevention.
[Figure 14. Efficacy Factors Used by Respondents. Survey question: “How do you measure the efficacy of your security investments?” Bars for the following factors (listed here in no particular order): Trends in the number of alerts that result in incidents and/or breaches; Number of issues identified by IT security as control weaknesses; Security cost as a percentage of total company revenue; Output from regular assessments (e.g., vulnerability assessment, penetration testing); Time to detect as it affects time to remediate; Compliance or other types of audit findings performed by third parties; Compliance or other types of audit findings performed by internal resources; Percentage of critical information assets in compliance with approved system architecture; Number of threats proactively identified and eliminated quarterly or annually; Other. y-axis: 0% to 60%.]
Measurement is an essential component of any successful security program. To support good decision-making, you must be able to assess your current state, and also have a way to measure and report on progress.
—A Measurement Companion to the CIS Critical Security Controls17
17 “A Measurement Companion to the CIS Critical Security Controls,” www.cisecurity.org/critical-controls.cfm, p. 3. Registration may be required.
Conclusion
Prevention is not necessarily a new concept, but it requires organizations to first think
strategically about what will happen if they are breached and, from this analysis,
operationalize an overall strategy that avoids the problems, preventing the attack or
mitigating the incident before it escalates into a breach.
Our results show that what respondents have implemented as preventive measures
is not necessarily what they consider preventive. For example, more than 50% of
respondents consider the business measures SANS identified in this survey as important,
yet fewer than half have implemented them. Similar patterns emerge for the other
categories of design and development, operational and technology measures. This trend
is also illustrated in Figure 8, where it appears that more respondents who had at least
one major breach consider those measures they haven’t necessarily implemented to be
more preventive than the measures they have implemented.
This trend speaks strongly to a dependence on experience and, indeed, the survey
results show that experience counts—those respondents who have experienced
many incidents but no breach cite an overall higher level of confidence than those
who have had at least one major breach. Experience, together with the technology
being implemented, influences the choice of what measures respondents consider
the most preventive.
What barriers have stopped respondents from implementing preventive measures? The
domains of design, operations and technology all suffer from a core set of limitations
in establishing preventive measures: available staff and proper skill sets. Ultimately,
however, the real barriers are related to the business domain.
To develop a proactive culture of prevention, the organization must understand what
the potential measures might be, what they relate to (e.g., company business and
mission), and how they are influenced by factors such as whether the organization has
been breached or any specific technology it is deploying.
Next, an understanding of the decision-making process used in the organization is
needed. After the lines of communication are established, the organization needs
to determine how best to report the required information to keep the program alive
and the executives aware of how the preventive measures are working to keep the
organization as safe as possible.
Finally, formalizing the requirements development process should be emphasized so
that it is the starting point from which timely justifications for policy, process and tools
to implement a culture of prevention can be created.
About the Authoring Team
Barbara Filkins, a senior SANS analyst who holds the CISSP and SANS GSEC (Gold), GCIH (Gold),
GSLC (Gold), GCCC (Gold) and GCPM (Silver) certifications, has done extensive work in system
procurement, vendor selection and vendor negotiations as a systems engineering and infrastructure
design consultant. She is deeply involved with HIPAA security issues in the health and human services
industry, with clients ranging from federal agencies (Department of Defense and Department of
Veterans Affairs) to municipalities and commercial businesses. Barbara focuses on issues related to
automation—privacy, identity theft and exposure to fraud, as well as the legal aspects of enforcing
information security in today’s mobile and cloud environments.
John Pescatore (Advisor) joined SANS as director of emerging technologies in January 2013 after
more than 13 years as lead security analyst for Gartner, 11 years with GTE, and service with both the
National Security Administration, where he designed secure voice systems, and the U.S. Secret Service,
where he developed secure communications and voice systems “and the occasional ballistic armor
installation.” John has testified before Congress about cyber security, was named one of the 15 most-
influential people in security in 2008 and remains an NSA-certified cryptologic engineer.
Sponsor
SANS would like to thank this survey’s sponsor: