Take a minute and see if you can tell what the image is above based on only pieces of it being revealed. Is it a dog? a bear? Or something else altogether. Back in the eighties there was a game show called CatchPhrase that me and my older sister would watch from time to time. It was short lived in the United States, lasting a little over four months, but we loved it. Gameplay, as noted on the Catchphrase Wikipedia page, focused around players trying to identify an illustrated puzzle (or catch phrase) by removing each one of the nine panels that were initially used to mask it. My sister and I would obviously compete against each other while watching to see who could get the catch phrase first. I liked the game because the premise was trying to figure out a puzzle based on incomplete information. As a teenager at the time, yes I’m old, my whole life was trying to figure out stuff with limited data. We didn’t have Google back then. Instead, we had to ask our parents and mine always had a chore or something for me to do before they’d give up the goods.
Anyway, I’m sure you’re all asking what does this have to do with information security. The answer is fairly simple and straight forward. In this day and age of daily notifications of breaches and security incidents, those responsible for protecting their organization’s systems, applications, and sensitive data will more than likely have to play their own game of CatchPhrase sooner rather than later. But first, a little context on those breaches.
Background on the Breaches
As of the date I am writing this, Troy Hunt’s “Have I Been Pwned?” site lists 479 pwned websites, 10,196,051,455 pwned accounts, 113,758 pastes and 194,794,935 paste accounts. Recent breaches include Experian (South Africa), LiveAuctioneers and the dating site Zoosk, which contained sensitive information like date of birth, political views, and sexualities of over twenty-three million users by itself.
The U.S. Department of Health and Human Services Office of Civil Rights Breach Report shows over three hundred and seventy breaches affecting 500 or more individuals in 2020 alone, with just under seventy percent of them related to a Hacking / IT Incident.
Lastly, according to IBM’s 2020 “Cost of a Data Breach Report” which included 3,200 interviews within 524 breached organizations across 17 countries, the current average cost of a data breach is $3.86 million, with healthcare having the highest industry cost.
These are some staggering numbers. The final numbers for 2020 won’t be known for a while, but it is my guess they will be even worse as a result of the challenges this year has presented to IT/Security departments. The pandemic alone has forced companies to quickly transition to a more remote workforce which has expanded the perimeter that they must protect, all while attackers are bombarding their users with malicious Covid-based phishing emails.
Dwell Time (It Gets Worse)
The 2012 iteration of FireEye’s M-Trends report noted that the global median number of days that an attacker was present on a victim’s network before detection (Dwell Time) was 416 days, or 1.14 years. Fast forward to 2020, the 11th iteration of the M-Trends report (released in February) shows a significant reduction in the Dwell time at just under 60 days. This was also a substantial improvement from 2019 which found the average Dwell Time to be 78 days. With that said, two months is still a very long time, especially for those organizations that store, process or transmit sensitive data, to discover a breach.
But what about CatchPhrase
For those readers that have been to one of our Infosec Quarterly Quorum (IQ2) presentations, we have a segment within each of our presentations called “Cybersecurity by the Numbers” that is used to share the various metrics that we see from our Security Assessments practice. One of those metrics we cover is Visibility, which is basically the percentage of events within our penetration test chain that were visible by the client during the engagement. I’ve said this many times, but it’s the metric that I think is the most important that we share. Like almost all security assessors, our red teams are elated when they get that initial foothold within a client’s network. However, as a company whose mission is to improve the security posture of the organizations we work with, we would much rather celebrate our client’s victories or wins every time. That includes not only when we are unable to capture their designated flag, but also when they see every step if we do obtain a flag – the Visibility metric. That metric for first time engagements today is 12% visibility (which incidentally is the percent of the picture at the start of this piece that’s not obfuscated – can you tell what it is yet?). On average, our penetration test chains include roughly 8 steps, which translates to organizations seeing maybe one step. That’s like playing a game of CatchPhrase where only a tiny fraction of the puzzle is revealed, but instead of missing out on a trip to Acapulco or a new stereo system for the den, the ramifications of not solving the problem, as I’ve laid out above, are much worse.
What to do, What to do
At Contextual Security Solutions, we don’t sell products. With that said, we understand that a major piece of the Visibility problem is getting the right mix of products and solutions in place to gather, correlate, and present security logs in a format that is efficient to digest. However, just as important as getting that logging infrastructure in place is the need to test those systems to ensure they are providing visibility into your network, with emphasis on those things that could do it most harm. That’s where we come in. As part of every Security Assessment Contextual Security Solutions performs, we work hand in hand with our clients to determine their visibility score and provide recommendations on how they can improve it. In addition, we also offer post-engagement services (Post Attack Visibility Engagement) that focus on helping organizations better identify and respond to active attacks within their environment.
To learn more about our services, call and speak with one of our knowledgeable representatives 844-526-6732. You can also email us with any questions at firstname.lastname@example.org. Also, if you care to take a guess on what the picture is at the top of this piece, send us an email. If you’re the first to get it right, we’ll send you one of our Contextual Security Solutions Nike hats. Otherwise, we’ll be sure to reveal the image at the end of our next IQ2 (tentatively scheduled for mid November). If you haven’t joined our global chapter group and would like an invitation, let us know and we’ll send you an invitation as well as information on the Q4 meeting.
Good luck! We look forward to standing by you when you’re having trouble with your visibility (kind of like when the moon is the only light you’ll see). Hint hint…..