“You’re in the fight, whether you thought you were or not”, Gen. Mike Hayden, former Director of the CIA and NSA. It may appear at first to be a scare tactic or an attempt to sow fear, uncertainty, and doubt, but truly, what this means is that it’s time to adopt the Assume Breach paradigm.
Mr. Hayden also said, “You are almost certainly penetrated.” These words ring true and it’s time to acknowledge that a breach has either already occurred or that it’s only a matter of time until it will. It is more likely that an organization has already been compromised, but just hasn’t discovered it yet. Operating with this assumption will reshape detection and response strategies in a way that pushes the limits of any organization’s infrastructure, people, processes, and technologies.
Traditional security methodologies have largely been focused on prevention. It is a defensive strategy aimed at eliminating vulnerabilities and thereby mitigating security breaches before they happen. However, as the daily news headlines bear witness, perfect protection is not practical. So, monitoring is necessary.
Many businesses think of IT security as a nice-to-have option – just a second priority to be addressed, if IT budget dollars remain. However, compliance with regulations is seen as a must-have, mostly due to fear of the auditor and potential shame or penalty in the event of an audit failure. If this mindset prevails, then up to 70% of the budget under security and compliance will be allocated to the latter, with the rest “left over” for security. And as the total amount shrinks, this leads to the undesirable phenomenon known as checkbox compliance. Article after article explains why this is a bad mindset to have.
Remember, you’re in the fight, whether you knew it or not. Accept this and compliance becomes a result of good security practice. The same IT security budget can become more effective.
If you’re overwhelmed at the prospect of having to develop, staff, train, and manage security and compliance all by yourself, there are services like EventTracker’s SIEMphonic, that will do the heavy lifting. See our “Catch of the Day” to see examples of how this service has benefited our customers.