The Data Breach Triangle in Action

I refer back to Rich’s Data Breach Triangle over and over again. It’s such a clear and concise way to describe a data breach – past or potential. And we continue to see examples of how focusing on breaking one leg of the triangle works. From “How the RSA Attackers Swung and Missed at Lockheed Martin” on Threatpost:

“But instead of closing the door and shutting the attackers out, Lockheed’s team began monitoring their activities to see what they were doing, where they were going and what tactics they used.”

The typical incident response playbook involves finding a compromised device and fixing it, but with today’s advanced attacks you can’t be sure you have actually eliminated the threat with a single remediation activity. So in some cases it makes more sense to observe the attackers, rather than trying to clean them up immediately.

“The lesson, Adegbite said, is that preventing attackers from getting anything useful off a network is far more important than trying to prevent every attacker from getting in. ‘The investment to stop people from coming in is too high,’ he said.”

Break the egress leg of the triangle and there is no breach. And that’s why we focus on egress filtering and active protections like DLP in an effort to prevent exfiltration.

—Mike Rothman

Comments:

By SteveA on 02/09 at 11:23 AM

I agree completely. Have a weathered diagram on the whiteboard in my office supporting this theory: Malware Motel - bad guys get in, but can’t get out! [See: http://adsmuseum.com/jingles/roach-motel]
