I refer back to Rich’s Data Breach Triangle over and over again. It’s such a clear and concise way to describe a data breach – past or potential. And we continue to see examples of how focusing on breaking one leg of the triangle works. From How the RSA Attackers Swung and Missed at Lockheed Martin on Threatpost:

“But instead of closing the door and shutting the attackers out, Lockheed’s team began monitoring their activities to see what they were doing, where they were going and what tactics they used.”

The typical incident response playbook involves finding a compromised device and fixing it, but with today’s advanced attacks you can’t be sure you actually have eliminated the threat with a single remediation activity. So in some cases it makes more sense to observe the attackers, rather than [trying to] clean them up immediately.

“The lesson, Adegbite said, is that preventing attackers from getting anything useful off a network is far more important than trying to prevent every attacker from getting in. “The investment to stop people from coming in is too high,” he said.”

Break the egress leg of the triangle and there is no breach. And that’s why we focus on egress filtering and active protections like DLP in an effort to prevent exfiltration.