Research Revisited: The Data Breach Triangle
By Rich
This has always been one of my favorite posts, and it is one I still use regularly. I even have a slide on it in my RSA presentation for this week.
The triangle still guides a lot of my thinking on data security. I am also now starting to think in terms of workload security, about which you will be hearing more soon. In this age of increased focus on egress filtering and incident response, I think the triangle does a good job of capturing a direction many security professionals realize we need to head.
I originally posted this May 12, 2009.
The Data Breach Triangle
I’d like to say I first became familiar with fire science back when I was in the Boulder County Fire Academy, but it really all started back in the Boy Scouts. One of the first things you learn when you’re tasked with starting, or stopping, fires is something known as the fire triangle. Fire is a pretty fascinating process when you dig into it. It demonstrates many of the characteristics of life (consumption, reproduction, waste production, movement), but is just a nifty chemical reaction that’s all sorts of fun when you’re a kid with white gas and a lighter (sorry Mom). The fire triangle is a simple model used to describe the elements required for fire to exist: heat, fuel, and oxygen. Take away any of the three, and fire can’t exist. (In recent years the triangle was updated to a tetrahedron, but since that would ruin my point, I’m ignoring it). In wildland fires we create backburns to remove fuel, in structure fires we use water to remove heat, and with fuel fires we use chemical agents to remove oxygen.
With all the recent breaches, I came up with the idea of a Data Breach Triangle to help prioritize security controls. The idea is that, just like fire, a breach needs three elements. Remove any of them and the breach is prevented. It consists of:
- Data: The equivalent of fuel – information to steal or misuse.
- Exploit: The combination of a vulnerability and/or an exploit path to allow an attacker unapproved access to the data.
- Egress: A path for the data to leave the organization. It could be digital, such as a network egress, or physical, such as portable storage or a stolen hard drive.
Our security controls should map to the triangle, and technically only one side needs to be broken to prevent a breach. For example, encryption or data masking removes the data (depending a lot on the encryption implementation). Patch management and proactive controls prevent exploits. Egress filtering or portable device control prevents egress. This assumes, of course, that these controls actually work – which we all know isn’t always the case.
When evaluating data security I like to look for the triangle – will the controls in question really prevent the breach? That’s why, for example, I’m a huge fan of DLP content discovery for data cleansing – you get to ignore a whole big chunk of expensive security controls if there’s no data to steal. For high-value networks, egress filtering is a key control if you can’t remove the data or absolutely prevent exploits (exploits being the toughest part of the triangle to manage).
The nice bit is that exploit management is usually our main focus, but breaking the other two sides is often cheaper and easier.
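As an added illustration of the "remove the data" side of the triangle (the DLP content discovery mentioned above), and not code from the original post: a minimal discovery scan over a constructed set of files that reports only card numbers passing the Luhn check, so the output is a worklist of places where data can be cleansed or encrypted. The file contents and paths are made up for the example.

```python
import re
from typing import Dict

# Constructed sample "file share": path -> contents. These are invented
# documents standing in for what a content discovery scan would crawl.
SAMPLE_FILES: Dict[str, str] = {
    "finance/refunds_2009.csv": "order,card\n1001,4111 1111 1111 1111\n1002,5500-0000-0000-0004\n",
    "eng/build.log": "build id 1234567890123456 finished ok\n",  # 16 digits, not a card
    "hr/handbook.txt": "Welcome to the company. No cardholder data here.\n",
}

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out random digit runs such as build ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover_card_data(files: Dict[str, str]) -> Dict[str, int]:
    """Return {path: count of Luhn-valid card numbers} for files with any hits.
    Files with zero hits are omitted, so the result is the cleanup worklist."""
    hits: Dict[str, int] = {}
    for path, text in files.items():
        count = 0
        for m in CANDIDATE_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                count += 1
        if count:
            hits[path] = count
    return hits


if __name__ == "__main__":
    for path, n in discover_card_data(SAMPLE_FILES).items():
        print(f"{path}: {n} card number(s) to remove or encrypt")
```

Only the finance export shows up; the build log's 16-digit identifier fails the Luhn check and is not reported, which is the kind of false positive a real discovery tool has to suppress.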
Egress is the one I see *violently* mishandled so often… with me grabbing my head and wailing “The 1990s are oooooooooooover!!! why - oh - why are you doing it like this!?”
By Anton Chuvakin
This is one of the most important posts on the Securosis blog. I used the triangle in my plans for the Information-centric security plan I put together for my last employer. (I “borrowed” that term too). The triangle was actually in the RFQ that was used for quotes to test the “data” and “egress” parts of our network. So well done.
I think that the triangle is a bit too simple. I prefer the steps in Appendix B of Mandiant’s APT1 report being:
5. Lateral Move
6. Maintain Presence
7. Complete Mission
Of these, I think that recon and lateral movement are important and not covered in the triangle model.
Considering that APT1 was moving Gigs of information out of organisations… my analogy is trying to stop an ant coming into your house (difficult) but ignoring an ant colony taking all your food out of your house (stupid).
By Allen Baranov