I’d like to say I first became familiar with fire science back when I was in the Boulder County Fire Academy, but it really all started back in the Boy Scouts. One of the first things you learn when you’re tasked with starting, or stopping, fires is something known as the fire triangle. Fire is a pretty fascinating process when you dig into it. It demonstrates many of the characteristics of life (consumption, reproduction, waste production, movement), but is just a nifty chemical reaction that’s all sorts of fun when you’re a kid with white gas and a lighter (sorry Mom). The fire triangle is a simple model used to describe the elements required for fire to exist: heat, fuel, and oxygen. Take away any of the three, and fire can’t exist. (In recent years the triangle was updated to a tetrahedron, but since that would ruin my point, I’m ignoring it). In wildland fires we create backburns to remove fuel, in structure fires we use water to remove heat, and with fuel fires we use chemical agents to remove oxygen.
With all the recent breaches, I came up with the idea of a Data Breach Triangle to help prioritize security controls. The idea is that, just like fire, a breach needs three elements. Remove any of them and the breach is prevented. It consists of:
- Data: The equivalent of fuel – information to steal or misuse.
- Exploit: A vulnerability and a path to reach it that together give an attacker unapproved access to the data.
- Egress: A path for the data to leave the organization. It could be digital, such as a network egress, or physical, such as portable storage or a stolen hard drive.
Our security controls should map to the triangle, and strictly speaking only one side needs to be broken to prevent a breach. For example, encryption or data masking removes the data, but only if the keys (or the unmasked source) can't be reached over the same path as the data itself, so this depends heavily on the implementation. Patch management and other proactive controls prevent exploits. Egress filtering or portable device control prevents egress. This assumes, of course, that the controls actually work, which we all know isn't always the case.
When evaluating data security I like to look for the triangle – will the controls in question really prevent the breach? That’s why, for example, I’m a huge fan of DLP content discovery for data cleansing – you get to ignore a whole big chunk of expensive security controls if there’s no data to steal. For high-value networks, egress filtering is a key control if you can’t remove the data or absolutely prevent exploits (exploits being the toughest part of the triangle to manage).
The nice bit is that exploit management is usually our main focus, but breaking the other two sides is often cheaper and easier.
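As an added example (not code from the original post), here is what breaking the "data" side looks like in practice: a small DLP-style content discovery scanner that crawls a set of files, finds payment card numbers, and masks them so there is no fuel left to steal. The file paths and contents are constructed in memory for illustration, and the PAN pattern and Luhn filter are assumptions about what a real discovery tool would use to suppress look-alike digit runs such as order IDs.

```python
import re
from typing import Dict, List

# Constructed sample "share": an in-memory stand-in for the file shares a DLP
# discovery scan would crawl. Card numbers are the standard test PANs.
SAMPLE_FILES: Dict[str, str] = {
    "finance/refunds.csv": (
        "order,card,amount\n"
        "1001,4111 1111 1111 1111,19.99\n"
        "1002,5500-0000-0000-0004,5.00\n"
    ),
    # 16 digits that fail the Luhn check: an order ID, not a card number.
    "support/tickets.txt": "Customer called from 555-123-4567 about order 1234567890123456.\n",
    "eng/README.md": "Build id 20240101 was tagged 1.2.3\n",
}

# 14 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (assumed pattern for this example).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: filters out most digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the normalized (separator-free) Luhn-valid PANs found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_for_pans(files: Dict[str, str]) -> Dict[str, int]:
    """Content discovery: map each file that holds card data to its PAN count."""
    hits: Dict[str, int] = {}
    for path, text in files.items():
        count = len(find_pans(text))
        if count:
            hits[path] = count
    return hits


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with asterisks plus its last four digits."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)   # not a card number; leave it alone
    return PAN_RE.sub(repl, text)


def cleanse(files: Dict[str, str]) -> Dict[str, str]:
    """Data cleansing: return the share with every discovered PAN masked."""
    return {path: mask_pans(text) for path, text in files.items()}


if __name__ == "__main__":
    print("Files holding card data:", scan_for_pans(SAMPLE_FILES))
    for path, text in cleanse(SAMPLE_FILES).items():
        print(f"--- {path} ---\n{text}", end="")
```

Run against the sample share, only `finance/refunds.csv` is reported (two PANs); the order ID in the ticket and the build id are ignored, and after cleansing the refund file keeps only the last four digits of each card. The same scan-then-mask loop is what a content discovery tool does across real file servers, and once it reports zero hits the downstream exploit and egress controls for that share are no longer protecting anything.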
Reader interactions
8 Replies to “The Data Breach Triangle”
Interesting model. I like the more general approach, but I am curious how you would account for issues such as many of the SQL injection worms from last year. Theoretically, many of the sites hit did not hold any sensitive data, yet the attackers were able to upload links to malware into the applications' content data stores, forcing the sites to serve up malware to visitors of the site. The malware contained keystroke loggers, etc., that likely collected sensitive data directly from the clients' machines.
In cases such as these, the sites could have argued they eliminated or broke one side of the triangle by not storing or transmitting any sensitive data, yet in the end, the data was still stolen.
Well, I am not a firefighter, but I remember the movie Hellfighters (John Wayne): Sometimes the only way to deal with fire is with a big explosion. I guess that for US organizations you should the FTC…
Seriously, I agree that risk is a function of the data value, accessibility and the exploit factors. But since it is not a simple function, I would use a pyramid or another shape (for sure not a perfect triangle) that can illustrate that changing one factor affects the others.
For example, when using encryption to hide the data, one will face other risks relevant to key management, trusted users (especially if whole disk encryption is used), etc.
Sharon
This is a very helpful concept, regardless what you call the three sides of the triangle – very simple yet very powerful.
The “exploit” side of the battle was lost a long time ago, and continues to be lost every day. Probably the same with the egress side.
It seems to me that the real work needs to take place in the area of making stolen data hard or impossible to use.
Patrick Florer
Dallas
I think the fact that the model generalizes is a sign of a good model!
Ant,
How true, I suppose I’m merely providing a data-specific version, for whatever that’s worth. I’ll clean it up a bit and update it this afternoon…
More generally: {Asset, Ingress, Egress}, or for those folks who aren
Thanks Martin,
I think you’re right… exploit is too limiting, access can encompass exploit. Will go update!
Rich,
Perhaps ‘access’ would be a better term to use than ‘exploit’. A malicious outsider needs an exploit to access the data, whereas a malicious insider usually has access to the data to begin with. You need the loot, a way to get the loot and a way to escape with the loot when you’ve got it. Is there any such thing as a ‘crime triangle’?
I’m going to have to give this a bit more thought; I believe you have the right idea, but I think this somehow defines the data breach elements too narrowly. I haven’t figured out exactly what leads me in that direction yet, but it will come to me.