Back in March, "The New School of Information Security" by Adam Shostack and Andrew Stewart came out trailed by a flurry of largely positive reviews by InfoSec bloggers. I found it compelling reading the first time and gave it a fresh run through recently. A concise summary of TNOIS would be that if Shostack and Stewart showed up at a rally, their banner would read: "Use hard data to guide how you react!"
How can any security practitioner disagree with that?
In the next couple of posts I'd like to use some "New School" thinking on the subject of Data Loss Prevention and analyze two interesting data sources to find new meaning and new ways to manage InfoSec risk. The first of these data sources (and the most obvious place to look) is the well-known DataLossDB open source database.
This popular and quite useful set of hard InfoSec data comes from the Open Security Foundation. Poring through the DataLossDB stats is interesting reading for anyone in the InfoSec trade, and the community should be thankful for the hard work of the many volunteers who have assembled it. I'm additionally indebted to the Etiolated.org team for providing a convenient query interface for this data, which made some of this analysis possible and gave me charts like these:
These breach patterns seem to tell the following story:
* Data breaches are primarily driven by laptop thieves (#1) and hackers (#2)
* Malicious insiders perpetrate a higher average record-count per breach
- Around 1M records per incident for malicious insiders
- Around 300k records per incident for hackers
* Insider problems appear to be, in aggregate, less severe
* Implied conclusions you may be tempted to draw from this data are:
- Security teams should primarily focus on securing laptops from theft
- Second priority should be deeper defense in depth against hackers
- Malicious incidents, although pretty damaging, just don't happen that much
- Accidental data loss isn't that much of a big deal
We See Things Differently
As the leading player in Data Loss Prevention, we help some of the largest enterprises in the world through data breach events and confidential data exposure problems. We have the largest deployments of these systems of any vendor in the space and this provides us a broad view of what's really happening with confidential data exposure trends.
From where we sit, the implied conclusions above don't match too well with the reality we see in the field. In sum, there's a big difference between what's reported publicly and what's really happening on enterprise systems.
In my next post, I'll give more detail about what we are seeing out in the field, and offer some explanations as to why the public reports of breach rates don't really tell the full story.
Founder, Data Loss Prevention Division