I was just talking to a client who has over ¾ of a million devices in their network. That is over 750,000 devices. Do you want to bet that there are always at least a few that are compromised?
I also spoke to a CISO of a very large organization who has multiple CSOs reporting to him. On average they are handling 17 major incidents at any point in time.
Traditionally we have focused on preventive (also called preventative) controls like firewalls, encryption, antivirus, etc. But no control is 100% effective, and even when we have multiple overlapping preventive controls (“defense in depth”), things can be and are bypassed.
Prevention is ideal, but detection is a must!
I’m going to credit this very true quote to Dr. Eric Cole as I first heard it from him. Detection is absolutely a must.
My Uncle has had bouts with cancer. Sure wish cancer had been prevented, that he had never gotten it. But in each case, it was detected pretty early and he has recovered 100%.
This brings up a corollary to prevention is ideal, but detection is a must:
Speed of detection is critical.
Let’s say you are gone for a week, and someone breaks into your house. If the alarm goes off and the police arrive in 5 minutes, probably not much damage will occur. If however you do not detect the intrusion until you return a week later, far more damage is likely to have occurred. Maybe they stole everything, including your furniture, rugs, copper pipes, and more?
Nortel was formerly a massive company based in Mississauga Ontario. I consulted with them in the late 1980s when they were known as Northern Telecom. Nortel no longer exists, having filed for bankruptcy protection in early 2009.
Apparently hackers had complete access to their systems for a very long time. They were totally owned. Allegedly their massive facility even had scores of “listening devices” or “bugs.” According to Wikipedia, the original hack was “Thought to have originated in 2000, for nearly ten years they accessed documents including emails, technical papers, research, development reports, and business plans.”
What if your competitors knew everything you knew? They had access to all your business contracts, new technology being developed, competitive bids, they read every executive email. You had zero secrets. It would be potentially catastrophic!
It is possible that if the Nortel hack had been detected quickly and dealt with that they would still exist.
In any organization we know that things will go wrong, that our preventive controls will be breached, and that we need detective controls. And we also know that our detective controls, if even remotely effective, WILL detect things (hopefully everything significant).
To use the vernacular:
Shit Happens, and we had better be prepared to deal with it.
We sometimes talk about “incidents” which are anything that implies harm or the possibility of harm. Incidents, including malware infestations, hacker attacks, “errors and omissions “ (people screwing up), natural disasters, and more will occur.
Since incidents will occur, we had best have a trained incident handling team. We want to be UNLIKE a transportation company I know where every time something goes wrong they run around like chickens with their heads cut off and it’s total chaos. That my friends, is bad!