The Breach Trilogy: Assume, Confirm, Discuss
We’ve been hearing for several years that we should assume breach. Many people have taken this to heart [link to http://online.wsj.com/article/PR-CO-20130422-908095.html?mod=googlenews_wsj no longer works] (although today’s DBIR still says it’s still months to detect those breaches).
I’d like to propose (predict?) that breach as a central concept will move through phases. Each of these phases will go through a hype cycle, and I think of them as sort of a trilogy.
We all understand “Assume Breach,” so let’s move on to “Confirm Breach.”
Confirm Breach will be a cold place. Our heroes will be on the run from an evil empire whose probes penetrate to every corner of the network. Over-dependence on perimeter defenses will be shown to be vulnerable to big, clumsy social engineering attacks. Okay, okay, I’m working too hard for the Empire Strikes Back angle here. But really, no one really wants to confirm a breach. We are running from APT, and we really do over-depend on perimeter defenses. As we get more comfortable with the fact that confirm a breach rarely hurts the breached organization very much, we’ll start to see less reticence to confirm breaches.
Recently, I was talking to someone whose organization had banned the term “breach” so they don’t have to report. That’s going to raise eyebrows and look more and more churlish and unsustainable.
Organizations and their counsel will start to realize that the broad message from Congress and the Executive Branch in the US, and Privacy Commissioners and Legislatures elsewhere is to disclose incidents. Their willingness to contort themselves to avoid such disclosure is going to drop. First the need to do so and then the professionalism of those offering such advice will be called into question by other lawyers.
In the meanwhile, legislators and then legislatures will get tired of lawyers playing word games, and propose stricter and stricter laws. For example, Lexology reports that the Belgian Privacy Commissioner is asking for breach notification within 48 hours. Such a requirement risks pulling firefighters from a fire, and putting them on form-filling. And it’s a direct response to the ongoing delays in reporting breaches without a clear explanation of why it took so long.
That will lead to an era of “Discuss Breach.”
Once we get to a point where breach confirmations are routine, we can look forward to really discussing them in depth, and understand the root cause, the controls that were in place, the detective mechanisms that worked, and the impact of the incident.
When we’re in the world of Discuss Breach, the pace at which things will get better will accelerate dramatically.
(In the future, someone will make a bad trilogy about deny breach, assume mitochlorians, and we’ll all pretend it didn’t happen.)