Last week, experts told the US Senate it was time to assume that American military networks have been breached and that ramping up traditional fortress features like firewalls, AV and gateway devices was effectively a waste of time. Dr. Kaigham Gabriel, head of the Defence Advanced Research Projects Agency, compared current information and network protection efforts to treading water in the open ocean; all that blocking and locking did was slightly delay the inevitable.
This reality check dovetailed rather nicely with the release of Verizon’s annual Data Breach Report for 2012, which found that hacking was linked to almost all of the 855 incidents and 174 million compromised records the company investigated in 2011. Malware featured in 95 per cent of all stolen data incidents.
Hacking and malware have been exchanging places in the top three causes of data breach for years now. While there are plenty of tools out there doing a fine job of removing known threats using established methodologies, it’s becoming abundantly clear that this, on its own, is not enough to protect valuable information assets from falling into the wrong hands.
The reality is that focusing on inbound threats is outdated. As Dr. James Peery, head of Information Systems Analysis Centre at the Sandia National Laboratories in the US puts it, “We’ve got the wrong mental model here.” It’s time to focus on the content, not the threat; controlling access is all well and good, but protecting information is paramount.
If there’s one thing that the Data Breach Report underlines, it’s the reality that data theft and leakage come in a variety of flavours and vectors. Traditional, threat-focused methods are the equivalent of shooting in the dark. In today’s environment, it makes far more sense to protect your content and monitor it in the context of how you need to do business.
Knowing where and how your information is used and understanding the context within which users communicate empowers you to extract maximum value without putting information at risk.
Letting AV and threat-detection policies define your information protection stance is not only outdated, as 2011’s data leakage statistics suggest, it cannot protect your data. It’s time to stop treading water and start swimming.