Gulp! Is that a Naked Emperor I See?

In the midst of his riff on Amrit’s anti-FUD lament, Alex at Risk Management Insight relates a story about an enterprise that installed a data leakage / content monitoring / extrusion prevention solution to evaluate data leakage throughout its organization. At the end of the trial, they made an important observation:

"If they were leaking all this data, where were all the incidents?"

The idea of "leakage" is a notion worth addressing in a world of mobile employees, outsourced business functions, and super-strategic partnerships where data is routinely shared across many traditional boundaries. It is pretty straightforward to identify a leak simply as a violation of policy – that is, sensitive data was shared when it shouldn’t have been. Another type of leak is the nefarious one – when an employee is caught stealing information and transferring it to a competitor or using it for his/her own gain. The former is (anecdotally) the most common situation, but the latter is the most significant.

Alex continues his comments to discuss how the frequency of incidents fits into the risk equation, and how these leakage events don’t necessarily result in incidents where the information is used against the owner. (The parallel here with personal information is simply that loss of identity information doesn’t necessarily lead to identity fraud.)

Of course, the notion of an incident and its corresponding loss function is trickier than is described here. While I don’t subscribe to the whole mentality of massive, secret breaches HAPPENING RIGHT NOW EVERYWHERE!!!! and leading to significant losses WHILE WE REMAIN UNAWARE!!!!, it isn’t hard to assert that some organizations are likely to be in this situation right now, and when such an enterprise figures out that it has been breached, it will correlate its damage estimates with the duration of the breach (longer time, higher damages).

[Allow me to brainstorm briefly, because duration is an important point here - it may mean we'll need to differentiate between incidence and prevalence at some point in the future of information security.]
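To make the incidence/prevalence distinction concrete, here is an added worked example (not part of the original post). It computes, over a constructed population of ten organizations and a constructed list of breaches, how many breaches began in a period (incidence), what share of organizations is compromised on a given day whether anyone knows it or not (prevalence), and a damage estimate under an assumed linear "longer time, higher damages" model. The breach list, population size, `records_per_day` and `cost_per_record` are all assumptions made up for the illustration.

```python
"""Incidence vs. prevalence of breaches on a constructed sample.

A low rate of new breaches (incidence) still leaves a large share of
organizations compromised at any instant (prevalence) when breaches go
undetected for a long time.  Averaged over the observation window, prevalence
equals the incidence rate times the mean breach duration (Little's law), which
is the arithmetic behind "longer time, higher damages".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Breach:
    org: str
    start: int                # day the compromise began
    detected: Optional[int]   # day it was discovered; None = still unknown


# Constructed sample: 10 organizations observed for 365 days.
POPULATION = 10
OBSERVATION_DAYS = 365
BREACHES: List[Breach] = [
    Breach("org-a", start=10, detected=40),     # caught within a month
    Breach("org-b", start=50, detected=320),    # nine months undetected
    Breach("org-c", start=120, detected=None),  # still undetected at day 365
    Breach("org-d", start=200, detected=210),   # caught quickly
    Breach("org-e", start=300, detected=None),  # still undetected at day 365
]


def incidence(breaches: List[Breach], window_start: int, window_end: int) -> int:
    """Number of new breaches that began in [window_start, window_end)."""
    return sum(1 for b in breaches if window_start <= b.start < window_end)


def active_on(breaches: List[Breach], day: int) -> List[Breach]:
    """Breaches ongoing on `day`: started on or before it and not yet detected."""
    return [b for b in breaches
            if b.start <= day and (b.detected is None or b.detected > day)]


def prevalence(breaches: List[Breach], day: int, population: int) -> float:
    """Share of the population compromised on `day`, known or not."""
    return len({b.org for b in active_on(breaches, day)}) / population


def mean_prevalence(breaches: List[Breach], days: int, population: int) -> float:
    """Prevalence averaged over days 0..days-1 of the observation window."""
    return sum(prevalence(breaches, d, population) for d in range(days)) / days


def mean_duration(breaches: List[Breach], as_of: int) -> float:
    """Average days a breach has been open; undetected ones are counted up to `as_of`."""
    durations = [(b.detected if b.detected is not None else as_of) - b.start
                 for b in breaches if b.start <= as_of]
    return sum(durations) / len(durations) if durations else 0.0


def damage_estimate(breach: Breach, as_of: int,
                    records_per_day: int = 100, cost_per_record: float = 2.0) -> float:
    """Assumed linear model: loss grows with days of exposure.

    The per-day and per-record figures are placeholders, not measured costs.
    """
    end = breach.detected if breach.detected is not None else as_of
    return (end - breach.start) * records_per_day * cost_per_record


if __name__ == "__main__":
    print("breaches started this year:", incidence(BREACHES, 0, OBSERVATION_DAYS))
    print("prevalence on day 100:", prevalence(BREACHES, 100, POPULATION))
    print("prevalence on day 310:", prevalence(BREACHES, 310, POPULATION))
    print("mean duration (days):", mean_duration(BREACHES, OBSERVATION_DAYS))
    print("mean prevalence:", mean_prevalence(BREACHES, OBSERVATION_DAYS, POPULATION))
    for b in BREACHES:
        print(b.org, "estimated damage:", damage_estimate(b, OBSERVATION_DAYS))
```

Note that the mean prevalence over the year (about 0.17) is exactly the yearly incidence rate (5/365 per day) times the mean duration (124 days) divided by the population, so a defender who only counts new, detected breaches sees a much rosier picture than the share of organizations that are compromised on any given day.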

My point: Evidence matters. That is, we must continue to distinguish among the nature and types of incidents and corresponding losses. Policy violations may lead to losses like regulatory fines, but not necessarily abuse of data, which was the reason for the policy in the first place.

All of these issues, of course, point to the need for more quantitative, objective (oh, and causative) work being done to understand consequences in situations where "leakage" is the norm, not the exception. (Btw, DLP solutions are great simply for understanding the volume and usage patterns of sensitive data, which is exactly the information this work needs.)

Update: Adam asks a great question in the comments. (Thanks for the links, Adam!). Here is an attempt at clarification:

As far as I can tell from reading the article, it makes precisely my (intended) point which I probably didn’t make as well as I could have.

Let’s see if I can clarify what I believe, and I haven’t seen any data to refute these beliefs as of yet. (Nor have I seen great data that supports them, however):

1) There are undoubtedly lots of "leakage events" going on all the time. These are, by and large, occurring through "garden variety" policy abuse by employees and stolen laptops/PDAs; they are generally not malicious attacker events. Any of these cases might result in losses.

2) There is also much, much more information sharing going on that is considered legitimate by policy but also may end up resulting in losses.

3) Malicious attackers do not have a stronghold in every enterprise on the planet (unless you count employees as malicious attackers;-)). They are likely, however, to have compromised some relatively small proportion of organizations and these organizations don’t know about it yet.

While I don’t know this, I suspect a large (huge, really) portion of the "breaches" being reported in your article are of the policy abuse and stolen laptop situations. When I asserted my opinion above, I was talking about malicious attacker breaches of the TJX variety, though I wasn’t clear in saying this.

In any case, the larger part of my post intended to suggest (and I believe Alex intended this as well) that even though leakage events occur frequently, it is not clear how much of this leakage is turned into losses like identity fraud, competitive market share, stolen customers, etc*. In addition, it is not even clear whether these leakage events create higher risk for an enterprise that is already sharing information in huge volumes.

* Note that the bulk of losses associated with these events revolve around notification, legal costs, and forensics analysis, and not around the losses mentioned previously.

4 comments for “Gulp! Is that a Naked Emperor I See?”

  1. November 13, 2007 at 12:54 pm

    Pete,

    If you don’t subscribe to a massive number of breaches, why did GAO report that CERT is hearing about roughly a breach an hour? Is the US government different?

    We move rocks, we see things. We move more rocks, we see more things. You seem to be saying that the next rock is going to be different.

  2. Kevin Rowney
    November 13, 2007 at 8:03 pm

    One of your quotes will amaze nearly anyone who has actually seen the live results of a DLP-style risk assessment:

    “it is not even clear whether these leakage events create higher risk for an enterprise that is already sharing information in huge volumes”

    Yes, there aren’t reliable numbers yet on the conversion rate from exposure events to actual legal/financial harm, but response to the wrap-up results of DLP risk-assessments nearly always lands somewhere between “shock” and “awe”. Anyone in business immediately sees the potential harm that can come from these exposure events and, often enough, activity found by just a two-day risk assessment finds clear evidence of serious harm.

    I agree it’s important not to try to create a sense of panic out there. Besides, FUD marketing doesn’t work anyway. On the other hand, you are *way* out on a limb if you think the problem that DLP treats is illusory or just vendor marketing spin.

  3. Pete
    November 14, 2007 at 12:15 am

    @Kevin -

    Spoken like a true DLP vendor ;-)

    First, I should say that I happen to be a big fan of DLP solutions, not because, omigosh! the world is coming to an end, but simply because they provide concrete evidence of the nature and type of activities that are ongoing in enterprises today.

    Second, this post was not about the DLP value proposition, it is about evidence-based security, with Alex’s DLP example as an illustration. You not only confirmed my point in this regard, but reinforced it – I am not surprised at all that people react strongly even without evidence of that information being used against them. They reacted strongly with all the IDS alerts to ping sweeps back in 1998, too.

    It is well-documented that people over-react to risk (see Paul Slovic et al. and the academic work on the perception of risk); I am cautioning against that kind of reaction, in any/all cases that come up.

    You’re not really suggesting that because people are “shocked” and “awed” by your reports that it causes or even correlates to losses, are you?

    Heck, Vontu would probably be in the best position to provide such quantitative analysis. Do you have it?
