RiskPundit

The specific issue I would like to highlight now is the section on methods by which the investigated breaches were discovered (Discovery Methods, page 37). 83% were discovered by third parties or non-security employees going about their normal business. Only 6% were found by event monitoring or log analysis. Routine internal or external audit combined came in at a rousing 2%.

These numbers are truly shocking considering the amount of money that has been spent on Intrusion Detection systems, Log Management systems, and Security Information and Event Management systems. Actually, the Verizon team concludes that many breached organizations did not invest sufficiently in detection controls. Based on my experience, I agree.

Given a limited security budget there needs to be a balance between prevention, detection, and response. I don’t think anyone would argue against this in theory. But obviously, in practice, it’s not happening. Too often I have seen too much focus on prevention to the detriment of detection and response.

In addition, these numbers point to the difficulties in deploying viable detection controls, as there were a significant number of organizations that had purchased detection controls but had not put them into production. Again, I have seen this myself as most of the tools are too difficult to manage and it’s difficult to implement effective processes.