Over the last two weeks I listened to and watched all of the hearings related to the OPM breach. During the exchanges between the witnesses and legislators, I noticed several themes. One presented the situation facing OPM (and other Federal agencies) as confronting the following choice:
You can either 1) “secure your network,” which is very difficult and going to “take years,” due to “years of insufficient investment,” or 2) suffer intrusions and breaches, which is what happened to OPM.
This struck me as an odd dichotomy. The reasoning appeared to be that because OPM did not make “sufficient investment” in security, a breach was the result.
In other words, if OPM had “sufficiently invested” in security, they would not have suffered a breach.
I do not see the situation in this way, for two main reasons.
First, there is a difference between an “intrusion” and a “breach.” An intrusion is unauthorized access to a computing resource. A breach is the theft, alteration, or destruction of that computing resource, following an intrusion.
It therefore follows that one can suffer an intrusion, but not suffer a breach.
One can avoid a breach following an intrusion if the security team can stop the adversary before he accomplishes his mission.
Second, there is no point at which any network is “secure,” i.e., intrusion-proof. It is more likely one could operate a breach-proof network, but that is not completely attainable, either.
Still, the most effective strategy is a combination of preventing as many intrusions as possible, complemented by an aggressive detection and response operation that improves the chances of avoiding a breach, or at least minimizes the impact of a breach.
This is why I call “detection and response” the “third way” strategy. The first way, “secure your network” by making it “intrusion-proof,” is not possible. The second way, suffer intrusions and breaches, is not acceptable. Therefore, organizations should implement a third way strategy that stops as many intrusions as possible, but detects and responds to those intrusions that do occur, prior to their progression to breach status.