Has Information Security Reached Peak Prevention?

danielmiessler ‎03-06-2013 10:50 AM - edited ‎07-07-2015 12:43 PM



As we all know, there are two main components to risk: 1) the chance that something will happen, and 2) how bad it would be if it did--or, probability and impact. For the last 20 years we've been focused almost exclusively on probability, i.e. trying to make sure bad things don't happen.


The problem is that we’ve reached Peak Prevention. Like Peak Oil, Peak Prevention is a wall of diminishing return, and we've hit it. We can multiply our prevention efforts many times over and get very little reduction in risk (and perhaps even an increase due to ever-advancing threats). 10 years ago we were at around 50% prevention maturity, and now we’re at roughly 90%. If we spend another 10 years and 10 trillion we can maybe get to 95%. But all that effort would provide only a small fraction of the risk reduction we could achieve by making successful compromises less costly.


The Resilient Approach


Both in physical and information-based attacks, the offenses themselves often hurt us much less than our responses. Reacting emotionally to being attacked magnifies the damage and plays directly into the hands of the attacker. We need to move from a paradigm of terror at the thought of a breach, and panic once one has been detected, to that of practiced, mature preparation and controlled response. We may not be able to lower the probability value much more in the risk equation, but we can absolutely adjust the impact. And if the impact goes down, so does the risk.



In this world, the negative publicity from getting hacked would come only from negligence with controls and/or a poorly handled incident response or notification. As it becomes understood that highly trained, asymmetrically resourced adversaries will penetrate highly complex global networks and do harm, the taboo of compromise is largely removed.


In fact, this is precisely what we're seeing happen. In the last decade we’ve seen literally hundreds of public breaches, with a staggering number coming in the last few months alone. Some of these companies have been rocked by their incidents, while others are virtually unscathed after just a few short weeks, which raises the question: "What is the difference between these companies?"


The Role of Controls


Many who make a living in security probably don’t want to hear that we’re about to switch to a resilience paradigm from one of prevention, as it seems to almost trivialize compromise.


"Nobody will care if they get hacked!"


But that’s not true.


The difference between a company that goes on to be successful after a breach and one that suffers immeasurably is that the former had the controls in place and the latter did not. And I’m not just speaking of a few technical controls: I mean a robust, highly mature information security program that has not just the technology but also the processes and training to respond properly when something does take place.


So the security industry will be just fine. The difference is that companies who are judged to have done everything right, but still got hacked, will not suffer the shame that is still associated with being compromised. This will become commonplace, and an accepted part of doing business in the 21st century. The stigma is falling away.


The only question will be whether or not you had your shop in order when it happened, and whether you responded appropriately. Consumer confidence in your company, and your stock price, will reflect this truth.


Two Approaches to Reducing Impact


Once we’ve accepted that the future path of risk reduction lies in reducing impact, we can start to look at ways to accomplish that. I see two primary ways to do so:


1. Significantly Reduce the Impact of Common Compromises


This portion of the solution will have many technological components, including an idea I got from recent password compromise issues. I believe the networks of the future will store their data in a decentralized way that makes common compromises virtually useless.

In other words, access to data as a result of a low to mid-level compromise will not yield anything of use to attackers because they’ll only have a tiny percentage of what’s required to make the data usable. And getting the other requisite pieces would require failures across multiple other areas in the company’s defenses.


Savvy readers will know that this will not thwart attackers completely, and that they will move their attacks to locations and users who can access the complete data set (someone has to have access to it, after all). We're already seeing this today, actually, but this is not a reason to abandon this approach. The fewer the systems that grant access to the real data, and the more effort it takes to get to the real data, the more time and chance we have of finding and stopping them.
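The decentralized-storage idea above can be made concrete with a simple splitting scheme. The following is an added illustration, not code from the original post or from any product it describes: it splits a sensitive record into n XOR shares, each held by a hypothetical separate store, so that an attacker who compromises any n-1 of those stores learns nothing about the record (each proper subset of shares is uniformly random and independent of the data). Only a compromise that reaches every store yields anything usable, which is the "failures across multiple other areas" property the text calls for. The record and store names are constructed for the example.

```python
import os
from typing import Dict, List, Sequence


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("share lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, n: int) -> List[bytes]:
    """Split `secret` into n shares; all n are required to reconstruct it.

    n-1 shares are fresh random pads; the last share is the secret XORed
    with all of them. Any n-1 shares are therefore uniformly random and
    carry no information about `secret` on their own.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = secret
    for pad in shares:
        last = _xor(last, pad)
    shares.append(last)
    return shares


def combine_shares(shares: Sequence[bytes]) -> bytes:
    """XOR all supplied shares together; correct only when all n are present."""
    if not shares:
        raise ValueError("no shares supplied")
    out = bytes(len(shares[0]))
    for s in shares:
        out = _xor(out, s)
    return out


def distribute(secret: bytes, stores: Sequence[str]) -> Dict[str, bytes]:
    """Place one share on each named store (hypothetical store names)."""
    shares = split_secret(secret, len(stores))
    return dict(zip(stores, shares))


def compromise_yields_secret(placement: Dict[str, bytes],
                             compromised: Sequence[str],
                             secret: bytes) -> bool:
    """Model an attacker who has read every share on the `compromised` stores.

    Returns True only if what they recovered equals the real record.
    """
    stolen = [placement[name] for name in compromised]
    if not stolen:
        return False
    return combine_shares(stolen) == secret


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test value.
    record = b"card=4111111111111111;exp=12/29;name=J. Doe"
    stores = ["db-primary", "vault-service", "hsm-wrapper"]   # hypothetical
    placement = distribute(record, stores)

    # Low/mid-level compromise: one or two stores fall.
    print("one store  ->", compromise_yields_secret(placement, stores[:1], record))
    print("two stores ->", compromise_yields_secret(placement, stores[:2], record))
    # Only a failure across every store reassembles the record.
    print("all stores ->", compromise_yields_secret(placement, stores, record))
```

The scheme is n-of-n: losing any one store makes the record unrecoverable for the defender too, so a real deployment would pair it with backups of each share or use a threshold (t-of-n) scheme such as Shamir secret sharing, which trades some of the "every store must fall" guarantee for availability. Either way the point the post makes holds: the value of a single compromised system is reduced to near zero.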


2. Reduce the Value of the Data that is Stolen


This one is harder, but it’s still possible if enough people are involved and energy is put into it. Examples here could include modifying the requirements for getting a credit card, procuring a mortgage, etc. If additional factors (stronger factors) are added to the equation we could see the impact of SSNs or CCNs being stolen plummet significantly.


In short, not only make it less of an issue if you're compromised, but make the leaked data less valuable as well. Again, this is something that'd have to be done at multiple levels, with multiple organizations helping, but any progress would be significant progress.




However it’s accomplished — and it’ll definitely be through a myriad of approaches — this shift is upon us. We’ve had a good run at catching the prevention unicorn, and we absolutely need to maintain our ground and continue to innovate in prevention, but the major gains in future risk reduction will come from reducing impact rather than probability. The sooner we accept this, the better.
