Embracing the “Presumption of Breach”

Your organisation has been breached; it’s a fact of business in 2015. Accepting this fact will help in moving towards a solution and shifting the tide against hackers.

Today, there are two types of organisations: those that know that they have been breached, and those that choose not to accept the hard truth and move forward.

The people attacking your systems and networks have morphed from hackers seeking peer recognition and disruption into organised, talented, well-funded and highly directed groups. Some seek financial gain, while nation-state actors seek to obtain state and military secrets or to disrupt critical infrastructure. Adversaries no longer rely on broad, opportunistic gambits designed to pick off weak and wounded machines or highly gullible users. Modern, highly targeted and specialised attacks use a deliberate, multi-step approach. They cross through the most sophisticated defenses with ridiculous ease and then quickly pivot to locate their target, using patience and stealth to obfuscate their activity along the way. This is no smash-and-grab: these attacks establish long-term residence on systems, with command and control back to their source.

Industry reports show that hackers spend an average of 200+ days in compromised systems before they are detected.

Protecting sensitive data and intellectual property by trying to secure devices and networks has proven ineffective. Does that mean you should suspend your organisation's perimeter defenses or the endpoint shields on your devices? Of course not. Instead, embrace the “presumption of breach” doctrine and look beyond traditional defenses.

I have been on the malware detection side of the IT security game. Every year a new “it” product emerges that will solve everyone’s problems. Every year the breach counts increase. One year it was whitelisting that was going to save the world. That same year at ShmooCon there was a talk that presented three ways to beat the most popular whitelisting product.

There are other forces at work as well. Sensitive data and intellectual property are moving away from the gravitational center of IT security. Mobile devices, BYOD, the cloud and increasing requirements for extra-domain collaboration place data at further risk and make it harder for a pipes-and-platform strategy to work.

The ultimate endgame of most attacks is the exfiltration of sensitive information or intellectual property. So, the lesson is – spend less time on perimeter defense, and develop a modern approach to security that protects the data itself.

So, your organisation has been breached. It’s okay – you have a lot of company. Figure out your next step – secure the data.

July 20, 2015