The Price of Caring About “Evidence”

Red Canary


In 2012 one of the offices in the government of the State of South Carolina suffered a digital breach. Reporting at the time estimated that the total cost of the breach was $14m, with incident response costs alone estimated at $500,000.

The 2013 NetDiligence survey of data breach insurance payouts reports that of the 140 claims submitted to insurers, 88 reported claims payouts. Of the $84m in total payouts, roughly half was spent on crisis services (IR, forensics, victim notification, etc.). The largest payout for crisis services was $11.5m, while the average payout was just over $700,000.

There are a number of reasons why IR is so expensive. Focus on the “crisis services” part as the insurance industry does and think about what it entails: logs have to be collected, aggregated and analyzed; people need to be interviewed; IOCs need to be searched for; infected systems need to be pulled off-line and imaged; forensics needs to be employed to search for breach details…all of this done by subject matter experts that bill north of $400/hour and have to fly in from out of town.

The practice of IR can trace its roots to the government and in particular law enforcement. Look at the bios of every long-serving and well-respected name in IR and they all tend to have one thing in common: they’re former federal agents who specialized in computer crime investigations. That’s an awesome credential and base of experience, but what is that law enforcement background doing for you?

I can tell you what it isn’t doing: accelerating detection or driving down costs.

Listen to the language your consulting IR team uses. You tend to hear the word “evidence” a lot, which would be great if you were interested in going to court: odds are you are not. The search for evidence is expensive and disruptive and can have almost as negative an impact on your business as the breach itself. If you’re like the customers we support, you just want the pain to stop so you can get back to work; a law enforcement-centric approach doesn’t help you do that…at least not in a timely fashion.

We approach the problem from a different angle. We’re constantly gathering factual, irrefutable data about what happens across your enterprise: a comprehensive picture of precisely what happens as it happens, not odds-and-ends found weeks or months after the fact. Rather than present you with a theory of what happened long after your valuable data is gone, we identify and can address root causes in minutes. We are not exactly “pre-crime” but we are most certainly not post-mortem.

What does this change in approach to IR mean for you? No one can promise that you’ll never be breached again, but we can promise that the days of expensive and disruptive IR engagements are over. Because of the insight we have, our customers know more about what is happening on their systems, faster. They find that the overall need for security expertise is more consistent, without the wild swings of thinking everything is OK and then panicking when it is clear things have not been OK for months on end.

There may be times when you need to follow the detailed, tried and trusted methodology for IR, and we can certainly provide more than enough meaningful data to support whatever approach to hacks and breaches you need to adhere to, but there is no reason to adhere to a methodology that doesn’t accomplish your goals just because that’s how everyone else is doing it.

When you’re ready to learn more let us know.