Breach Prevention or Breach Mitigation

By Trevor Morgan, product manager at comforte AG

I’d like to pose the following question. Should you try to prevent a negative event from happening, or should your focus rather be on developing a mitigation plan and steps to reduce any negative effects or fallout from taking place?

This is a question that many security professionals and business decision-makers face in the modern digital world, but we also see this type of decision-making in all walks of life. For example, when you buy a new car, do you do everything in your power to prevent any damage or wear and tear to it, like keeping it safely in the garage 24/7? Or do you get the best-in-class insurance policy to cover any potential repairs as a way of mitigating accidents? In most aspects of life, we wind up having to make a choice between incident prevention and incident mitigation. Sometimes it makes more sense to try to prevent incidents, while at other times mitigation is the best and most logical option. Which one is right? Well, it just depends.

In the cybersecurity world, CISOs and business decision-makers face this question on a regular basis as they look to protect the valuable information and data within their enterprises. Data is a highly strategic asset, and most organizations collect, process, and store vast quantities of highly sensitive PII and PHI within their information ecosystems as a course of doing business. Data actually drives most businesses, and without it business leaders cannot make informed decisions or innovate with appealing products and services, or create efficiencies within their operations. While data has long been viewed as a valuable business asset, only in the last decade or so have steps been taken to effectively regulate how organizations handle and protect it highly sensitive consumer data. Consider the current importance of data security and privacy regulations such as GDPR, CCPA, and HIPAA.

Cybercriminals are continuously coming up with new and crafty methods to steal sensitive information, and should they succeed, it would cause catastrophic damage for any enterprise. The company in question would certainly suffer brand reputation damage, negative publicity, lawsuits, and severe penalties from the governing bodies and authorities that strictly impose data privacy rules.

The question of breach prevention or breach mitigation is one that security leaders must think through thoroughly. What is the best course of action for the business? Should they invest in a breach prevention strategy to try to block cybercriminals out completely (never a 100% fool-proof option), or is breach mitigation the right course of action, so that if threat actors do get access to sensitive information, they can’t read it, comprehend it, or do anything with it?

Both breach prevention and mitigation have merit, but it shouldn’t be a case of sacrificing one to emphasize the other – you should implement both as part of a comprehensive cybersecurity posture.

Over the past two years in the midst of the pandemic, we have witnessed a plethora of attacks directed against enterprises by compromising cloud-based services and tricking the workforce through social engineering tactics (such as phishing). You would think that we could protect against these well-known tactics and methods, but in reality organizations are finding them harder to defend against. Hackers are nefarious people who are persistent, patient, ingenious, and cunning. With enough resources, they can find a way around practically any perimeter defense. Remember, no single silver bullet to cybersecurity exists, and we must accept the fact that keeping threat actors out 100% of the time is unrealistic (and that’s not even accounting for inside jobs). Effective security requires multiple layers of defenses in order to keep an organization’s data and IT systems safe and secure.

Here’s an analogy: think about how medieval European castles were constructed with the various breach prevention methods in place, including inner walls, moats, winding-staircase chokepoints, and drawbridges to halt the advance of attackers. If you delve a little deeper into castle defenses, you see how breach prevention actually paved the way for breach mitigation with hidden exits, secret passages, and general misdirection to help individuals escape the onslaught of attackers, living to fight another day. The outer walls clearly serve as first-line breach prevention—a secret passage behind the throne that allows royalty to escape acts as last-line breach mitigation measure. Both working in tandem obviously are much better than just implementing one or the other.

Apply this analogy to your overall cybersecurity strategy. Suffering a cyberattack is now a matter of when, not if, regardless of the security and resources you’ve instituted. Adopt the notion that your IT environment has already been breached and the data within it might be in the process of being compromised. These are a few of the core principles of the Zero Trust model, which stresses denying implicit trust to a user or entity simply based on location within your network environment. Your focus must shift from solely breach prevention to breach mitigation as well. So, how can you ensure any negative repercussions are minimal, especially if a hacker finds a way into your network? How do you mitigate the attack if breach prevention doesn’t actually stop it?

The answer is data-centric security, which applies stringent protection controls on the data itself, instead of focusing on the data’s perimeters or environmental concerns surrounding your data. You’ve probably heard of data encryption, which is one form of data-centric security. Tokenization is another data-centric protection method that works well as a breach-mitigation layer. By replacing sensitive data elements with representational tokens, the overall data format remains intact without having the real (and really sensitive) values in plain text.

This way, if threat actors were to compromise your network and data environment and gain access to sensitive information, they would be unable to decipher its true meaning and value. Wherever the data resides, it remains in a protected state while still being usable within business applications, for critical activities such as data analytics. Furthermore, when combined with effective data discovery, data classification, and data lineage tracing in a platform approach, tokenization can prevent a successful intrusion from becoming a full-blown PR nightmare. If threat actors can’t read the data, understand the sensitive information, or leverage any of it for gain, then the threat is neutralized. It also means the company remains compliant with data privacy and security laws.

In recent years, we’ve witnessed high-profile data breaches plaguing many well-known brands. You may be worried that your organization might be next, and not to be alarmist but you probably should be. Ensure you have the required security defenses in place as a preventative measure, but also implement data-centric security to mitigate the impact of any breach if threat actors get their hands on your data. If they can’t leverage your data or compromise it in any way, then chances are the fallout will be minimal.

By Trevor Morgan, product manager at comforte AG

I’d like to pose the following question. Should you try to prevent a negative event from happening, or should your focus rather be on developing a mitigation plan and steps to reduce any negative effects or fallout from taking place?

This is a question that many security professionals and business decision-makers face in the modern digital world, but we also see this type of decision-making in all walks of life. For example, when you buy a new car, do you do everything in your power to prevent any damage or wear and tear to it, like keeping it safely in the garage 24/7? Or do you get the best-in-class insurance policy to cover any potential repairs as a way of mitigating accidents? In most aspects of life, we wind up having to make a choice between incident prevention and incident mitigation. Sometimes it makes more sense to try to prevent incidents, while at other times mitigation is the best and most logical option. Which one is right? Well, it just depends.

In the cybersecurity world, CISOs and business decision-makers face this question on a regular basis as they look to protect the valuable information and data within their enterprises. Data is a highly strategic asset, and most organizations collect, process, and store vast quantities of highly sensitive PII and PHI within their information ecosystems as a course of doing business. Data actually drives most businesses, and without it business leaders cannot make informed decisions or innovate with appealing products and services, or create efficiencies within their operations. While data has long been viewed as a valuable business asset, only in the last decade or so have steps been taken to effectively regulate how organizations handle and protect it highly sensitive consumer data. Consider the current importance of data security and privacy regulations such as GDPR, CCPA, and HIPAA.

Cybercriminals are continuously coming up with new and crafty methods to steal sensitive information, and should they succeed, it would cause catastrophic damage for any enterprise. The company in question would certainly suffer brand reputation damage, negative publicity, lawsuits, and severe penalties from the governing bodies and authorities that strictly impose data privacy rules.

The question of breach prevention or breach mitigation is one that security leaders must think through thoroughly. What is the best course of action for the business? Should they invest in a breach prevention strategy to try to block cybercriminals out completely (never a 100% fool-proof option), or is breach mitigation the right course of action, so that if threat actors do get access to sensitive information, they can’t read it, comprehend it, or do anything with it?

Both breach prevention and mitigation have merit, but it shouldn’t be a case of sacrificing one to emphasize the other – you should implement both as part of a comprehensive cybersecurity posture.

Over the past two years in the midst of the pandemic, we have witnessed a plethora of attacks directed against enterprises by compromising cloud-based services and tricking the workforce through social engineering tactics (such as phishing). You would think that we could protect against these well-known tactics and methods, but in reality organizations are finding them harder to defend against. Hackers are nefarious people who are persistent, patient, ingenious, and cunning. With enough resources, they can find a way around practically any perimeter defense. Remember, no single silver bullet to cybersecurity exists, and we must accept the fact that keeping threat actors out 100% of the time is unrealistic (and that’s not even accounting for inside jobs). Effective security requires multiple layers of defenses in order to keep an organization’s data and IT systems safe and secure.

Here’s an analogy: think about how medieval European castles were constructed with the various breach prevention methods in place, including inner walls, moats, winding-staircase chokepoints, and drawbridges to halt the advance of attackers. If you delve a little deeper into castle defenses, you see how breach prevention actually paved the way for breach mitigation with hidden exits, secret passages, and general misdirection to help individuals escape the onslaught of attackers, living to fight another day. The outer walls clearly serve as first-line breach prevention—a secret passage behind the throne that allows royalty to escape acts as last-line breach mitigation measure. Both working in tandem obviously are much better than just implementing one or the other.

Apply this analogy to your overall cybersecurity strategy. Suffering a cyberattack is now a matter of when, not if, regardless of the security and resources you’ve instituted. Adopt the notion that your IT environment has already been breached and the data within it might be in the process of being compromised. These are a few of the core principles of the Zero Trust model, which stresses denying implicit trust to a user or entity simply based on location within your network environment. Your focus must shift from solely breach prevention to breach mitigation as well. So, how can you ensure any negative repercussions are minimal, especially if a hacker finds a way into your network? How do you mitigate the attack if breach prevention doesn’t actually stop it?

The answer is data-centric security, which applies stringent protection controls on the data itself, instead of focusing on the data’s perimeters or environmental concerns surrounding your data. You’ve probably heard of data encryption, which is one form of data-centric security. Tokenization is another data-centric protection method that works well as a breach-mitigation layer. By replacing sensitive data elements with representational tokens, the overall data format remains intact without having the real (and really sensitive) values in plain text.

This way, if threat actors were to compromise your network and data environment and gain access to sensitive information, they would be unable to decipher its true meaning and value. Wherever the data resides, it remains in a protected state while still being usable within business applications, for critical activities such as data analytics. Furthermore, when combined with effective data discovery, data classification, and data lineage tracing in a platform approach, tokenization can prevent a successful intrusion from becoming a full-blown PR nightmare. If threat actors can’t read the data, understand the sensitive information, or leverage any of it for gain, then the threat is neutralized. It also means the company remains compliant with data privacy and security laws.

In recent years, we’ve witnessed high-profile data breaches plaguing many well-known brands. You may be worried that your organization might be next, and not to be alarmist but you probably should be. Ensure you have the required security defenses in place as a preventative measure, but also implement data-centric security to mitigate the impact of any breach if threat actors get their hands on your data. If they can’t leverage your data or compromise it in any way, then chances are the fallout will be minimal.