SafeNet and IT-Harvest Preview the Breach Level Index at RSA 2013

One of the big developments at the jam-packed RSA conference was the security industry's focus on "visibility." The context here is that you cannot defend against what you don't know, and that even when you know it you need to understand the "context", e.g., the order of magnitude of the type of risk exposed, in order to decide how best to mitigate it. In addition, there is the issue of speed/awareness in a world where real-time in many ways is the only time, although there was also a lot of attention paid to the use of big data to proactively get ahead of the bad actors by anticipating both the nature of attacks and the best counter-measure to use against them.

In fact, from various quarters there were announcements about how to get a better view of things. This was particularly true in regards to the pernicious impacts of the two biggest weapons of choice for bad actors on a global basis, Advanced Persistent Threats (APTs) and Distributed Denial of Service (DDoS) attacks, so that everyone knows the answer to the question "what's up?"

However, the issue is not just about watching and reacting, hopefully quickly. As noted above, the very nature of the dynamism of the types of attacks means that the industry needs to come up with a way to classify and index them. The value should not be discounted. This is because when it comes to risk management, executives need to be able to develop a holistic and layered strategy so they can wisely spend scarce resources based on the severity, frequency and risks of various types of attacks in terms of their impacts on the enterprise. 

It is for precisely this reason that SafeNet, Inc., one of the largest information security companies in the world, which protects information throughout its lifecycle, joined forces with IT-Harvest, an industry analyst firm founded by Richard Stiennon, to develop a Breach Level Index (BLI). In simple terms, the index is designed to assign a single number that quantifies the severity and magnitude of a data breach. The goals are:

  • Enable security professionals and the general public to leverage the Breach Level Index to better understand the severity of a data breach and its potential impact
  • Serve as a benchmark for the industry and help security professionals objectively monitor the progression of breaches and utilize the data for better risk assessment
  • Obtain industry recognition about the value of the Index so that comprehensive information can be developed, disseminated and turned into actionable insights.

The idea is that all boats do in fact rise when the tide comes in and the cooperation on the creation, constant updating and availability of the Index is good for everyone. 

Facts matter

The Breach Level Index is intended to not only serve as a benchmark for the industry, but to help Chief Information and Chief Security Officers (CIOs and CSOs) classify the severity of a breach as well as utilize the data in their own risk assessment and planning.

"It is not realistic today to expect enterprises to be able to prevent intruders and insiders from penetrating perimeter defenses and accessing IT resources," said IT-Harvest's Stiennon. "In a world where breaches are a given, we need to raise the level of discussion to 'how severe was the breach?' We developed the Breach Level Index to be a classification tool that enables this level of discussion and better empowers security industry professionals to detect and prevent future breaches."

SafeNet president and CEO Dave Hansen at RSA told me that, “We are asking all members of the security industry to be actively involved in the development of the BLI. Knowledge is power, and being able to not just get better perspective on risks but be able to use that information to effectuate and implement best practices to better protect high value assets is critical given the speed and severity of today’s cyber threats.” 

A brief primer on the Breach Level Index

The SafeNet and IT-Harvest collaboration developed an algorithmic formula to determine breach severity. The BLI factors in a wide variety of inputs, including:

  • Data type
  • Number of records stolen
  • Breach source
  • Whether or not the high value data remained secure post breach

The inputs are then processed through an algorithm that produces an index number consistent with the Saffir-Simpson hurricane scale: 1 being least severe and 10 being most severe. The scale is open ended (no upper limit) and logarithmic (base 10). For those unfamiliar with such scales, severity does not increase in equal steps as the number rises; each additional point is a tenfold increase. In other words, as the explanation of the BLI details, a score of 7, for instance, is 100 times more severe than a score of 5.

To put this in context, and emphasize the need for such a tool, in introducing the BLI, it was noted that the recent TJX Companies Inc. breach was a 9.1 level breach and the Heartland Payment Systems breach was a 9.3 level breach.

In our discussion, Hansen reiterated his public observation that, "While the volume of breaches continues to increase, it is critical to keep in mind that not all breaches are created equal in terms of the level of severity and damage that they impose on organizations and their customers." He added, in a thought echoed throughout the event, that there is "a new, complex and dynamic threat landscape, which is mandating the need for new tools like the BLI."

The themes of complexity, dynamism and recognition that there is no failsafe solution or amount of expenditure that can protect an enterprise 100 percent in what I have called "The Age of Acceleration"—where the only constants are change and the speed at which it is accelerating—are why the BLI, if it gains the traction it deserves, can be extremely valuable. A whitepaper with a full explanation of the methodology employed is available here and here.

While the word "triage" tends to have negative connotations, the fact is that CIOs and CSOs every day have choices to make about which risk mitigation measures to use in the protection of their people, processes, systems and critical information (how it is created, stored, accessed and handled while in transit). The goal is obviously to get maximum protection based on a risk assessment that enables mitigation to be planned around a layered strategy. However, this cannot be done without knowing a lot more about the context of the risks being faced, and that is why, hopefully, the BLI gets the attention it warrants and the industry support it needs.

Edited by Brooke Neuman