SANS Institute Whitepaper on Breach Avoidance

The Identity Theft Resource Center (ITRC) reports that in the first 6 months of 2018, companies in the United States publicly disclosed 668 instances of sensitive business and consumer information being compromised by cyber attacks, with 22,408,258 records exposed in these breaches. Such breaches are a common subject of media reports and, according to the ITRC, occur on a daily basis. The threat is a major concern for every company. Big budgets are thrown at the problem in the hope of maintaining compliance with federal regulations and preserving the reputation of the company. Understanding the problem not only helps secure sensitive information but also ensures that the money spent protecting this data is spent effectively.

John Pescatore of the SANS Institute partnered with Balbix, provider of the predictive breach avoidance platform BreachControl™, to take a hard look at the weighty topics of cybersecurity, breach avoidance, and the importance of practical engagement to combat attacks without unnecessary stress on budgets.

In this whitepaper, entitled Breach Avoidance: It Can Be Done, It Needs to Be Done, Pescatore is optimistic, noting that “many businesses will manage to avoid significant breach this year. There are more than 18,000 companies with more than 500 employees in the U.S, meaning about 17,000 of them will have avoided a breach requiring disclosure in 2018”. He believes many will be able to avoid incidents with well-planned strategies to remove or mitigate the threat. He also points out that the total number of records exposed in 2018 is running 66% below the previous year, showing improvement in the way these attacks are managed.

The SANS report states that “the bottom line is that breaches are not inevitable. There are proven techniques in use today by large and small companies with limited staff and budgets that can fend off or avoid most attacks and dramatically reduce the damage of attacks that do succeed.” As an example, the report cites “organizations that emphasize proactive security efforts to reduce vulnerabilities in critical business assets being less likely to suffer major business damage than organizations that don’t have the skills and tools to prioritize and focus security efforts.”

Action Is the Magic Ingredient in Breach Avoidance

Balbix believes that “In today’s threat environment, eliminating risk and avoiding breaches requires enterprises to transition from focusing on their resources and efforts on responsively putting out fires to transforming their security practice in proactively implementing controls to predict and recognize real-world breach risk” by doing more than just being compliant.

Security teams have little influence regarding when an attack may occur. There is no way to predict when it will happen, from where it will come, or how it will happen. Security professionals can, however, reduce risk. They can enact preemptive measures and a framework to effectively manage the one element of the equation within their control.

The paper says that one of the keys to accomplishing risk reduction “is for security teams to understand business impact, be able to express risk in those terms, and be able to demonstrate how improvements in security result in a measurable reduction in business impact.” The suggested strategy is for teams to develop real-time situational awareness of what really needs to be protected, what their vulnerabilities are, and which threats are active against their critical targets. They can then deploy the proper tools and practices, prioritize prevention, mitigate attacks, and respond quickly to incidents, thereby reducing the damage to the business. The objective is to take the right proactive measures instead of simply adding costly, difficult-to-maintain layers of security products.

Success Patterns for Breach Avoidance

In its research, SANS noted success patterns among security programs: practices they employ to better face the challenges posed by relentless digital piracy. According to the report, organizations that have been observed to mitigate or even avoid threats have the following practices in common.

  • Choose a cybersecurity framework that prioritizes “Protect the Business”: identify real-world risks rather than checklist items.
  • Institute continuous monitoring of assets: Security teams must know what they are protecting. Accurate inventories must be kept of the firm’s systems, hardware, applications, and users.
  • Map against real-world threats and business context: A log of vulnerability alerts will satisfy audits, but it will also create a backlog for IT professionals. Identifying active threats and prioritizing them enables analysts to justify the urgency of an issue.
  • Implement and use updated “playbooks” for damage avoidance: Maintaining up-to-date documentation of the actions to take when an incident is detected has proven effective for exposure reduction, breach avoidance, and damage minimization.
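The prioritization the report describes above (rank findings by business impact and active threat, not by raw scanner severity) as an added illustration that is not code from SANS or Balbix; asset names, vulnerability ids, criticality values and the weighting formula are all constructed assumptions for the example:

```python
"""Rank a vulnerability backlog by business context and active threat.

Illustrative code (not from the SANS/Balbix report). The weighting is an
assumption chosen to show the idea, not a formula the report prescribes.
"""
from dataclasses import dataclass

# Business criticality per asset, 1 (low) to 5 (critical). Constructed values.
ASSET_CRITICALITY = {"payroll-db": 5, "customer-portal": 4, "dev-wiki": 2, "print-server": 1}

# Vulnerability ids currently seen in active attacks. Constructed placeholder ids.
ACTIVE_THREATS = {"VULN-EXAMPLE-001", "VULN-EXAMPLE-003"}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float      # scanner base severity, 0-10
    exposed: bool    # reachable from the internet


def risk_score(f: Finding) -> float:
    """Severity scaled by business impact, threat activity and exposure."""
    impact = ASSET_CRITICALITY.get(f.asset, 3)          # unknown asset -> medium
    threat = 2.0 if f.vuln_id in ACTIVE_THREATS else 1.0
    exposure = 1.5 if f.exposed else 1.0
    return round(f.cvss * impact * threat * exposure, 1)


def prioritize(findings, limit=3):
    """Return the `limit` findings to work first, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)[:limit]


# Constructed scanner output: note the highest CVSS sits on the least critical asset.
SAMPLE_BACKLOG = [
    Finding("print-server", "VULN-EXAMPLE-002", 9.8, False),
    Finding("payroll-db", "VULN-EXAMPLE-001", 7.5, False),
    Finding("customer-portal", "VULN-EXAMPLE-003", 6.5, True),
    Finding("dev-wiki", "VULN-EXAMPLE-004", 8.1, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_BACKLOG):
        print(f"{risk_score(f):6.1f}  {f.asset:16} {f.vuln_id}")
```

With this input the 9.8 CVSS finding on the print server drops to the bottom, while the actively exploited, internet-facing portal flaw and the payroll database flaw come first.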

The SANS Institute report emphasizes the importance of having a security framework focused on tangible security rather than on compliance. It endorses the first six critical security controls prescribed by the Center for Internet Security. “The first six CIS Controls essentially represent basic security hygiene, and studies have shown that the vast majority of real-world attacks can be defeated when these controls are implemented effectively,” the report states. The controls as listed in the report are:

  • Inventory and Control of Hardware Assets: Focus on a complete and accurate inventory of the devices, operating systems, and applications in use.
  • Inventory and Control of Software Assets: Like the control above, this emphasizes the importance of having a clear understanding of what is in use by the company. Real-time discovery needs to be performed across cloud, mobile, and IoT devices.
  • Continuous Vulnerability Management: Comprehensive, timely, and accurate assessment of which assets are vulnerable to known and active attack vectors.
  • Controlled Use of Administrative Privileges: Monitoring and controlling admin rights has proven highly effective in avoiding breaches.
  • Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Focus on defined secure configuration baselines for each asset type and on the capability to restore misconfigured assets to safe configurations.
  • Maintenance, Monitoring, and Analysis of Audit Logs.


Successful cybersecurity programs draw on the large amount of information available about threats and attacks that are active and applicable to their resources. They integrate proactive processes that keep up with the “speed of business and evolution of attacks.” They concentrate resources on protecting the most important assets against the most dangerous potential threats, taking a common-sense approach to known problems while continuously discovering new threats as they develop. The SANS report and Balbix emphasize the need for a comprehensive framework that does more than satisfy auditors: one that is proactive rather than reactive, avoiding breaches through accurate assessment and planning for success.

Click here to download your own copy of the Balbix-sponsored SANS Institute report.

By Cody Bowcut, Contributing Editor