Breaches: Avoiding 'Victim's Fatigue'
Kevin Mandia Warns Against Letting Guard Down
"It's startling that it got that way," he said in a Feb. 27 keynote address at the RSA Conference 2014 in San Francisco.
Mandia offered a variation of the old saw about two types of organizations: those that have been breached and those that don't know it.
"If you're an F in cybersecurity or an A in cybersecurity, an attack has the same chance of being successful," Mandia said. "If you're an F in cybersecurity, you never find out and your boss says, 'Whew, nothing happened.'"
Organizations with a grade of A will learn from their experiences and take steps to mitigate future breaches, he said. But unfortunately, many of these organizations soon become vulnerable again.
Here's how Mandia put it: Victims of cyber-attacks expand their IT security teams shortly after the breach and aggressively combat the attackers. Six months later, after no new breaches occur, management thinks, "You know, we don't have to do this stuff anymore." The top cybersecurity experts hired to prevent future breaches get bored and move on to more challenging jobs. Then, the company gets breached again.
He characterized this syndrome of companies letting their guard down as "victim's fatigue."
Mandia said it isn't that cyber-assailants are smarter than IT security pros hired to safeguard systems. But attackers need only to break into one device, whereas IT security specialists need to protect thousands of devices. "It's easier to shatter crystal than to shape it," he said.
Mandiant, acquired for more than $1 billion in December by FireEye, came to prominence a year ago when it released a report directly implicating the Chinese military in cyber-espionage (see 6 Types of Data Chinese Hackers Pilfer).
In his address, Mandia revealed that his firm had intercepted resumes of members of the Chinese attack team bragging about their assaults on Western organizations.