Tuesday, February 11, 2020

The Transmission Curve

Imagine everything your company does, but in terms of a RAR file. Every document, and email, and VOIP call, and Teams message, every password and LDAP entry, every piece of source code in the git repo, and webex, and document scan, and database of PII, and Salesforce spreadsheet. Everything, no matter how trivial, related to the running of your company. If you're a five hundred person company, let's say that you generate about a Petabyte worth of information per year. This is dominated by useless webex video conference calls, which a hacker could not care less about. A more realistic total cost of ownership (TCO), in terms of bytes, for a five hundred person company for one decade, is 35 Terabytes (I backed this up with some real-world information and some calculations which I can share as needed - this includes all emails, documents, source code, and phone calls, but no video).

That is currently just over a month of downloading for our hacker friends - but we will be nice and say they only download data at night (aka, 1/3 of the time). Also, a month is a very long time to be "on target", but the download size is basically static over the years while the time is pressured down by increasing network speeds. If you are in the ever-growing box-of-pain (see below), then every time you get hacked, your entire company's IP value walks out the door.

Everything in this graph is either my estimate or CrowdStrike's, but just understand that as speeds go up, and corporate IP size remains static, the odds of any hacked company being completely downloaded before you catch the pesky hacker go to 1.

Hackers or signals intelligence agencies deal with this question every day in a different form, because 99% of what you see on most networks is useless porn and Windows updates. You want to filter that out on-site and then only send back the good stuff. But as network speeds go up, and storage costs go down, it's often easier to download everything and sort through it later. This is of course similar to the problem a certain large SIGINT group reportedly had.

Following this curve is why I think the Endpoint Security people's 1/10/60 minute rule is ridiculous, and why humans in the loop for security response are also hilarious. Ask yourself: at what network speed does your company enter the box of pain before 60 minutes is up?
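The curve itself, worked through as an added example (not the author's own calculation): time to move the page's 35 TB corpus over a given link, with the "nights only" 1/3 duty cycle, and the inverse question of which link speed defeats each of the 1/10/60 minute windows. It assumes decimal terabytes (10^12 bytes) and link speeds in bits per second.

```python
"""Exfiltration-time curve for the argument above (added example, not the
author's own calculation). Assumes decimal units (1 TB = 10**12 bytes),
link speeds in bits per second, and the page's 1/3 "nights only" duty cycle."""

CORPUS_TB = 35.0          # the page's estimate: one decade of a 500-person company
NIGHT_DUTY_CYCLE = 1 / 3  # attacker only transfers off-hours (the page's assumption)
BITS_PER_BYTE = 8


def hours_to_exfiltrate(size_tb: float, link_bps: float, duty_cycle: float = 1.0) -> float:
    """Wall-clock hours to move size_tb terabytes over a link of link_bps bits/s,
    transferring only duty_cycle of the time (1.0 = around the clock)."""
    if link_bps <= 0 or not 0 < duty_cycle <= 1:
        raise ValueError("link speed must be positive and duty cycle in (0, 1]")
    bits = size_tb * 10**12 * BITS_PER_BYTE
    return bits / link_bps / duty_cycle / 3600


def link_speed_for_window(size_tb: float, window_minutes: float) -> float:
    """Link speed (bits/s) at which the whole corpus leaves within window_minutes
    of continuous transfer: the speed at which a company enters the box of pain
    for that detection-and-response window."""
    bits = size_tb * 10**12 * BITS_PER_BYTE
    return bits / (window_minutes * 60)


def box_of_pain_table(size_tb: float = CORPUS_TB) -> dict:
    """Map each of the 1/10/60 minute windows to the link speed that defeats it."""
    return {w: link_speed_for_window(size_tb, w) for w in (60, 10, 1)}


if __name__ == "__main__":
    for mbps in (100, 1_000, 10_000, 100_000):
        around_clock = hours_to_exfiltrate(CORPUS_TB, mbps * 1e6)
        nights = hours_to_exfiltrate(CORPUS_TB, mbps * 1e6, NIGHT_DUTY_CYCLE)
        print(f"{mbps:>8} Mbps: {around_clock / 24:6.1f} days around the clock, "
              f"{nights / 24:6.1f} days nights only")
    for window, bps in box_of_pain_table().items():
        print(f"{window:>3} min window is beaten at {bps / 1e9:8.1f} Gbps")
```

At 100 Mbps the corpus takes about 32 days around the clock (the "just over a month" above); the 60 minute window falls at roughly 78 Gbps, the 1 minute window at about 4.7 Tbps.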

1 comment:

  1. Hi Dave, interesting thought. I like the idea of information size being a bound on detection and response time. However, how do you account for collecting all of that information? Do you assume that everything is backed up, and the intruder is just downloading it from the central backup server?