2014-01-21

The blog below was originally penned in March of 2012…nearly 2 years later and the security industry is not only still consumed with the wrong way of thinking, it is doubling down on the failed idea of “Detection is the New Prevention” – the thoughts here are being shared again as they support the blog post we released just 10 days ago on the topic…

How many more breaches must we discover days, weeks, months or years too late? How many more millions of credit cards and identities stolen? How many more billions in lost Intellectual Property before we realize that rapidly discovering a breach isn’t security – it is crime scene investigation?


Rethinking Security: Moving from Post Facto Breach Analysis to Detection | Prevention | Pre-Breach Forensics


Thoughts from March 2012…

It’s more important than ever for a mentality shift in the security industry. We’ve allowed ourselves to fall victim to a lost decade in innovation and have become mired in what Invincea calls the security insanity cycle. With each new disclosure of massive pwnage across corporate, government and even security industry networks, we collectively become more and more cynical about our potential for getting a leg up on our adversaries. With a shortage of innovative solutions to stop the breach, we’ve evolved – or devolved – our focus away from roles as sentries of the network and toward those of crime scene analysts. We’ve been taught by repeated assertion from those who benefit from remediation and network forensic professional services that the breach cannot be stopped… and that detection is the new prevention. We can’t blame our fellow security professionals for their cynicism. The truth is that the prevention security industry has utterly failed us; failed our governments, corporations, and citizens. Because reactive list-based approaches can no longer stop the threat, the logical conclusion drawn and promulgated is… at best you can only attempt to detect the intruder in your network. In other words, the white flag has been raised, the network has been ceded, and instead of keeping the intruder off your network – you must lower the drawbridge, close your eyes, count to ten, and then try and figure out where they are hiding.

The InfoSec “Humpty Dumpty” Syndrome

The dawn of the Advanced Persistent Threat (or at least the use of the moniker) has fueled our cynicism and brought about a defeatist mentality within our community – a sort of Humpty Dumpty syndrome, where we are the “King’s Men” and our networks the fabled egg. The calculus has gone something like this – if our users are the targets and we cannot train away natural human psychology; and our preventative technologies are dependent upon knowing the threat signature a priori to thwart attack; and our adversaries are using custom attacks, zero-days, and polymorphic techniques to make signatures obsolete, then prevention is not only a failed strategy, but must be abandoned. Instead, focus your efforts and investments on training, people, and technologies to discover the intruder after the breach happens. Some have even blogged that the average intruder isn’t so smart, that it takes them six days to begin to mine the network for data. So in other words, with a six-day window, you can hope to find them in your network before they cause damage. We should all be so fortunate to get the C team breaching our network! While their intentions are well-meaning and their cynicism well-founded, what the post-breach security industry isn’t telling you is that the dollars you spend on post-breach forensics (detection of the intruder on your network and remediation) are the most expensive dollars you can spend. Once you have discovered the threat is on your network, you now are in a very human-intensive operation to find and eradicate the threat, while ascertaining what intellectual property and corporate secrets may have already leaked. Once the secrets have leaked, or the email archive published, there is no bringing it back. Whether your window is six days or six minutes, the resulting cost to the business is staggering in terms of clean-up activities, and also in terms of damage to the business and long-term competitive threats.

The Rise of the Crime Scene Analyst

This mindset has given rise to a new set of technologies focused on deep dive forensic analysis – i.e., full packet capture, deep packet inspection, log analysis, and indicators of compromise on end points. While these technologies are critical for the core of our defense in-depth strategies, and help us meet requirements for continuous monitoring, the value they deliver is post-facto identification of breach. To be clear, everyone should have a post-facto breach strategy. Planning for failure of your defenses is a necessary activity for risk mitigation. One you hopefully never have to use. However, ceding the network to the adversary by failing to invest in modern prevention techniques plays into the adversary’s hands. Finding the adversary is a cat-and-mouse game of finding the latest backdoor or unusual protocol they are using to leak your data.

If we are willing to accept the assertion that we will never be able to keep our adversaries out of our networks, then a wholesale shift to forensic analysis is warranted. However, if we accept this assertion, we have done something that runs counter to our core fabric as Americans – we’ve admitted defeat. If we accept this defeatist mentality, we’re conceding our networks to our adversaries and may as well pack up and ship all of our industries overseas. Conceding the network is tantamount to giving up our economic future as our future innovations and jobs depend on the ability to keep our adversaries from stealing our intellectual property.

We aren’t trying to vilify a focus on forensics. Forensic information is a critical piece in network security, as it provides the necessary answers to understanding the threats we face. This deep dive information gives insight into “the who” — as much as it can be determined — what, when, where and how related to the motives and activities of our adversaries. However, an overemphasis on forensic investigation distracts us from our core mission – keeping the adversaries out of the network in the first place. Ask yourself — is our mission to be security guards who prevent the crime from occurring or eye-witnesses describing the actions of the perpetrators after the fact? Do you want to prevent the crime or report on what was taken and how?

Breaking Free from the Security Insanity Cycle

To break free from this security insanity cycle we must become serious about innovation in prevention. We know the adversary targets the user – the human layer of the network. Depending on users to make the correct decision every time on every email and URL is an untenable security protocol. Instead, we need to give users the tools they need to be online without the fear that they will infect the network by focusing on detection, prevention, and pre-breach forensics.

So what can we do to protect the network from the user and the user from himself? As a highly respected security and risk analyst recently put it, “let’s focus on containing the contaminant.” By segregating the untrusted content users come in contact with from the operating systems that run the untrusted content, we can protect the network while users interact with online content. The implementation is straightforward – anytime a user interacts with content from the Internet, be it in a browser, an email attachment, or an application that renders content from the Internet, virtualize the application and content the user interacts with in a non-persistent virtual environment. If the content is malicious it infects a disposable environment, not the desktop. If the user makes a poor decision, the consequences of that decision are instantly reversed with no damage to the system or loss of data. By moving away from signature-based detection to a focus on behavioral and heuristics-based detection, we can stop zero-days in their tracks. In fact, the distinction between zero-days and known attacks goes away, making the term zero-day quaint. By putting our adversaries in a virtual fishbowl every time a user clicks on a malicious link or attachment, we can capture forensic detail related to the intent of the adversary – making pre-breach analysis possible and lessening the need for expensive post-breach response.
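To make the “virtual fishbowl” idea concrete, here is an added illustration (example code written for this post, not Invincea’s product) of the triage step that sits behind it: a disposable sandbox session is judged by what the content did (a document viewer spawning a shell, a helper process calling out, a write to an autorun location) rather than by a signature, and the indicators it yields become a perimeter block-list entry while the environment itself is thrown away. The event format, rule sets and both sample sessions are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SandboxEvent:
    kind: str     # assumed event kinds: "spawn", "persist", "net"
    detail: str   # "parent -> child", a file path, or "process@host"

@dataclass
class Verdict:
    malicious: bool = False
    reasons: list = field(default_factory=list)   # behavioural findings, not signatures
    block_hosts: set = field(default_factory=set) # indicators to push to the perimeter

# Content renderers and the behaviour they have no business exhibiting.
RENDERERS = {"winword.exe", "acrord32.exe", "chrome.exe"}
FORBIDDEN_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "regsvr32.exe"}
AUTORUN_MARKERS = ("\\run\\", "\\startup\\")

def triage(events):
    """Judge a disposable-sandbox session by behaviour; the sandbox is discarded either way."""
    v = Verdict()
    for e in events:
        d = e.detail.lower()
        if e.kind == "spawn":
            parent, child = (s.strip() for s in d.split("->", 1))
            if parent in RENDERERS and child in FORBIDDEN_CHILDREN:
                v.reasons.append(f"{parent} spawned {child}")
        elif e.kind == "persist" and any(m in d for m in AUTORUN_MARKERS):
            v.reasons.append(f"persistence attempt: {e.detail}")
        elif e.kind == "net":
            proc, host = d.split("@", 1)
            if proc not in RENDERERS:          # a spawned helper, not the browser, calling out
                v.reasons.append(f"{proc} connected to {host}")
                v.block_hosts.add(host)
    v.malicious = bool(v.reasons)
    if not v.malicious:
        v.block_hosts.clear()                  # benign session: nothing to block
    return v

# Constructed sessions (not real telemetry): a benign PDF view and a malicious document.
BENIGN_SESSION = [
    SandboxEvent("net", "chrome.exe@example.org"),
    SandboxEvent("spawn", "acrord32.exe -> acrord32.exe"),
]
MALICIOUS_SESSION = [
    SandboxEvent("spawn", "winword.exe -> cmd.exe"),
    SandboxEvent("spawn", "cmd.exe -> powershell.exe"),
    SandboxEvent("net", "powershell.exe@203.0.113.7"),
    SandboxEvent("persist", "C:\\Users\\u\\Start Menu\\Programs\\Startup\\x.lnk"),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("malicious", MALICIOUS_SESSION)):
        print(name, triage(session))
```

The malicious session produces three behavioural findings and one host to block at the perimeter before any desktop was touched; the benign session produces none.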

The new prevention reality is more than imaginable – it’s here now. Today your adversaries are collecting intel on you while you try and find them. Tomorrow you could be collecting intel on your adversaries as they show their exploits in virtual fishbowls with each user interaction. Today, your users are your liabilities as they infect your network by doing what users do – clicking on links and opening attachments. Tomorrow, your users could be your security deputies – providing you with pre-breach forensic details on every exploit that you can use to block the adversary at the network perimeter. You now have the power to look your adversaries in the face and let them know you mean business about fighting back. You have the power to prevent the breach, not just report on the crime.

The question is – will you?
