There's a trend underway in the information security field to shift from a prevention mentality — in which organizations try to make the perimeter impenetrable and avoid breaches — to a focus on rapid detection, where they can quickly identify and mitigate threats.
Some vendors are already addressing this shift, and some security executives say it’s the best way to approach security in today’s environment. But there are potential pitfalls with putting too much emphasis on detection if it means cutting back on prevention efforts and resources.
Clearly, rapid detection is gaining traction. Research firm IDC has designated a new category for products that can detect stealthy malware-based attacks designed for cyber-espionage (“Specialized Threat Analysis and Protection”) and expects the market to grow from about $200 million worldwide in 2012 to $1.17 billion by 2017.
The thinking behind a shift in security approach is that it’s impossible to keep out everything, so companies should focus on quickly detecting and mitigating threats. While it doesn’t mean abandoning prevention, it suggests companies devote more resources to detection and remediation than they have in the past, with the understanding that breaches are going to happen.
“Prevention is a great strategy when it works. But unfortunately no preventative measure can be completely effective,” says Timothy Ryan, managing director of the Cyber Investigations practice at Kroll Advisory Solutions, a provider of risk mitigation products and services.
“For that reason, companies cannot rely on prevention and protection alone,” Ryan says. They must also rely on an information security plan that blends technology and processes to identify and respond to compromises quickly. The right tools and processes often reduce the time and cost of an investigation, he says.
“Rapid detection and efficient, effective response is the new prevention,” says David Scholtz, CEO of Damballa, a security technology provider. “The mindshift here is what's being prevented. We can no longer prevent our networks and systems from becoming infected, but we can prevent those infections from growing and evolving to become damaging breaches.”
Organizations can do this by discovering threats that successfully bypass layers of prevention and cutting them down before they do damage, Scholtz says. “Today, you can continue to add prevention-based solutions to an already fortified yet disappearing perimeter, but it's the small percentage of threats that get through that then equate to 100% of your risk,” he says.
Cyber criminals are using more sophisticated methods to evade detection, Scholtz says. “They are leveraging these methods precisely because they can easily switch attack vector, or slightly tweak their malware, and instantly they're again undetectable by traditional prevention methods,” he says.
It doesn't matter if an intruder is a trusted insider or a meticulous attacker who has engineered a way in through persistent and crafty means, says Vincent Berk, CEO of FlowTraq, a network security provider. “The bottom line is that hackers are already in your network,” he says. “Once businesses reach this realization, they will automatically start shifting their defensive philosophy from perimeter defense to defense-in-depth.”
This shift in thinking puts more emphasis on careful collection of system logs and traffic records, and focuses on detecting what’s unusual in the network, Berk says. “Large data transfers, unusual access patterns or reconnaissance behavior are all signs of somebody already on the inside searching for the crown jewels,” he says.
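To make Berk's two signals concrete, here is an added example (not code from the article or from FlowTraq) that runs two simple anomaly checks over constructed NetFlow-style records: hosts sending far more data out than their peers, and hosts touching many distinct ports on one target. The hosts, byte counts, ports and thresholds are all assumptions chosen for illustration.

```python
# Added illustration, not from the article: two anomaly checks of the kind
# Berk describes, run over constructed flow records.
from collections import defaultdict
from statistics import median

# Constructed flow records: (src, dst, dst_port, bytes_out). Made-up values.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, 12_000),
    ("10.0.0.5", "10.0.0.21", 445, 9_500),
    ("10.0.0.6", "203.0.113.9", 443, 40_000),
    ("10.0.0.7", "10.0.0.30", 80, 5_000),
    # this host pushes far more data out than any peer
    ("10.0.0.9", "198.51.100.7", 443, 9_000_000),
    # this host touches 40 distinct ports on a single target
    *[("10.0.0.11", "10.0.0.50", p, 60) for p in range(20, 60)],
]


def bytes_per_host(flows):
    """Total egress bytes per source host."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def large_transfers(flows, threshold=3.5):
    """Hosts whose egress is an outlier by the median/MAD robust z-score.

    The median-based score is used instead of mean/stdev because a single
    huge transfer would inflate the standard deviation and hide itself.
    """
    totals = bytes_per_host(flows)
    med = median(totals.values())
    mad = median(abs(b - med) for b in totals.values())
    if mad == 0:  # all hosts send the same amount; nothing stands out
        return []
    return sorted(h for h, b in totals.items()
                  if 0.6745 * (b - med) / mad > threshold)


def port_scanners(flows, min_ports=20):
    """Hosts contacting at least min_ports distinct ports on one destination."""
    seen = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        seen[(src, dst)].add(port)
    return sorted({src for (src, _dst), ports in seen.items()
                   if len(ports) >= min_ports})
```

In a real deployment the baselines would be computed per host over days of history rather than across peers in one batch; the structure of the checks stays the same.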
But not everyone thinks the shift in security mindset is a good idea.
“I think the idea of switching from a prevention strategy to a detection one is a false dichotomy,” says Wendy Nather, research director, security, at 451 Research. “First of all, because prevention tends to be more automated and therefore cheaper than detection. Second, because detection is just as imperfect as prevention. People may complain that antivirus misses a lot of malware, but so do intrusion detection systems. Firewalls and SIEMs are only as good as the experts who configure them, no matter which ‘generation’ they purport to be.”
Many products that are seen as “prevention” actually rely on detection to work, Nather adds, whether it's through signatures, blacklists, rules, heuristics, or other algorithms. “You're looking for specific patterns, either in the data or in the behavior, and taking actions based on what you detect.”
Preventive measures such as whitelisting and mitigating known vulnerabilities “are always going to be just as important as detection,” Nather says. “Giving up on prevention because it can't be done perfectly is a very narrow mindset that security professionals can't afford.”
Prevention “continues to be the top priority for defenders,” adds Wolfgang Kandek, CTO at Qualys, a security platform provider. “The major shift is that the perimeter has dissolved. Today, workstations are as much under direct attack as are Internet-connected servers, and they need to be protected wherever they are, inside the enterprise network, at the user's home, hotels, airports and coffee shops.”
Detection is best used after a comprehensive prevention strategy has been implemented, to go after the advanced threats that make it through even though all preventive steps have been taken, Kandek says. “In a network that has no-to-little preventive technology, detection will get flooded with alerts that will quickly overwhelm IT capabilities to follow up and investigate each alert,” he says.
Many experts say there should ideally be a mix, with organizations giving equal emphasis to prevention and detection.
“There cannot be an ‘either/or’ approach to prevention and rapid detection,” says Ed Powers, national managing principal, security and privacy, at consulting firm Deloitte. “The vast majority of organizations must do both.”
This is because enterprises continually introduce new cyber risks, Powers says. In addition, malicious actors are unrelenting in exploiting these changes, resulting in the rapid evolution of threats — many of which can’t be detected by traditional preventive means.
“At the same time, today’s large organizations are highly complex, and there are practical limits on the resources that can be ‘thrown at’ the problem,” Powers says. “The only feasible option in this environment is to recognize that it is not feasible to afford the same degree of protection to all assets, or to treat all risk factors as being equal.”
According to the Global State of Information Security Survey 2014 by CIO and CSO Magazines and consulting firm PwC, security breaches are increasing. The average respondent had 2,562 incidents that threatened some aspect of computer security two years ago, and this rose to 3,741 in 2013.
“Not all those are impactful, but with that type of volume, some are going to get through and you do need to be able to detect and respond,” says Mark Lobel, principal in PwC’s security advisory practice. “That’s why there needs to be a balance between prevention and detection/response — not just one or the other.”
Companies shouldn’t “abandon their prevention mindset in lieu of rapid detection and effective response,” adds John South, CSO at Heartland Payment Systems, a large payments processor. “In fact, I would argue that each of these support each other in an effective security strategy, given the capabilities of the attackers. We still have to provide the defense in depth — the castle walls, tripwires and alerts — that we have provided in the past to protect our environments.”
The change in thinking today should be that while prevention capabilities are in place and working effectively, the rapid detection of anomalous activity needs to increase, South says. “In effect, our mean time to detection (MTD) needs to decrease from months to minutes,” he says. “Depending on whose statistics you read today, the average MTD ranges from 100 to 180 days or more, giving the attackers the distinct advantage of time.”
There are hardware solutions and applications available to help companies detect attacks, South says, but “it is difficult — and in some cases impossible — for an entity to protect itself using only its own resources and personnel. With the sophistication of the attackers, it is difficult to reduce the signal-to-noise enough to detect the anomalous activity among all of the other network activity. One essential element that can assist in early prevention and detection is information and intelligence sharing.”
Indeed, going forward companies might find themselves sharing more information about security. For years, organizations kept their security information secret from others under the philosophy that weaknesses could be used as a business advantage against them, South says. “This led to environments where the only source of intelligence about who was attacking you was the attacks themselves,” he says.
The financial services industry, working with the Financial Services Information Sharing and Analysis Center (FS-ISAC), has developed a model for companies to participate in and consume the intelligence gathered by many financial institutions, South says.
“This extends organizations' ability to see potential threats before they hit their networks,” South says.
Bob Violino is a freelance writer. He can be reached at firstname.lastname@example.org.