Given the booming state of the cybersecurity market, industry rhetoric is at an all-time high. One of the more nonsensical infosec banalities goes something like this: Cybersecurity has always been anchored by incident prevention technologies like AV software, firewalls, and IDS/IPS systems, but sophisticated cyber-adversaries have become extremely adept at circumventing status quo security controls. Therefore, organizations should give up on prevention and focus all their attention on incident detection and response.
Now, I certainly get the logic of this platitude. Yes, the bad guys do know how to get around our defenses and organizations should in fact improve their detection and response capabilities. But abandon or minimize incident prevention? Poppycock!
Attention Sand Hill Road: The "put all your eggs in detection/response" message is extremely naïve and will kill your credibility with experienced cybersecurity professionals.
Prevention alone won't work, but I'm reminded of the colloquial tale of the two men walking in the woods who spot a bear and start running. When one man exclaims to the other, "we can't possibly outrun the bear," the other retorts, "I'm not trying to outrun the bear, I'm trying to outrun you." In other words, incident prevention isn't intended to build an impenetrable wall around the network, the goal here is to make things as difficult as possible for cyber-adversaries.
In my humble opinion, incident prevention is more important now than ever, and enterprise organizations still need to dedicate ample resources to this effort. Rather than "peanut butter" security controls across the network however, CISOs need to adopt processes and controls for advanced prevention.
What is advanced prevention? Think of more granular security controls based upon things like users, roles, connections, and changes in IT risk. So rather than static rules, configurations and controls, advanced prevention is dynamic as it changes based upon new threats, vulnerabilities, use cases, and business process requirements.
My notion of advanced prevention may still be a bit opaque, so here are a few examples of advanced prevention in action:
- Application controls. Servers and fixed-function endpoints like POS systems and hospital workstations should be instrumented with applications controls from vendors like Bit9, Digital Guardian, Kaspersky Lab, and Intel Security (McAfee). After all, these systems are used for specific tasks that use approved software so there may never be a need to install a new executable.
- Network Access Controls. We've been talking about NAC for 10 years but with technology from Bradford Networks, Cisco, Extreme, and ForeScout, NAC is now ready for primetime. NAC can be used to check the health of endpoint devices, restrict users and endpoints to specific applications and services, and quarantine systems that exhibit suspicious behavior.
- Network segmentation. Think of NAC and network segmentation as kissing cousins as they can be used in concert to limit users and devices to virtual chunks of the enterprise network. OK, I know that network segmentation has been rather cumbersome in the past, but burgeoning technologies like Cisco TrustSec, NFV, SDN, and VMware NSX should enable programmable micro-segmentation over the next few years. This will enable organizations to carve up the network for workgroups, applications, remote users, etc. and do so on-demand. So network segmentation has the potential to limit the attack surface dynamically and substantially.
- Automated remediation based upon threat intelligence. Yeah, this can be difficult too but vendors like Blue Coat, Fortinet, Palo Alto Networks, Symantec, and Trend Micro integrate products and threat intelligence services to automatically update rule sets based upon "in-the-wild" malicious activities. Sophisticated cybersecurity shops can also correlate threat intelligence feeds, enrich the data, and develop threat scoring algorithms to help CISOs prioritize remediation actions. Norse, a threat intelligence vendor, actually includes threat scoring as part of its intelligence feeds, alleviating the need for custom coding. When threat scores exceed a certain threshold, security professionals can develop automated scripts to fine-tune prevention controls and block IoCs like malicious files, IP addresses, URLs, etc.
Now, I'm not suggesting for a minute that any of these advanced prevention methods are perfect – the bad guys will still find their way through the door. But if we make it difficult for them to get in, we can also limit "dwell time," make it easier us to detect and respond when they do get in, and minimize damages. Besides, if we downgraded our focus on prevention, we'd be dealing with a lot more noise from DDoS, pedestrian malware, and script kiddies.
No one is arguing that we need to get better at detection and response, but let's not throw the cybersecurity baby out with the bath water. When it comes to cybersecurity, Silicon Valley marketing rhetoric is not only disingenuous but can also be dangerous. The "let's kill prevention" baloney is a concrete example of this.