How the Psychology of Security Teams and Incentives Rewards Network Compromise…
And What to Do About It!
In security circles today, it is very popular to say “Detection is the New Prevention”. What they really mean is “I’ve given up on prevention as an effective means of stopping attacks, and now will rely on my security team’s ninja skills to find the adversary on my network.”
You can hardly blame them. The anti-virus tech they are running on endpoints has been so ineffective for so long that they dismiss anti-virus as a preventative solution out of hand.
Firewalls and Web proxies, the other main staples of a basic security architecture, limit access but do little to stop targeted attacks. This is true for Web proxies that scrub web requests – they depend on a list of what is bad or good, and that list needs constant updating. With most Web-based attacks originating from compromised legitimate websites, this approach is losing its battle with cybercrime and more advanced actors. And sadly, this is also true for Next Generation Firewalls (NGFWs), whose primary attribute is the ability to programmatically control who gets access to which sites and apps.
Traditional network intrusion detection technology (IDS/IPS) is predicated on knowing the threat ahead of time (with a signature or pattern of some sort) in order to detect it. In other words, targeted and current attacks evade these defenses.
In the space of Advanced Threat Protection technologies, you have RSA Netwitness, BlueCoat/Solera/Norman, Damballa, and FireEye, among others, on the network perimeter looking for either bad content flowing through the perimeter or for network command and control to known bad servers. These technologies are great for telling you about the breach you have – not so much about preventing them from being successful in the first place. The polite terminology for accepting compromise is Patient Zero (or Patient Zero to Patient N).
On the endpoint, the class of “endpoint visibility” type technologies including Crowdstrike, CarbonBlack, HB Gary, among others provide indicators of whether your endpoints are compromised, but in retrospect only – once the indicators are known by someone somewhere. Don’t get me wrong – there is value in knowing your network is compromised, and more specifically, which endpoints are compromised. However, the point is these technologies are useful for post-compromise analysis. Useful information, but certainly not preventative if you are in the role of preventing compromise.
In other words, it is little surprise that the vendors above and the security professionals they influence would be proselytizing that “Detection is the New Prevention” because these techniques at best are designed to tell you about your compromised network, not actually prevent the breach.
Saying Detection is the New Prevention is simply a way of saying “Crap, we don’t know how to stop these threats, so the best we can do is tell you when we get compromised, then hope to get on top of it and hope the adversary is not very competent.”
So what’s wrong with this “Detection is the New Prevention” mentality? First, the reality is what 451 Research’s Wendy Nather said:
“I think the idea of switching from a prevention strategy to a detection one is a false dichotomy,” and continued to say, “First of all, because prevention tends to be more automated and therefore cheaper than detection. Second, because detection is just as imperfect as prevention. People may complain that antivirus misses a lot of malware, but so do intrusion detection systems. Firewalls and SIEMs are only as good as the experts who configure them, no matter which ‘generation’ they purport to be.”
In other words, if you think your preventative anti-virus solution sucks, what gives you confidence that your new detection strategy is any better? And trust me – I’m not saying anti-virus is the solution. I am only pointing out that your other detection approaches will not detect much better, and that they add the inefficiency of human review and analysis on top.
Apply the Target Breach to the “Detection is the New Prevention” Strategy…
Detection in most of these “New Prevention” approaches requires indicators of compromise (IOCs) to find threats. That means by the time you have the indicators (a pattern on a list) and find them on your network, well, you’ve been compromised. At best you’ll find the intrusion on your network after the compromise has occurred, but before a breach of sensitive data. At worst you’ll have a Target magnitude incident. I’m willing to bet Target has Advanced Threat Protection technology in place from one of the ATP vendors listed above, and a competent security and incident response team. From that perspective, the security team at Target succeeded — they detected the threat (the “New Prevention,” recall). How happy do you think the Target CEO, CIO, and Board are at their success in the New Prevention?
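To make the timing problem concrete, here is an added example (not code from the original post, and not any vendor's product) that runs a plain IOC list match over a few constructed proxy log lines. The log format, the host names and the destination `c2-placeholder.invalid` are all constructed; the indicator's "published" date stands for the moment the defender first had it on a list. The point it shows is the one above: the matcher can only flag traffic once the indicator exists, so everything before that date is Patient Zero to Patient N, found in retrospect at best.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    host: str
    dest: str


@dataclass
class Indicator:
    value: str
    published: datetime  # when this IOC first became available to the defender


# Constructed proxy log lines; assumed format "<ISO timestamp> <host> CONNECT <destination>".
PROXY_LOG = """\
2014-01-05T09:12:00 ws-01 CONNECT updates.example.com
2014-01-05T09:13:10 ws-01 CONNECT c2-placeholder.invalid
2014-01-09T14:02:33 ws-02 CONNECT c2-placeholder.invalid
2014-01-21T08:30:05 ws-03 CONNECT c2-placeholder.invalid
2014-01-21T08:31:00 ws-03 CONNECT intranet.example.com
"""

# Constructed indicator list: one placeholder C2 domain, "known" to the defender from 2014-01-20.
INDICATORS = [Indicator("c2-placeholder.invalid", datetime(2014, 1, 20))]


def parse_proxy_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        ts, host, _verb, dest = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, dest))
    return events


def match_iocs(events, indicators):
    """Plain list matching: every event whose destination is on the indicator list."""
    known = {i.value: i for i in indicators}
    return [(e, known[e.dest]) for e in events if e.dest in known]


def matches_known_on(events, indicators, as_of_iso):
    """What the matcher would have flagged if it had been run on `as_of_iso`,
    using only the indicators published by then and the events seen by then."""
    as_of = datetime.fromisoformat(as_of_iso)
    known = [i for i in indicators if i.published <= as_of]
    return [(e, i) for e, i in match_iocs(events, known) if e.ts <= as_of]


def dwell_days_before_indicator(events, indicators):
    """Per indicator: whole days between the first sighting on the network and
    the date the indicator became known (0 if it was already known)."""
    first_seen = {}
    for e, ioc in match_iocs(events, indicators):
        first_seen.setdefault(ioc.value, (e.ts, ioc.published))
    return {v: max(0, (pub - ts).days) for v, (ts, pub) in first_seen.items()}


def hosts_exposed_before_indicator(events, indicators):
    """Patient Zero to Patient N: hosts that talked to the destination before
    the indicator existed, so no list-based match could have caught them."""
    return sorted({e.host for e, ioc in match_iocs(events, indicators) if e.ts < ioc.published})


if __name__ == "__main__":
    events = parse_proxy_log(PROXY_LOG)
    print("hits if run on 2014-01-10:", len(matches_known_on(events, INDICATORS, "2014-01-10")))
    print("hits if run on 2014-01-22:", len(matches_known_on(events, INDICATORS, "2014-01-22")))
    print("dwell days before IOC:", dwell_days_before_indicator(events, INDICATORS))
    print("hosts exposed before IOC:", hosts_exposed_before_indicator(events, INDICATORS))
```

Run on 10 January the matcher flags nothing, because the list is still empty; run on 22 January it flags all three contacts, but two of the three hosts had been talking to the destination for up to two weeks before anyone could have matched them. Only the third host is caught in anything like real time, which is exactly the foot race the post describes.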
Even with a security ninja team on the job 24×7, in the “New Prevention” strategy you are in a foot race against an adversary who has the advantage of choosing the time of the attack (surprise) and the place of the attack (lots of targets). If your security ninja team can win this foot race (at network speeds) between the adversary on the network (since the “New Prevention” strategy has already conceded the network to the adversary) and the data to be protected against breach – then more power to you. You guys rock.
However, how scalable is this strategy? How do you find an A team that is constantly on the go 24×7, weekends and holidays in all the nooks and crannies of enterprise networks?
Unfortunately, humans don’t scale with this problem space.
Oddly enough, there is still a driving need among security professionals to find the bad guys on the network. In other words, there are intrinsic and often extrinsic rewards for actually finding the adversary on the network. The psychology is similar to hunting game and coming home with a trophy. When that happens, the security team is rewarded with kudos and more tangible things, such as a larger budget to grow a larger team. They are hailed as heroes for finding the bad guys. Almost every major security incident results in larger security budgets and often promotions and board level visibility for CISOs.
So, we really have two opposing objectives: (1) the need for security teams to find adversaries on the network in order to be rewarded professionally (big game hunting), which in turn means conceding the network to the adversary, and (2) the need to protect against the breach of IP and sensitive data that comes with network compromise by a motivated adversary. Point 1 speaks to the popularity of “Detection is the New Prevention” for security teams. If we wholesale adopt this approach (the “New Prevention”), then we are assured of compromised networks and big game hunting for security teams. On the other hand, we are also assured of data breaches and loss of sensitive data.
This leads us to the inescapable conclusion: until we change the incentives/rewards, Detection WILL Be the New Prevention AND network compromise and data breach will be the norm.
My solution: adopt architectures that compartmentalize breaches into small zones on networks and on endpoints. Invincea is an example – the compromise is limited by a virtual container that segregates the application being compromised from sensitive data. Security teams get the best of both worlds. You get the data forensics from the compromise (though the virtual container and the malware it is containing are non-persistent) while stopping the breach of data. Best of both worlds!
The DFIR (Data Forensics Incident Response) teams get to study the adversary in the virtual container (think of watching sharks in a shark tank) without risking key enterprise IP and assets. We should develop a reward system that rewards security teams every time they not only stop the adversary this way, but also prevent the breach of data. Finally, the fact that they can now share this data with a larger community makes them good security community citizens.
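The following is an added illustration of the compartmentalization idea in the two paragraphs above, written as a small model rather than any vendor's code; it is not Invincea's implementation and the zone policy, paths and session API are all assumptions. A compromised application runs in a zone with a deny-by-default path policy and a scratch filesystem that is thrown away when the session ends, while every access decision is recorded as evidence that survives the session for the DFIR team. The policy normalizes paths before matching, so a `../` traversal out of the scratch area is refused like any other read of the sensitive share.

```python
import posixpath

# Constructed zone policy (an assumption for this model, not a real product's format):
# each zone lists the path prefixes it may read and write; anything else is denied.
ZONE_POLICY = {
    "browser": {
        "read": ["/sandbox/browser", "/usr/share/fonts"],
        "write": ["/sandbox/browser"],
    },
}


def _under(path, prefixes):
    """True if `path` equals one of the prefixes or lies below it."""
    return any(path == p or path.startswith(p + "/") for p in prefixes)


class IsolatedSession:
    """One non-persistent application session confined to a zone."""

    def __init__(self, zone):
        self.zone = zone
        self.scratch = {}    # container filesystem contents; discarded on close()
        self.evidence = []   # (op, path, decision) records; retained after close()

    def access(self, op, path, data=None):
        # Collapse "." and ".." first so a traversal cannot escape the allowed prefix.
        path = posixpath.normpath(path)
        allowed = _under(path, ZONE_POLICY[self.zone][op])
        self.evidence.append((op, path, "allow" if allowed else "deny"))
        if not allowed:
            return False
        if op == "write":
            self.scratch[path] = data
        return True

    def close(self):
        """End of session: the container state, including anything the attacker
        dropped into it, is discarded; only the evidence record is handed over."""
        self.scratch = {}
        return list(self.evidence)


def simulate_compromised_browser():
    """Constructed scenario: a browser session is compromised, stages a payload
    in its scratch area, then tries two routes to the sensitive customer share."""
    session = IsolatedSession("browser")
    session.access("write", "/sandbox/browser/payload.bin", b"placeholder-bytes")
    session.access("read", "/data/customers/cards.csv")
    session.access("read", "/sandbox/browser/../../data/customers/cards.csv")
    evidence = session.close()
    return evidence, session.scratch


if __name__ == "__main__":
    evidence, remaining = simulate_compromised_browser()
    for record in evidence:
        print(record)
    print("scratch after close:", remaining)
```

The payload write inside the zone succeeds (so the forensic team can see what was dropped and where), both attempts to reach `/data/customers` are denied and logged, and after `close()` the container holds nothing, which is the non-persistence the text describes.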
So be a good corporate and community citizen: adopt innovative architectures that actually stop the breach. You still get the trophy plus you get to prevent data breach!