Is rapid detection the new prevention?

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.networkworld.com/news/2014/010214-outlook-security-277111.html?hpg1=bn


There's a trend underway in the information security field to shift from a
prevention mentality — in which organizations try to make the perimeter
impenetrable and avoid breaches — to a focus on rapid detection, where they
can quickly identify and mitigate threats.

Some vendors are already addressing this
shift,<http://www.networkworld.com/community/blog/advanced-malware-detectionprevention-market>
and
some security executives say it’s the best way to approach security in
today’s environment. But there are potential pitfalls with putting too much
emphasis on detection if it means cutting back on prevention efforts and
resources.

Clearly, rapid detection is gaining traction. Research firm IDC has
designated a new category for products that can detect stealthy
malware-based attacks designed for cyber-espionage ("Specialized Threat
Analysis and Protection”) and expects the market to grow from about $200
million worldwide in 2012 to $1.17 billion by 2017.

The thinking behind a shift in security approach is that it’s impossible to
keep out everything, so companies should focus on quickly detecting and
mitigating threats<http://www.networkworld.com/community/blog/security-skills-shortage-impacting-incident-detection>.
While it doesn’t mean abandoning prevention, it suggests companies devote
more resources to detection and remediation than they have in the past,
with the understanding that breaches are going to happen.

“Prevention is a great strategy when it works. But unfortunately no
preventative measure can be completely effective,” says Timothy Ryan,
managing director of the Cyber Investigations practice at Kroll Advisory
Solutions, a provider of risk mitigation products and services.

“For that reason, companies cannot rely on prevention and protection
alone,” Ryan says. They must also rely on an information security plan that
blends technology and processes to identify and respond to compromises
quickly. The right tools and processes often reduce the time and cost of an
investigation, he says.

“Rapid detection and efficient, effective response is the new prevention,”
says David Scholtz, CEO of Damballa, a security technology provider. “The
mindshift here is what's being prevented. We can no longer prevent our
networks and systems from becoming infected, but we can prevent those
infections from growing and evolving to become damaging breaches.”

Organizations can do this by discovering threats that successfully bypass
layers of prevention and cutting them down before they do damage, Scholtz
says. “Today, you can continue to add prevention-based solutions to an
already fortified yet disappearing perimeter, but it's the small percentage
of threats that get through that then equate to 100% of your risk,” he says.

Cyber criminals are using more sophisticated methods to evade detection,
Scholtz says. “They are leveraging these methods precisely because they can
easily switch attack vector, or slightly tweak their malware, and instantly
they're again undetectable by traditional prevention methods,” he says.

It doesn't matter if an intruder is a trusted
insider<http://www.networkworld.com/community/blog/organizations-remain-vulnerable-insider-attacks>
or
a meticulous attacker who has engineered a way in through persistent and
crafty means, says Vincent Berk, CEO of FlowTraq, a network security
provider. “The bottom line is that hackers are already in your network,” he
says. “Once businesses reach this realization, they will automatically
start shifting their defensive philosophy from perimeter defense to
defense-in-depth.”

This shift in thinking puts more emphasis on careful collection of system
logs and traffic records, and focuses on detecting what’s unusual in the
network, Berk says. “Large data transfers, unusual access patterns or
reconnaissance behavior are all signs of somebody already on the inside
searching for the crown jewels,” he says.

But not everyone thinks the shift in security mindset is a good idea.

“I think the idea of switching from a prevention strategy to a detection
one is a false dichotomy,” says Wendy Nather, research director, security,
at 451 Research. “First of all, because prevention tends to be more
automated and therefore cheaper than detection. Second, because detection
is just as imperfect as prevention. People may complain that antivirus
misses a lot of malware, but so do intrusion detection systems. Firewalls
andSIEMs<http://www.networkworld.com/newsletters/techexec/2013/022213bestpractices.html>
are
only as good as the experts who configure them, no matter which
‘generation’ they purport to be.”

Many products that are seen as “prevention” actually rely on detection to
work, Nather adds, whether it's through signatures, blacklists, rules,
heuristics, or other algorithms. “You're looking for specific patterns,
either in the data or in the behavior, and taking actions based on what you
detect.”

Preventive measures such as whitelisting and mitigating known
vulnerabilities “are always going to be just as important as detection,”
Nather says. “Giving up on prevention because it can't be done perfectly is
a very narrow mindset that security professionals can't afford.”

Prevention “continues to be the top priority for defenders,” adds Wolfgang
Kandek, CTO at Qualys, a security platform provider. “The major shift is
that the perimeter has dissolved. Today, workstations are as much under
direct attack as are Internet-connected servers, and they need to be
protected wherever they are, inside the enterprise network, at the user's
home, hotels, airports and coffee shops.”

Detection is best used after a comprehensive prevention strategy has been
implemented, to go after the advanced threats that make it through even
though all preventive steps have been taken, Kandek says. “In a network
that has no-to-little preventive technology, detection will get flooded
with alerts that will quickly overwhelm IT capabilities to follow up and
investigate each alert,” he says.

Many experts say there should ideally be a mix, with organizations giving
equal emphasis to prevention and detection.

“There cannot be an ‘either/or’ approach to prevention and rapid
detection,” says Ed Powers, national managing principal, security and
privacy, at consulting firm Deloitte. “The vast majority of organizations
must do both.”

This is because enterprises continually introduce new cyber risks, Powers
says. In addition, malicious actors are unrelenting in exploiting these
changes, resulting in the rapid evolution of threats — many of which can’t
be detected by traditional preventive means.

“At the same time, today’s large organizations are highly complex, and
there are practical limits on the resources that can be ‘thrown at’ the
problem,” Powers says. “The only feasible option in this environment is to
recognize that it is not feasible to afford the same degree of protection
to all assets, or to treat all risk factors as being equal.”

According to the Global State of Information Security Survey 2014 by CIO
and CSO Magazines and consulting firm PwC, security breaches are
increasing. The average respondent had 2,562 incidents that threatened some
aspect of computer security two years ago, and this rose to 3,741 in 2013.

“Not all those are impactful, but with that type of volume, some are going
to get through and you do need to be able to detect and respond,” says Mark
Lobel, principal in PwC’s security advisory practice. “That’s why there
needs to be a balance between prevention and detection/response — not just
one or the other.”

Companies shouldn’t “abandon their prevention mindset in lieu of rapid
detection and effective response,” adds John South, CSO at Heartland
Payment Systems<http://www.networkworld.com/news/2010/010810-heartland-to-pay-up-to.html>,
a large payments processor. “In fact, I would argue that each of these
support each other in an effective security strategy, given the
capabilities of the attackers. We still have to provide the defense in
depth — the castle walls, tripwires and alerts—that we have provided in the
past to protect our environments.”

The change in thinking today should be that while prevention capabilities
are in place and working effectively, the rapid detection of anomalous
activity needs to increase, South says. “In effect, our mean time to
detection (MTD) needs to decrease from months to minutes,” he says.
“Depending on whose statistics you read today, the average MTD ranges from
100 to 180 days or more, giving the attackers the distinct advantage of
time.”

There are hardware solutions and applications available to help companies
detect attacks, South says, but “it is difficult — and in some cases
impossible — for an entity to protect itself using only its own resources
and personnel. With the sophistication of the attackers, it is difficult to
reduce the signal-to-noise enough to detect the anomalous activity among
all of the other network activity. One essential element that can assist in
early prevention and detection is information and intelligence sharing.”

Indeed, going forward companies might find themselves sharing more
information about security. For years, organizations kept their security
information secret from others under the philosophy that weaknesses could
be used as a business advantage against them, South says. “This led to
environments where the only source of intelligence about who was attacking
you was the attacks themselves,” he says.

The financial services industry, working with the Financial Services
Information Sharing and Analysis Center (FS-ISAC), has developed a model
for companies to participate in and consume the intelligence gathered by
many financial institutions, South says.

“This extends organizations' ability to see potential threats before they
hit their networks,” South says.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.