Build higher, thicker walls. Dig deeper, wider moats. Increase supply stores within the castle. Finding ways to prevent bad things from happening is simply part of being human. An almost blind embrace of preventative controls found its way into the digital age. From passwords and firewalls to anti-malware and intrusion prevention systems (IPS), we’ve focused much of our resources on prevention.
Prevention Doesn’t Scale
Unfortunately, preventative controls, while absolutely necessary, do not scale. This is why a military wouldn’t depend on a fixed fortification and why a financial institution has more security than a safe. Prevention must be augmented and integrated with controls focused on incident detection and response.
Sticking with the bank analogy, this is why having a safe is necessary, but why it is equally important for that safe to be augmented by video surveillance, alarms, armed security guards, auditors, security awareness training for employees and emergency buttons hardwired to the police station.
Threat Acquisition and Mitigation
The volume, velocity and variety of packets traversing an organization’s IT assets continue to increase. It’s not uncommon to see millions of packets every second on a single network segment, ranging from video and voice to web and DNS. Some of these packets will be malicious. Given enough time, motivation and resources, the attackers behind some of those malicious packets will find their way through your defenses, whether they rely on complex, targeted zero-day attacks or on common exploits that have been in the wild for years. This is a fact regardless of the height of your walls or the depth of your moats.
Instead of being myopically focused on keeping the bad stuff out or the good stuff in, organizations must expand their security posture to more rapidly identify threats and mitigate them efficiently and effectively. One of the best ways to accomplish this from a cybersecurity perspective is to leverage a ‘video camera’ for the network. A packet-level solution is needed that can record what is happening before, during and after an incident that helps to identify an incident and pinpoint the response.
Post-prevention Security Controls
Post-prevention security doesn’t mean organizations should stop trying to prevent bad things. It means expanding the capabilities of an organization’s security posture. It means going beyond a binary perspective of one’s cyber controls being ‘good’ or ‘bad’ and accepting that bad things will happen and thus preparing for that inevitability.
Effective post-prevention controls for incident detection and response that work at the packet level will collect, index, and warehouse all packets – good and bad. These solutions will monitor exfiltration and infiltration, but they should not exist in a vacuum.
Integrating controls for incident prevention, detection and response yields the most robust security posture. For example, integrating a next-generation firewall, IPS, or security information and event management (SIEM) system with a packet capture solution provides greater insight into alerts, logs and events.
When pivoting from these to a packet capture solution, an organization is provided with a more detailed view of what really happened on the network, such as an IM session used for the exfiltration of sensitive files, a PDF with embedded malware, or botnet activity masquerading as legitimate DNS traffic.
With many preventative controls you are given a snapshot of something that looks suspicious. With post-prevention controls focused on packet capture you get the entire movie. Consider SIEM; these events are like getting a phone bill with detailed information about a call. This is valuable, but the underlying packets are like tapping a phone line to get the actual conversation.
Packets by themselves are interesting. Integration with other security tools provides more relevance. Further, adding reputation and hash information that can yield known good files, known bad files, known malicious IP addresses, domains, URLs, etc., helps ensure that those packets are providing optimal value.
Because we are talking about post-prevention – packets that have already gotten past existing security controls, for example – it’s important to have the greatest amount of context possible. Context is critical for machine-based analytics such as correlation, pattern discovery and anomaly detection, along with tools that augment human intuition for analysis. In short, this context makes machines and humans more effective when researching and responding to an incident.
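The pivot described above (from a SIEM or IPS alert to the captured packets around it, then enriching those packets with reputation and hash intelligence) is shown here as an added example. It is not code from the article or from any Blue Coat product; the packet store, the alert, the reputation feeds and the resolver list are all constructed sample data, and the function names are this example's own.

```python
"""Pivot from a SIEM/IPS alert to the packets around it, then enrich them
with reputation and hash intelligence.  Added illustration: the packet
store, alert, reputation feeds and resolver list below are constructed
sample data, not a real product API."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Packet:
    ts: datetime
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes = b""


# Constructed full-packet store (the "video recording").  In practice this is
# an indexed pcap warehouse; here it is a small in-memory list.
T0 = datetime(2024, 1, 15, 10, 0, 0)
PAYLOAD_PDF = b"%PDF-1.7 constructed-sample-pdf"
STORE = [
    Packet(T0 - timedelta(seconds=90), "10.0.0.5", "8.8.8.8", "udp", 53, b"\x00\x01example.com"),
    Packet(T0 - timedelta(seconds=20), "10.0.0.5", "203.0.113.7", "tcp", 443, PAYLOAD_PDF),
    Packet(T0 - timedelta(seconds=5), "10.0.0.5", "203.0.113.7", "udp", 53, b"\x00\x02aGVsbG8.c2.example"),
    Packet(T0, "203.0.113.7", "10.0.0.5", "tcp", 443, b"ack"),
    Packet(T0 + timedelta(seconds=400), "10.0.0.5", "198.51.100.2", "tcp", 80, b"GET / HTTP/1.1"),
    Packet(T0 - timedelta(seconds=3), "10.0.0.9", "203.0.113.7", "tcp", 22, b"ssh"),
]

# Constructed SIEM alert: a single "snapshot" that says something looked suspicious.
ALERT = {"ts": T0, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7",
         "rule": "IPS: outbound TLS to flagged host"}

# Constructed reputation feeds and the organization's sanctioned resolvers.
BAD_IPS = {"203.0.113.7"}
BAD_HASHES = {hashlib.sha256(PAYLOAD_PDF).hexdigest(): "constructed-malicious-pdf"}
GOOD_HASHES = {hashlib.sha256(b"GET / HTTP/1.1").hexdigest(): "benign-http-request"}
RESOLVERS = {"8.8.8.8"}


def pivot(store, alert, window_s=60):
    """Return every packet the alerted host sent or received within
    +/- window_s of the alert, oldest first: the 'movie' around the 'snapshot'."""
    start = alert["ts"] - timedelta(seconds=window_s)
    end = alert["ts"] + timedelta(seconds=window_s)
    host = alert["src_ip"]
    hits = [p for p in store if start <= p.ts <= end and host in (p.src, p.dst)]
    return sorted(hits, key=lambda p: p.ts)


def enrich(packets):
    """Attach reputation/hash context to each packet.  Returns a list of
    (packet, tags) pairs; tags are plain strings so they can feed a SIEM."""
    findings = []
    for p in packets:
        tags = []
        for ip in (p.src, p.dst):
            if ip in BAD_IPS:
                tags.append(f"known-bad-ip:{ip}")
        digest = hashlib.sha256(p.payload).hexdigest()
        if digest in BAD_HASHES:
            tags.append(f"known-bad-file:{BAD_HASHES[digest]}")
        elif digest in GOOD_HASHES:
            tags.append(f"known-good-file:{GOOD_HASHES[digest]}")
        # DNS-port traffic to anything but the sanctioned resolvers is the
        # "botnet masquerading as DNS" pattern the article mentions.
        if p.dport == 53 and p.dst not in RESOLVERS:
            tags.append(f"dns-to-non-resolver:{p.dst}")
        findings.append((p, tags))
    return findings


def investigate(alert, store=STORE, window_s=60):
    """Full pivot: alert -> surrounding packets -> enriched findings -> verdict."""
    findings = enrich(pivot(store, alert, window_s))
    all_tags = sorted({t for _, tags in findings for t in tags})
    bad = any(t.startswith(("known-bad", "dns-to-non-resolver")) for t in all_tags)
    return {"rule": alert["rule"], "packets": len(findings),
            "tags": all_tags, "verdict": "escalate" if bad else "close"}


if __name__ == "__main__":
    result = investigate(ALERT)
    print(f"{result['rule']}: {result['packets']} packets, verdict={result['verdict']}")
    for tag in result["tags"]:
        print("  ", tag)
```

The alert alone only says that one TLS connection was flagged. Pivoting into the packet store shows what the host did in the minute around it: a file with a known-bad hash, a DNS-port datagram sent to a non-resolver, and the flagged peer on both directions. The widening window and the feed lookups are where the "context" of the preceding paragraphs comes from; on a real deployment the feeds and resolver list would be the organization's own.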
Reality
In this world there are bad people who do bad things. Simply trying to stay ahead of the latest attacks is untenable. Preventative controls, while absolutely necessary, must be augmented by solutions designed to strengthen incident detection and response. Having a video camera with complete visibility into the packets entering and exiting your organization, traversing your datacenters and the like, means that you can more rapidly and empirically identify and mitigate threats that have gotten past your preventative controls.
Brian Contos, CISSP, is the VP & CISO for the Advanced Threat Protection Group at Blue Coat