If the cybersecurity industry has transitioned to the concept of detecting rather than blocking, how capable are businesses of actually detecting the threats?
Jason Brvenik is chief technology officer of NSS Labs, and he spoke to Infosecurity about such a challenge. He was previously a principal engineer in the office of the chief security architect at Cisco, a role he assumed after the acquisition of Sourcefire in 2013, where he worked as vice-president of security strategy. He explained that he had joined NSS Labs to build out the company’s security testing programs and cyber-threat protection technologies to address the many gaps that exist in security today, and bring out “truth in security” for buyers when evaluating vendors.
He told Infosecurity that products are tested in “a way that allows us to make comparisons as not all networks and systems are the same,” although he did acknowledge that “it’s incredibly difficult to test in general and create environments that are like real-world conditions.”
Brvenik claimed that NSS Labs “go to extreme lengths to make sure that everyone has equal opportunity to put their best foot forward and configure as an enterprise would do so and then test them in the same way.” This means that there is “no way for us to turn around and produce a report that is unfair.”
Using a piece of malware as an example, he said that a lot of people would say “you cannot test it that way, that is not real world,” but NSS Labs’ perspective is that what matters is whether the customer was compromised or not.
Discussing a recent breach detection test, Brvenik said that a number of products claim the ability to detect breaches, and a number of product suites approach the detection problem by recognizing that you cannot stop everything and setting out to solve that.
“The difference of detection versus intrusion detection and endpoint detection and response is to find the breach by any means possible, and report on it with actionable detail,” he said. “So if you have a forensic EDR product – it may not catch it all.”
He explained that the test was about whether an attack tactic could be detected in a set period of time, and added that to be compromised and not see the attack “is a pretty bad thing.” NSS Labs particularly singled out Lastline, whose technology was the only offering ever tested to achieve 100% detection with zero false positives.
Lastline’s co-founder and CTO Giovanni Vigna told Infosecurity that detection is one piece of the puzzle: “understanding the impact and scope of a breach, and identifying the most effective path to remediation, are other important aspects of the security process.”
So in the current state of security that we are in, is it a case that we cannot stop things but we can detect them? Vigna said: “Not exactly. Breaches can be prevented if the security tool is deployed in the path between the attacker and the victim. Of course, if an attack is not detected it cannot be blocked, or handled. Hence the focus on detection.”
What about the current state of detection overall, is it getting better? Brvenik said that while there are better technologies available now than a decade ago, and organizations’ awareness of the need for more robust monitoring and response to security incidents is apparent, he likened the situation to fraudsters, who changed their business model to incorporate new capabilities: “as technology evolves so will the criminal activity.”
He said: “The goal is not to eliminate it all: to me that would be ideal, but we are never going to eliminate the criminal element from all of society, but rather to make it incredibly difficult to be successful in their crimes without being detected or being able to respond.”
Asked the same question, Vigna agreed that attackers will never go away: they will change their techniques or their targets as better security mechanisms and policies are adopted, but they will not stop. “Therefore, it is necessary to continuously innovate the field of security.”
Breaches will continue and companies will continue to fight malware, so detection may continue as a trend for now.