In the past few years, multiple organizations have experienced high-profile breaches. Target, Sony and the Office of Personnel Management are a few prime examples, but numerous others make headline news on a daily basis. It has become clear that no matter what prevention technologies are being used, it is increasingly difficult to stop determined attackers.
Prevention is a high-stakes game. Multiple technologies and configurations must be deployed in perfect sync to reduce the attack surface available to attackers and slow them down. The list is long, from best practices like network segmentation and vulnerability patching to systems that prevent malware infection and stop data exfiltration. It takes just one mismanaged element for attackers to get in and get out with valuable data. How can IT teams balance the need to prevent with the need to detect?
The Flaws in “Prevent First”
Thought leaders such as Gartner now emphasize the need to balance detection and prevention for enterprise protection, because it is essentially impossible to stop an attack pattern that has never been seen before; that makes "prevent first" an insufficient strategy on its own. Organizations must also invest in detection capabilities to look for suspicious activity in their networks, an area where investment has so far been lacking.
It makes sense. One of the most troubling statistics in cybersecurity is "time to detect". A recent FireEye study found that the median time from compromise to detection dropped to 146 days in 2015 from 205 days in 2014. While this is a marked improvement, the overall picture remains bleak: with most security resources and budgets focused on prevention, the game is essentially over once a breach actually takes place.
Should detection, then, be the primary focus moving forward? The answer is complex. On one hand, prevention is all-or-nothing: an attack was either blocked or it wasn't, and a miss leaves no second line of defense. On the other hand, prevention technologies are more automated, so the cost and skills required for ongoing maintenance are lower.
Detection Challenges
There are, however, unique challenges associated with detection. Detection uses various techniques to filter real indicators of compromise out of the "noise", but there is still a tradeoff between generating a "security event" and having the capacity to analyze it. Sifting through large numbers of false positives requires human resources, skills and judgment, all of which are in short supply, as a recent survey points out. In the early days of fraud detection in banking, customers could tune their risk engines to generate only as many daily alerts as their analysts could handle; everything else was discarded. That isn't good enough for breach detection, where a discarded alert may be the only signal of an intrusion.
Herein lies the biggest challenge: getting skilled people to look at the events that could indicate abnormal activity. This is a tough problem as networks and systems become increasingly complex and intertwined.
What is the Way Forward?
Enterprises must focus on expanding the scope of their prevention and detection capabilities to the entire attack lifecycle, automating as many elements as possible to reduce load on staff, and pre-integrating these capabilities for better insight and control.
Prevention should focus in particular on automation and on extending into the post-breach phase of the attack lifecycle, keeping the following in mind:
• Enterprises must employ the security best practices of segmentation, patching and user education, yet look for ways to automate and reduce effort in these areas, for example by using cloud-based services that are continuously maintained by the service provider.
• Malware infections are at the core of most attacks, most notably the less-targeted but devastating ransomware. Multi-layer malware prevention (URL filtering, sandboxing, network and endpoint anti-malware) is critical.
• Prevention should extend to the post-infection stage, including extrusion (data exfiltration) prevention and blocking command and control (C&C) communication. Most breaches rely on the attacker's ability to drive the "malware beachhead" through C&C communication; stopping that traffic will slow down or cripple the attack.
Detection has to bundle people and technology. If you don't have the people to analyze events in a timely manner, get a managed security services provider to help. Some key points to take into account are:
• A core detection capability is a SIEM or another analytics tool that correlates anomalous user, system and network activity.
• Consider the new capabilities emerging to detect suspicious logins, user activity across enterprise resources (file shares, servers) and the more subtle network anomalies associated with lateral movement and server compromise.
• Favor detection solutions that can adapt over time through deep learning, cloud-based visibility and closed-loop feedback; these are essential to reducing the analysis load on staff.
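Two of the detections described above, beaconing to a C&C server and lateral movement by a single account, can be expressed as short correlation rules run over logs. The following is an added example written for this page, not code from the original article or from any product; the log lines are constructed, and the thresholds (six events and 20% interval jitter for beaconing, five distinct hosts in ten minutes for lateral movement) are assumptions chosen for illustration, not recommended values.

```python
"""Two simple detections over constructed sample logs (added example):
C2-style beaconing (near-constant connection intervals) and lateral
movement (one account logging on to many hosts in a short window)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed connection log (not real data): "<timestamp> <src host> <dst ip>".
# ws-17 -> 203.0.113.50 checks in roughly every 60 s (beacon-like);
# ws-17 -> 198.51.100.10 is bursty and irregular (browsing-like).
CONN_LOG = """\
2023-01-01T09:00:00 ws-17 203.0.113.50
2023-01-01T09:01:01 ws-17 203.0.113.50
2023-01-01T09:02:00 ws-17 203.0.113.50
2023-01-01T09:02:58 ws-17 203.0.113.50
2023-01-01T09:04:00 ws-17 203.0.113.50
2023-01-01T09:05:02 ws-17 203.0.113.50
2023-01-01T09:06:00 ws-17 203.0.113.50
2023-01-01T09:00:05 ws-17 198.51.100.10
2023-01-01T09:00:09 ws-17 198.51.100.10
2023-01-01T09:01:40 ws-17 198.51.100.10
2023-01-01T09:01:41 ws-17 198.51.100.10
2023-01-01T09:05:30 ws-17 198.51.100.10
2023-01-01T09:05:31 ws-17 198.51.100.10
2023-01-01T09:09:00 ws-17 198.51.100.10
"""

# Constructed authentication log: "<timestamp> <src host> <dst host> <user> <event>".
# alice fans out to six servers in two minutes; bob touches two; carol reaches
# six servers, but spread over a working day.
AUTH_LOG = """\
2023-01-01T10:00:00 ws-17 srv-files alice logon
2023-01-01T10:00:20 ws-17 srv-db alice logon
2023-01-01T10:00:45 ws-17 srv-mail alice logon
2023-01-01T10:01:10 ws-17 srv-web alice logon
2023-01-01T10:01:30 ws-17 srv-build alice logon
2023-01-01T10:01:55 ws-17 srv-backup alice logon
2023-01-01T10:03:00 ws-22 srv-files bob logon
2023-01-01T10:04:00 ws-22 srv-mail bob logon
2023-01-01T08:00:00 ws-31 srv-files carol logon
2023-01-01T10:00:00 ws-31 srv-db carol logon
2023-01-01T12:00:00 ws-31 srv-mail carol logon
2023-01-01T14:00:00 ws-31 srv-web carol logon
2023-01-01T16:00:00 ws-31 srv-build carol logon
2023-01-01T17:00:00 ws-31 srv-backup carol logon
"""


def _parse(log):
    """Yield (datetime, remaining fields...) for each non-empty line."""
    for line in log.strip().splitlines():
        parts = line.split()
        yield (datetime.fromisoformat(parts[0]), *parts[1:])


def find_beacons(conn_log, min_events=6, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    Malware beaconing to a C&C server usually fires on a fixed timer with a
    little jitter, while interactive traffic produces irregular gaps. The
    coefficient of variation (stddev / mean) of the gaps is 0 for a perfect
    timer. Returns {(src, dst): cv} for pairs at or below max_jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in _parse(conn_log):
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            flagged[pair] = round(cv, 3)
    return flagged


def find_lateral_movement(auth_log, window_minutes=10, min_hosts=5):
    """Flag users who log on to >= min_hosts distinct hosts inside a sliding window.

    Counting distinct targets per time window separates an attacker fanning
    out from a stolen account (many hosts in minutes) from a legitimate user
    reaching the same hosts over a day. Returns {user: peak distinct hosts}.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, _src, dst, user, event in _parse(auth_log):
        if event == "logon":
            by_user[user].append((ts, dst))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(hosts))
        if peak >= min_hosts:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print("beacons:", find_beacons(CONN_LOG))
    print("lateral movement:", find_lateral_movement(AUTH_LOG))
```

Run as-is it reports only the ws-17 to 203.0.113.50 pair and only alice. Widening the lateral-movement window to a full day also flags carol, which is the point made above about alert volume: the thresholds decide how many events reach an analyst, so they have to be set against real baseline data and the team's capacity to investigate, not just to make the rule fire.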
Ultimately, the security environment has evolved to the point where there is no longer a viable tradeoff to be made between prevention and detection. Securing your network today requires doing both, well.