by John Hayes, CTO and co-founder
There has long been a debate in cyber security with respect to strategy - detect or defend? This debate is framed by the threats being faced and by the tradeoffs of choosing one strategy over another. We generally prepare for the threats that we have seen. In the case of cyber security, many of the resources devoted to cyber security have been framed in the context of the Advanced Persistent Threat or APT. The APT is characterized by infiltration, stealth and persistence with the goal of stealing sensitive information and laying the groundwork to disable or disarm systems in the future. Many analyses of APT infiltrations showed the time between initial infiltration to detection is measured in weeks or months. Many technologies and products were developed and deployed to detect these infiltrations. This led to the first round of detect or defend debates, which was largely won by the detect philosophy with the most convincing argument being: “Why focus on defense when your systems have already been compromised?”
Organizations deployed various detection products with their results sometime being communicated to Security Information and Event Management (SIEM) or analytic systems. More advanced malware detection approaches appeared with increasing computational complexity designed to detonate malware in sandboxed environments. And major breaches continued to occur. Before the 2013 Target breach, Target had installed detection products. During the data breach, Target received notifications that malware was detected, but this information was lost in the sea of notifications — the detection software was unable to differentiate between a specific attack and less threatening malware, prioritizing both equally. Information overload is a term commonly heard by security professionals and many detection security products cannot place a detection event in a context to allow for their interpretation as part of a system.
Detection products use various techniques to detect malware and malicious activity. Blacklisting compares web content and binaries against catalogs of known malware. Zero-day attacks are attacks that are not present in malware catalogs making their detection impossible by static catalog techniques. New strains of malware known as polymorphic malware obfuscate their code to escape detection, further limiting detection. Another approach uses sequences of behavioral traits to detect malicious activity. This approach can detect some polymorphic and zero-day attacks, but is more prone to false positives that traditional blacklisting.
A false positive is when a security system flags a security event as malicious when it is benign. False positives impact operations by preventing authorized users or devices from performing their assigned tasks. False positives are also one of the reasons that there has been so much resistance to technologies that defend. Detection products are passive; they often are attached to SPAN ports on a network that mirrors network traffic to detection systems. Protection products, in contrast, are active and sit inline in the network data path. A false positive in a detection product leads to an extra warning, with little real impact. A false positive by a protection product leads to denied access to the requested resource.
Time to Detect and Respond
A distinct aspect of detection products is what happens when malicious activity is detected. Often, indications of malicious activity are reported to a SIEM system. The SIEM system subsequently notifies a security administrator in a Security Operation Center (SOC). Rarely do the systems react on their own. This adds a second time element, the time to address a given issue. An SOC for a large enterprise receives thousands or tens of thousands of security events each day. Prioritizing them is difficult as was shown by the Target breach. Many security events are never addressed and addressing high priority events may be further delayed by work backlogs. Being under direct cyber-attack further exacerbates response, overwhelming SOCs and their response teams.
The delay in detection of malicious activity and the delay in responding spans timeframes measured in weeks and months. This was already unacceptable when the APT was the primary threat. After the recent WannaCry and Petya/NotPetya ransomware attacks, where data has been encrypted and systems have been rendered inoperable, this approach and time lag is no longer tolerable. The losses from the WannaCry attack has been estimated as high as $4 billion worldwide. The losses from Petya/NotPetya could exceed 10 times that amount. The operations FedEx’s TNT unit were disrupted for months causing a material impact to FedEx’s finances.
Automated and Adaptive Defense
In the past, organizations have been unwilling to implement cyber security protection products, arguing that there is too much operation impact, systems are already compromised, and their IT staffs and budgets are stretched too thin. More attention must be given to new and adaptive defensive technologies.
The biggest drawback to defensive technologies, false positives, can be addressed in several ways. Defense must move to using authenticated information such as identity to provide a stronger basis for making defensive decisions. Those defensive decisions must be narrowly targeted, ideally against authenticated targets. Finally, those defensive decisions must be automated. Without defense automation, attacks such as WannaCry and Petya/NotPetya will continue to plague IT systems. Cyber-attacks have long been automated and they are continuously updated. Cyber defense must be automated and adaptive to have any chance of protecting cyber and digital assets.
Our Internet infrastructure continues to be very vulnerable to attack and our attack surface is increasing as the Industrial IoT and consumer IoT converges with our enterprise IT networks. In the wake of WannaCry and Petya/NotPetya, not implementing additional protection technologies is reckless and negligent. Organizations must move past the weaknesses of the deployed security technologies and the over reliance on detection that have failed so spectacularly, and adopt new cyber defense technologies using identity and authentication ubiquitously across network, session and application layers.
BlackRidge Technology products block unidentified and unauthorized access to protected network resources and protect those resources from discovery from unauthorized network mapping and reconnaissance. Detection and mitigation of network breaches is no longer an option, we must actively defend and protect resources.