I’ve made the argument before that complete information security protection requires a combination of prevention and detection. Further, I believe we have overinvested, become overly reliant on and dangerously complacent with our preventative capabilities. The result is we are exposed and are woefully underinvested in our detection capabilities.
At first, my assertions may sound counterintuitive. Detection is foundational security stuff –“Security 101” so to speak. Haven’t we been doing this for years?
If that is true, why do advanced intrusions that bypass traditional mechanisms persist undetected for extended periods of time (e.g. RSA, Google, TJX, Sony, etc etc) ? Something is clearly not working.
The disconnect lies in what we are detecting today and how we are detecting it and how this needs to evolve moving forward.
Think about this for a moment: Detecting attempted intrusions is quite a different problem than detecting successful intrusions.
Let me explain. There are basically two ways you can identify if something is bad.
1) You can figure out what “bad” looks like and then look for similarities to this. You could even get more clever and based on the knowledge of a vulnerability, figure out what “bad” would have to look like in order to exploit the vulnerability and then use these generic models of “badness” to stop unknown attacks on known vulnerabilities. Either way, detection and prevention of the attack its based on models of what is “bad”. This is the core of traditional AV and IPS protection and we are pretty good at this. So, to the extent that these can detect attacks – yes, we been doing this for a long time. But they aren’t detecting successful attacks that bypass models of what “bad” is It is precisely these mechanisms that are failing us with APTs because a targeted and unique attack has no predefined model of badness (aka signature, IPS rule, vulnerability-facing filter) to catch it.
2) The other way to identify that something is bad is to get a really, really solid idea of what “good” looks like and then look for meaningful differences from this. This is the heart of advanced monitoring and understanding what normal baseline patterns of behavior at all levels (packets, sessions, applications, transactions, etc) looks like. We are not good at this. Note that putting an IPS into ‘detect’ mode doesn’t deliver this type of detection- that’s just another form of #1 above. Doing #2 right requires a large number of sensors and detailed analysis of activities in order to identify anomalous behavior which goes beyond log monitoring and current generations of security information and event management. This is precisely why I believe information security is becoming a big data problem and why advanced analytics will be at the core of the next generation of all security platforms – endpoint, network, edge, data and so on. Also, once we have solid models of “goodness” we can focus on removing these and looking at what’s left. This second approach is exactly what I was talking about in my recent blog post on finding the APT needles in the IT haystack. You don’t have to know what needles look like, you only have to know what “good” (high assurance) hay looks like, remove this and see what is left.
The next big area of spending in information security will be to beef up our capabilities in the second category – more sensors, more monitoring and more analytics delivering improved situational awareness of advanced intrusions which bypass all of our first category protection and detection mechanisms.
Category: Beyond Anti-Virus Information Security Next-generation Security Infrastructure Tags: Adaptive Security Infrastucture, Cloud Security, Defense-in-Depth, Information Security, Next-generation Security Infrastructure, Security-Summit-NA