Cyber Defense Solutions – Are we Playing the Wrong Hand?
If the house always wins, and we are the house, how come we keep losing?
Because we are playing the game of cyber defense wrong!
So far, as an industry, we’ve focused the majority of our IT security efforts on prevention (e.g., firewalls, anti-virus) or on next-gen versions of the same (e.g., NGFW, sandboxing, etc.). This makes sense if you apply the wisdom of the physical world: an ounce of prevention is worth a pound of cure.
The problem is that such cyber defense solutions are not perfect. In fact, recent research reveals that even the latest and greatest miss 5-7% of *known* malware – never mind unknown malware. And this is where common sense from the physical world fails us. Whereas in the real world actions have a high cost, online many actions can be performed for free, or at near-zero cost. This is why we get (or got, if your anti-spam is up to snuff) hundreds of spam emails a day (vs. 5-10 pieces of junk mail).
And this is why we’ve set things up for attackers to win.
An attacker can keep trying to infiltrate a network or system endlessly until they find something that gets through. In the past, they often did this by spreading their attacks across a huge range of targets until something stuck. Now, with more targeted attacks, they’ll spend time on the target of choice until they find something the defenses can’t stop.
In other words, we’ve set things up such that we have to be *perfect* to keep attackers out, and there is no consequence or cost to them to keep trying until we fail (to prevent) and they succeed (to infect).
Once inside, the spate of ever-larger cyber breaches over the last few years shows that attackers can run rampant: spread, obtain the data they seek, and exfiltrate it. Or even launch destructive action if that is their intent (Sony).
How can we change the game?
As defenders, we need to find a way to force the attackers to be perfect to get away with their crimes. This is how physical security works, especially when coupled with the ability for police investigation after the fact: one fingerprint, one hair follicle, one good witness and physical criminals are caught. But since most attacks are launched from overseas (or at least heavily concealed by jumping through other systems first), that model doesn’t work well online.
So, where are the attackers disturbing our environment by leaving digital traces, and how might we be able to effectively detect and respond?
Most solutions that attempt this through correlation or anomaly detection haven’t succeeded (or at best generate a flood of alerts that may contain real traces but paralyzes response). Incident response eventually builds up a good picture of what happened after the breach is found. But there is a large gap between the infection and the eventual detection (we call this the “breach detection gap”).
With the correct tools, we can catch any attacker on our network unless they are *perfect*. They spend extensive time in the attack lifecycle performing reconnaissance, lateral movement, data theft, etc. They *are* leaving traces – ripples of anomalous behavior that can be teased out from the normal profile of user and application activity.
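As an added illustration (not part of the original post, and not any vendor's product), here is a small baseline-versus-anomaly detector in Python run over constructed authentication and egress log lines. The log format, the user and host names, the dates and the thresholds are all assumptions chosen for the example: it learns each user's normal set of hosts and daily egress volume from a few quiet days, then flags a day on which a user fans out to many never-before-seen hosts (a lateral-movement ripple), sends an order of magnitude more data than ever before (an exfiltration ripple), or has no baseline at all (an account that simply never existed before).

```python
from collections import defaultdict, namedtuple

# Constructed sample log lines (not real data). Assumed line format:
#   "<YYYY-MM-DD> <user> auth host=<host>"  or  "<YYYY-MM-DD> <user> egress bytes=<n>"
# Days 01-04 are quiet; on 03-05 "alice" fans out to new hosts and pushes ~4.8 GB out,
# and a never-seen account "carol" appears.
SAMPLE_LOGS = """\
2024-03-01 alice auth host=fs-01
2024-03-01 alice auth host=mail-01
2024-03-01 alice egress bytes=150000
2024-03-01 bob auth host=build-01
2024-03-01 bob egress bytes=900000
2024-03-02 alice auth host=fs-01
2024-03-02 alice egress bytes=120000
2024-03-02 bob auth host=build-01
2024-03-02 bob auth host=git-01
2024-03-02 bob egress bytes=1100000
2024-03-03 alice auth host=fs-01
2024-03-03 alice auth host=mail-01
2024-03-03 alice egress bytes=200000
2024-03-03 bob auth host=build-01
2024-03-03 bob egress bytes=950000
2024-03-04 alice auth host=fs-01
2024-03-04 alice auth host=wiki-01
2024-03-04 alice egress bytes=180000
2024-03-04 bob auth host=git-01
2024-03-04 bob egress bytes=1000000
2024-03-05 alice auth host=fs-01
2024-03-05 alice auth host=ws-017
2024-03-05 alice auth host=ws-042
2024-03-05 alice auth host=dc-01
2024-03-05 alice auth host=db-02
2024-03-05 alice auth host=db-03
2024-03-05 alice egress bytes=4800000000
2024-03-05 bob auth host=build-01
2024-03-05 bob auth host=git-01
2024-03-05 bob egress bytes=1050000
2024-03-05 carol auth host=fs-01
"""
BASELINE_DAYS = {"2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04"}
DETECTION_DAY = "2024-03-05"

Event = namedtuple("Event", "day user kind value")  # value: host name or byte count

def parse_logs(text):
    """Parse the assumed log format into Event records; reject anything else."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, kind, kv = line.split()
        key, value = kv.split("=", 1)
        if kind == "auth" and key == "host":
            events.append(Event(day, user, "auth", value))
        elif kind == "egress" and key == "bytes":
            events.append(Event(day, user, "egress", int(value)))
        else:
            raise ValueError(f"unrecognised log line: {line!r}")
    return events

def daily_profile(events):
    """(day, user) -> {'hosts': set of hosts touched, 'bytes': total egress}."""
    prof = defaultdict(lambda: {"hosts": set(), "bytes": 0})
    for e in events:
        slot = prof[(e.day, e.user)]
        if e.kind == "auth":
            slot["hosts"].add(e.value)
        else:
            slot["bytes"] += e.value
    return prof

def build_baseline(events, baseline_days):
    """Per user: every host seen, plus the busiest day (hosts and bytes) in the quiet period."""
    prof = daily_profile(e for e in events if e.day in baseline_days)
    baseline = defaultdict(lambda: {"known_hosts": set(), "max_hosts": 0, "max_bytes": 0})
    for (_day, user), slot in prof.items():
        b = baseline[user]
        b["known_hosts"] |= slot["hosts"]
        b["max_hosts"] = max(b["max_hosts"], len(slot["hosts"]))
        b["max_bytes"] = max(b["max_bytes"], slot["bytes"])
    return dict(baseline)

def detect_ripples(events, baseline, day, new_host_limit=3, fanout_factor=2.0, egress_factor=10.0):
    """Return (user, kind, detail) alerts for one day; thresholds are illustrative assumptions."""
    alerts = []
    prof = daily_profile(e for e in events if e.day == day)
    for (_day, user), slot in sorted(prof.items()):
        b = baseline.get(user)
        if b is None:  # edge case: no history at all, so nothing to compare against
            alerts.append((user, "no-baseline", f"first activity ever seen on {day}"))
            continue
        new_hosts = slot["hosts"] - b["known_hosts"]
        if len(new_hosts) >= new_host_limit or len(slot["hosts"]) > fanout_factor * b["max_hosts"]:
            alerts.append((user, "lateral-movement", f"{len(new_hosts)} new hosts: {sorted(new_hosts)}"))
        if slot["bytes"] > egress_factor * b["max_bytes"]:
            alerts.append((user, "exfiltration", f"{slot['bytes']} bytes vs baseline max {b['max_bytes']}"))
    return alerts

def run_example():
    events = parse_logs(SAMPLE_LOGS)
    return detect_ripples(events, build_baseline(events, BASELINE_DAYS), DETECTION_DAY)

if __name__ == "__main__":
    for user, kind, detail in run_example():
        print(f"{DETECTION_DAY} {user:6} {kind:17} {detail}")
```

The point of the example is the shape of the check, not the numbers: a single day's fan-out to hosts a user has never touched is exactly the kind of ripple an attacker moving laterally cannot avoid making, and a baseline built per user keeps the alert count small enough that a responder can actually act on it, which is the failure mode of the flood-of-alerts tools above.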
If we can catch just one of these ripples, we can stop the attack before damage is done, and with the right tools this can be a largely automated process.
Done right, this detection can be fast enough and accurate enough to close the breach detection gap. These new cyber defense solutions will make sure the house starts winning.