In this episode of Dark Rhino’s Security Confidential, Hosts Manoj Tandon and Tyler Smith talk to Chris Gerritz, Co-founder and Chief Product Officer at Infocyte. They discuss the Prevention Paradox and how to avoid it. There are three pillars of cybersecurity: prevention, detection, and response. There is a tendency, for companies, to focus extensively on prevention. In the SANS sliding scale of cybersecurity, prevention is at the forefront with detection and response more to the right on the scale. Many a company following the SANS Sliding Scale ends up with an extensive focus on prevention for a host of reasons which are discussed. Prevention can take several forms, one of the most common being the use of endpoint protection tools like Next Generation Anti-Virus (NGAV). The advances made in these tools have been significant over the past many years with the incorporation of artificial intelligence with machine learning into their detection engines. These advanced technologies are not enough. Why?


Pyramid of Pain

There are three levels of unknowns as one climbs the Pyramid of Pain. There are known-knowns, unknown-knowns, and unknown-unknowns.

Known-knowns are easy to deal with: their signatures are known and their exploits are well documented. Unknown-knowns are a bit trickier, but with behavioral detection, through machine learning in NGAV, they can be handled with great effectiveness. The unknown-unknowns are the most difficult to deal with, and they sit at the pinnacle of the Pyramid of Pain. They make use of novel tools, tactics, and procedures (TTPs) that are not yet within the grasp of detection through automation or pattern recognition. Uncovering attacks based on novel TTPs is not within the domain of a vendor and requires proactive, human-driven threat hunting. This is best evidenced in recent times by the exploitation of the SolarWinds vulnerability with Sunburst. The TTPs used were so advanced that FireEye and the US Federal Government could not detect the attack with the plethora of tools, processes, and technologies they had in place for their cyber defense. It was only detected by human intelligence.

The more focus is put on prevention, the more data becomes available to attackers on the methods of prevention. They keep testing cyber defenses and are able to come up with alternative methods to bypass those defenses. On the part of the defender, the belief is that they are well protected, and they may not readily realize their methods have been compromised, thus allowing indefinite dwell times on the part of the attacker. This is the prevention paradox. The panelists, Manoj Tandon, Chris Gerritz, and Tyler Smith, discuss the prevention paradox. Both Chris Gerritz and Tyler Smith are ex-US Military. Chris Gerritz spent his service time in the US Air Force. It was in the US Air Force that the term “The Prevention Paradox” was coined. It has not been extensively talked about until now.

Avoid the Prevention Paradox

The panelists discuss how to layer in detection and response with proactive threat hunting. Threat hunting is typically a very intensive activity requiring the forming and manual testing of hypotheses based on log data collected from the many available sources. Layering in Dark Rhino Security’s Six Sigma-based Iπ&r process for detection and response, which utilizes Infocyte, enables analytics-based hypotheses to be formed and tested rapidly across the entire network. What used to take days and weeks can now be done in minutes and hours. The rapid analytics-based assessment of multiple hypotheses for environment compromise dramatically reduces attacker dwell times. More importantly, the approach allows for rapid isolation and the blocking of lateral movement, so the organization’s exposure to legal, reputational, and monetary losses is greatly curtailed. A case study involving a major hospital system is discussed.

Dark Rhino Security’s “Security Confidential” is a weekly cybersecurity podcast where host Manoj Tandon talks to infosec and cybersecurity professionals about the current issues going on in our industry. Guests are able to share their stories about how they began their journey into cybersecurity and connect with our audience. Listeners are able to tune in through Spotify, Apple Podcasts, Google Podcasts, Amazon Music, iHeartRadio, YouTube, LinkedIn, and more.

For inquiries, please email media@darkrhinosecurity.com
