The more focus a company puts on prevention of cyber-attacks, paradoxically, the more unsecure it becomes. In an environment where a heavy prevention strategy is used the dwell time of attackers can be indefinite. This episode of Dark Rhino’s Security Confidential focuses on the Prevention Paradox and how to avoid it. There are three pillars of cybersecurity: prevention, detection, and response. There is a tendency, for companies, to focus extensively on prevention. In the SANS sliding scale of cybersecurity prevention is at the forefront with detection and response more to the right on the scale. Many a company following the SANS Sliding Scale end up with extensive focus on prevention for a host of reasons which are discussed. Prevention can take several forms, one of the most common being the use of endpoint protection tools like Next Generation Anti-Virus (NGAV). The advances made in these tools have been significant over the past many years with the incorporation of artificial intelligence with machine learning into their detection engines. These advanced technologies are not enough. Why?
There are three levels of unknowns as one climbs the Pyramid of Pain. There are: known-knowns, unknown-knowns, and unknown-unknowns. Known-knowns are easy to deal with it. Their signatures are known and their exploits well documented. Unknown-knowns are a bit tricker but with behavior detection through machine learning in NGAV they can be handled with great effectivity. The unknown-unknowns are the most difficult to deal with and they are at the pinnacle of the pyramid of pain. They make use of novel tools, tactics, and procedures (TTPs) that are not yet within the grasp of detection through automation or pattern recognition. The uncovering of attacks based on novel TTPs is not within the domain of a vendor and requires proactive human based threat hunting. This is best evidenced in recent times by the exploitation of the Solarwinds vulnerability with Sunburst. The TTPs used were so advanced that Fireye and the US Federal Government could not detect the attack with the plethora of tools, processes, and technologies they had in place for their cyber defense. It was only detected by human intelligence.
The more focus that is put on prevention the more data becomes available to attackers on the methods of prevention. They keep testing cyber defenses and are able to come up with alternative methods to by-pass those defenses. On the part of the defender, the belief is that they are well protected, and they may not readily realize their methods have been compromised and thus allow indefinite dwell times on the part of the attacker. This is the prevention paradox. The panelists, Manoj Tandon, Chris Gerritz, and Tyler Smith discuss the prevention paradox. Both Chris Gerritz and Tyler Smith are ex US Military. With Chris Gerritz spending his service time in the US Air Force. It was in the US Air Force that the term “The Prevention Paradox” was coined. It has not been extensively talked about till now.
The panelists discuss what an organization can do to avoid the prevention paradox. The first thing is a distinct separation of the detect and response tools from the endpoint protection tools must be had. It is very tempting to have a single vendor for detection, response, and endpoint protection. Many organizations use one vendor for protection, detection, and response. This causes organizations to fall into the prevention paradox. ALL available technologies in the market don’t detect everything for one. What they miss it may be a while before they know about it and address it. The EDR platforms must be separated from endpoint protection. This causes separation between detection and response tactics to be from endpoint protection tactics. A strategy that will make it difficult for attackers to determine defensive TTPs.
The panelists discuss how to layer in detection and response with proactive threat hunting. Threat hunting is typically a very intensive activity requiring the forming and manual testing of hypothesis based on log data collected from the many available sources. Layering in the Dark Rhino Security’s Six Sigma based Iπ&r process for detection and response, which utilizes Infocyte, enables rapid analytics-based hypotheses to be formed and tested rapidly across the entire network. What used to take days and weeks to be accomplished can now be done in minutes and hours. The rapid analytics-based assessment of multiple hypotheses for environment compromise dramatically reduces the dwell times of attackers. More importantly, the approach allows for rapid isolation and the blocking of lateral movement so the organizations exposure to legal, reputational, and monetary losses is greatly curtailed. A case study involving a major hospital system is discussed.
Podcast is available here and at your favorite podcast outlet the vidoecast of the webinar replay is below.