Blanket approaches to cyber security don’t work. Too many vendors pile generic signature on generic signature and alert on alert, without any resulting action. These legacy solutions are stuck in the assumption that all threats are the same and equally easy to stop – and we know that isn’t the case.
I won’t spend this article detailing how adversaries have gotten more clever, or how attacks are becoming more complex. But here is something we haven’t spent enough time on as an industry: tailoring your security policy and protections to the actual threats experienced by your organization, and to the threat landscape at large.
Let me illustrate this with a simple but powerful example. Think back over the last six months: have you used a Rich Text Format (RTF) file in the daily course of business? I would imagine the majority of you are shaking your head “no” right now.
Recently, there have been multiple critical vulnerabilities in the handling of RTF files that, if exploited, give a remote attacker access to the machine that opened the file. If your business has no reason to use RTF files, and there are active vulnerabilities or exploits against them, wouldn’t you want the ability to simply block them from ever entering your network? This is only one example, but there is an ever-evolving world of vulnerabilities and exploits against particular file types. What matters is the ability to quickly block a file type when something new and malicious surfaces, or, better still, to whitelist only the content that each group of your employees actually needs at any given time.
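One practical caveat when blocking a file type: the decision has to be made on what the file actually is, not on its extension, because an RTF document renamed to .doc will still open in Word. The following is an added example, not code from the original article; the signature table, the allowed-type set and the sample files are constructed for illustration.

```python
"""Added example (not from the article): a content-based file-type gate.
Files are identified by their leading bytes and then checked against an
allowlist, so a renamed RTF cannot slip through as a .doc."""
from typing import Dict, Optional, Tuple

# Leading-byte signatures for a few common document containers.
SIGNATURES: Dict[bytes, str] = {
    b"{\\rtf": "rtf",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "ooxml_or_zip",                  # .docx/.xlsx/.pptx are zip containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy binary .doc/.xls/.ppt
}

# What each well-known extension *claims* to contain (assumed mapping).
EXTENSION_TYPES: Dict[str, str] = {
    "rtf": "rtf", "pdf": "pdf",
    "docx": "ooxml_or_zip", "xlsx": "ooxml_or_zip", "pptx": "ooxml_or_zip", "zip": "ooxml_or_zip",
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the container by its leading bytes; None if unrecognised."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def gate(filename: str, data: bytes, allowed: set) -> Tuple[str, str]:
    """Return ("allow" | "block", reason). The verdict is driven by content."""
    actual = sniff_type(data)
    if actual is None:
        return "block", "unrecognised content"
    expected = EXTENSION_TYPES.get(extension(filename))
    if expected is not None and expected != actual:
        # A name that lies about its content is suspicious on its own.
        return "block", f"extension .{extension(filename)} does not match content ({actual})"
    if actual not in allowed:
        return "block", f"content type {actual} is not on the allowlist"
    return "allow", f"content type {actual} permitted"


# Constructed sample files (truncated headers only, not real documents).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("notes.rtf",   b"{\\rtf1\\ansi\\deff0 {\\fonttbl}}"),
    ("report.doc",  b"{\\rtf1\\ansi\\deff0 {\\fonttbl}}"),   # RTF renamed to .doc
    ("memo.docx",   b"PK\x03\x04\x14\x00\x06\x00"),
    ("blob.bin",    b"\x00\x01\x02\x03"),
]

# Assumed policy for a group that never needs RTF: PDF and Office containers only.
ALLOWED = {"pdf", "ooxml_or_zip", "ole2"}


def run_sample() -> Dict[str, Tuple[str, str]]:
    return {name: gate(name, data, ALLOWED) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, (verdict, reason) in run_sample().items():
        print(f"{name:<12} {verdict:<5} {reason}")
```

The allowlist is per group, so the same gate can permit RTF for the one team that genuinely needs it while blocking it everywhere else.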
Here is another example. I was talking with a security practitioner at a major healthcare organization who noticed a series of IPs that kept trying to compromise his public web presence. After quickly identifying the offending IPs, he would add them to a blacklist for a set period of time and then remove them from the list. If they re-offended, they were blocked permanently. This exercise let him protect his organization without cutting off legitimate access.
Let’s take this one step further: what if your IPS/IDS or network anti-malware didn’t just pull from some giant database of threats your provider thinks you will experience, or from a large group of outsourced signature-creation teams? What if your protections were created automatically from the actual threats attempting to breach your organization?
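The escalating blacklist in the healthcare example, and the idea of generating rules from the threats you actually observe, can be expressed as a small policy engine. The following is an added example and not the practitioner’s tooling or the article’s own code; the log format, the probe paths, the thresholds and the RFC 5737 test addresses are all assumptions.

```python
"""Added example (not from the article): an adaptive blocklist that turns
observed probing into firewall rules. Policy: a burst of probes earns a
temporary block; re-offending after that block expires earns a permanent one."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample web-server log (not real traffic). One request per line:
# client IP, seconds since start, HTTP status, requested path.
SAMPLE_LOG = """\
203.0.113.7 ts=0 status=404 path=/wp-login.php
203.0.113.7 ts=5 status=404 path=/phpmyadmin/
203.0.113.7 ts=9 status=403 path=/.env
198.51.100.2 ts=10 status=200 path=/index.html
203.0.113.7 ts=12 status=404 path=/xmlrpc.php
203.0.113.7 ts=700 status=404 path=/wp-login.php
198.51.100.2 ts=800 status=200 path=/about.html
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) ts=(?P<ts>\d+) status=(?P<status>\d+) path=(?P<path>\S+)$")

# Assumed indicators of probing: paths this site never serves, or access denials.
PROBE_PATHS = ("/wp-login.php", "/phpmyadmin/", "/.env", "/xmlrpc.php")


def is_offense(path: str, status: int) -> bool:
    return path.startswith(PROBE_PATHS) or status in (401, 403)


@dataclass
class Offender:
    hits: List[int] = field(default_factory=list)   # recent offense timestamps
    blocked_until: Optional[int] = None              # end of the temporary block
    temp_blocks: int = 0                             # temporary blocks issued so far
    permanent: bool = False


class AdaptiveBlocklist:
    def __init__(self, threshold: int = 3, window: int = 60, temp_block: int = 600):
        self.threshold, self.window, self.temp_block = threshold, window, temp_block
        self.offenders: Dict[str, Offender] = {}

    def observe(self, ip: str, ts: int, offense: bool) -> str:
        """Feed one request; return the verdict that applied to it."""
        o = self.offenders.setdefault(ip, Offender())
        if o.permanent:
            return "permanent"
        if o.blocked_until is not None:
            if ts < o.blocked_until:
                return "blocked"            # still inside the temporary block
            o.blocked_until = None          # block expired: the IP gets another chance
        if not offense:
            return "allow"
        if o.temp_blocks > 0:               # re-offended after a block expired
            o.permanent = True
            return "permanent"
        o.hits = [t for t in o.hits if ts - t <= self.window] + [ts]
        if len(o.hits) >= self.threshold:   # burst of probes inside the window
            o.blocked_until = ts + self.temp_block
            o.temp_blocks += 1
            o.hits.clear()
            return "temp_block"
        return "allow"

    def rules(self, now: int) -> Dict[str, str]:
        """Firewall rules that should be active at time `now`."""
        out: Dict[str, str] = {}
        for ip, o in self.offenders.items():
            if o.permanent:
                out[ip] = "permanent"
            elif o.blocked_until is not None and now < o.blocked_until:
                out[ip] = f"temporary until ts={o.blocked_until}"
        return out


def process_log(log: str, bl: AdaptiveBlocklist) -> List[Tuple[str, int, str]]:
    decisions = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # ignore malformed lines rather than crash
        ip, ts = m["ip"], int(m["ts"])
        verdict = bl.observe(ip, ts, is_offense(m["path"], int(m["status"])))
        decisions.append((ip, ts, verdict))
    return decisions


def run_sample() -> Tuple[List[Tuple[str, int, str]], Dict[str, str]]:
    bl = AdaptiveBlocklist()
    return process_log(SAMPLE_LOG, bl), bl.rules(now=1000)


if __name__ == "__main__":
    decisions, rules = run_sample()
    for ip, ts, verdict in decisions:
        print(f"ts={ts:<4} {ip:<14} {verdict}")
    print("active rules:", rules)
```

Two design points worth noting. The request at ts=12 is marked "blocked" only because this example replays a log offline; once the rule is pushed to the firewall, that request never reaches the web server at all. And the thresholds (three probes in sixty seconds, a ten-minute block) are deliberately conservative so that a single mistyped URL from a legitimate visitor never produces a rule.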
Now consider the opposite route, taken by approaches that come at the problem from a place I like to call “detect and remediate.” These devices focus on generating alerts for the exploits, malware, malicious IPs and other threats as they cross your network, rather than stopping them.
This approach forces your security team to operate under one of two assumptions: (1) that you can sift through thousands of alerts to find the truly dangerous ones you need to act on, or (2) that you can pay for third-party incident response services to augment your security posture or to remediate after the fact.
Based on these examples, consider three requirements that cover what we need for the future of threat protection:
• The ability to quickly reduce the ways adversaries can compromise your organization — in effect, reducing your attack surface.
• The ability to ingest either internal or external security intelligence, and put it into practice simply within your security platform.
• The ability to automatically update your security posture based on the actual threats targeting your organization.
Taken together, these three requirements fit into a “detect and prevent” approach. What is needed in today’s threat landscape is the ability to detect all known and unknown threats, and automatically prevent them without any manual intervention.
Ideally, any solution would also go beyond the traditional approach of focusing only on the perimeter and cover the data center, mobile devices and every point of segmentation across your network. Malware doesn’t care about the walls you put at your edge, and it is not reasonable to expect teams to manage a divergent security policy for each location. Finally, you must have the ability to evaluate all traffic and threats, and to tailor that unified policy based on what is actually happening on the network.
Every industry conference I attend begins with the same platitudes about shifting the conversation. “Detect and remediate” to “detect and prevent” is a good place to start.