Taking Back the Reigns: Proactive Security Design vs. Reactive Administration

I’m probably stating the obvious, but a brief look at security reports that summarize 2014 demonstrates that attackers, again, have the upper hand. The following summary statistics* reveal a very clear picture:

• Number of successful attacks annually has increased by 144%

• The cost of data breach has increased by 96%

• Time it takes to resolve a cyber-attack has increased 221%

(*Based on internal analysis of the results from the 2011-2014 “Cost of Cyber Crime Study” reports from Ponemon Institute and HP)

The market is good at presenting statistics, but it usually does a poor job of analyzing the reasons behind these disturbing trends. Yes, we will see explanations for the trend based on new attack motivations such as hacktivism, financially motivated attacks, and government investments in cyber defense and offense – all of this is true, but given the multi-billion dollar investments in cyber security, why are attackers still so successful?

Today’s attacks evade the most advanced cyber-attack detection and prevention technologies in a matter of days, and sometimes even hours. Attackers behind well-organized advanced attack campaigns have the capability to analyze the security products’ capabilities before and during the attack, and then to modify their attack tools, create new malware, change the “route” of the attack, etc., all in a way that bypasses the defense and, eventually, achieves the attack’s goal.

Over the past few years we’ve seen many well-established security companies, as well as early-stage startups, offer innovative security solutions. These companies have tried every possible technology to automatically predict what the attacker will do next, to predict how malware will evolve into a new variant, and to identify abnormal network behavior.

We have also been hearing for years about new machine learning algorithms, various techniques to analyze big data, advanced sandbox and emulation techniques, honeypot technologies, reputation intelligence feeds, etc. – and, as said, unfortunately all of them are eventually bypassed by the persistent attacker.

The following diagram provides a high-level, simplified abstract illustration of what I call “the advanced threat problem”.

The figure below represents the current state of the security arena, in which cyber security protections can detect and prevent threat vectors in a limited area that I define as the “protection space”.

Threat Vectors vs. Protection Space

Inside this abstract protection space, which scopes the different attack vector variations, each security technology can predict a certain range of potential attack vectors with high confidence and flag them. However, when dealing with advanced persistent attack campaigns, the situation is different.

As shown in the second figure below, persistent attack campaigns include the capability to analyze the cyber protection mechanisms, measure their level of predictability (i.e., define their protection space) and then design the attack accordingly:

Security Bypass

Advanced attack campaigns are designed to bypass the protection space and, once it is bypassed, the battle is lost.

This brings me to my main point: the advanced threat problem doesn’t lie in the fact that current technologies are not good enough, as these technologies are doing well within their protection space. The problem is that when these security technologies are bypassed (and every commercial security technology can be bypassed), they cannot be “programmed” to detect and prevent the new attack behavior, the very attack that has breached their protection-space borders.

“Programmability” of security products would allow security experts to take control and fight back (see illustration below).

Programmability of Security Products Diagram

Programmability can mean many things, and it is certainly not a simple task to design a security product that is also a programmable one. The main challenge is to design a security product that is first of all a framework: one that includes a security language and allows security experts to program new types of detection and prevention functions, or to extend the capabilities of existing functions, and to do so fast.

Developing a security programming language, and a framework that compiles this language into real security processes, is far from a trivial task, but it seems to be the only step that will allow security experts to fight back. This approach would allow the defenders to be as persistent as the advanced attackers, if not more so.
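To make the “framework plus security language” idea concrete, here is an added example (not from the article or any vendor’s product) of the smallest possible version of that design: detection rules are written in a tiny, assumed rule language, compiled into Python predicate functions, and evaluated over a stream of parsed events. The rule names, the mini-language grammar and the key=value log lines are all constructed for this illustration; the point is that extending coverage after a bypass means adding a rule string, not waiting for a product update.

```python
"""Minimal 'programmable detection' framework: rules written in a small
security language are compiled into Python predicates and evaluated over
parsed events. Illustrative design only, not any vendor's product."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (timestamp followed by key=value pairs); not real logs.
SAMPLE_LOG = """\
2015-01-10T10:00:01 src=10.0.0.5 user=alice action=login result=fail
2015-01-10T10:00:02 src=10.0.0.5 user=alice action=login result=fail
2015-01-10T10:00:03 src=10.0.0.5 user=alice action=login result=fail
2015-01-10T10:00:04 src=10.0.0.5 user=alice action=login result=success
2015-01-10T10:00:05 src=10.0.0.7 user=bob action=login result=success
2015-01-10T10:00:06 src=10.0.0.7 user=bob action=download bytes=7340032
2015-01-10T10:00:07 src=10.0.0.9 user=carol action=login result=fail
"""

# The "security program": rule name -> rule text in the assumed mini-language
#   rule := cond ("and" cond)* ["count >= N within Ss by FIELD"]
#   cond := FIELD (==|!=|>|>=|<|<=|~) VALUE      ('~' is a regex match)
BASE_RULES = {
    "brute_force": "action == login and result == fail count >= 3 within 60s by src",
    "large_download": "action == download and bytes > 5000000",
}

_COND = re.compile(r"(\w+)\s*(==|!=|>=|<=|>|<|~)\s*(\S+)")
_THRESH = re.compile(r"count\s*>=\s*(\d+)\s+within\s+(\d+)s\s+by\s+(\w+)")
_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: float(a) > float(b),
    ">=": lambda a, b: float(a) >= float(b),
    "<": lambda a, b: float(a) < float(b),
    "<=": lambda a, b: float(a) <= float(b),
    "~": lambda a, b: re.search(b, a) is not None,
}


def parse_line(line):
    """'ts k=v k=v ...' -> dict, with 'ts' as epoch seconds for window math."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts).timestamp()
    return ev


def compile_rule(name, text):
    """Compile one rule into a detector: ev -> rule name or None.
    Threshold rules keep a sliding window of match times per key value."""
    thresh = _THRESH.search(text)
    conds = _COND.findall(text[: thresh.start()] if thresh else text)
    if not conds:
        raise ValueError(f"rule {name!r} has no conditions")

    def matches(ev):
        try:
            return all(f in ev and _OPS[op](ev[f], v) for f, op, v in conds)
        except ValueError:  # non-numeric field compared numerically
            return False

    if not thresh:
        return lambda ev: name if matches(ev) else None

    n, window, key = int(thresh[1]), int(thresh[2]), thresh[3]
    seen = defaultdict(deque)  # key value -> timestamps of recent matches

    def stateful(ev):
        if not matches(ev) or key not in ev:
            return None
        q = seen[ev[key]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop matches outside the window
            q.popleft()
        return name if len(q) >= n else None

    return stateful


def detect(rules, log_text):
    """Run every rule over every event; returns [(rule_name, raw_line), ...]."""
    detectors = [compile_rule(n, t) for n, t in rules.items()]
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        alerts.extend((hit, line) for hit in (d(ev) for d in detectors) if hit)
    return alerts


if __name__ == "__main__":
    for rule, line in detect(BASE_RULES, SAMPLE_LOG):
        print(f"[{rule}] {line}")
    # Extending coverage after a bypass is a new rule string, not a product release.
    extended = dict(BASE_RULES, any_failure="result == fail")
    print(len(detect(extended, SAMPLE_LOG)), "alerts with the extended rule set")
```

The engine knows nothing about brute force or large downloads; all of that lives in the rule text, which is why a defender can react to a newly observed bypass by writing a rule rather than by waiting for the vendor. A real framework would add richer operators (distinct-count, sequence, enrichment lookups) and a safer compiler, but the separation of engine from programmable logic is the part the article argues for.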

To summarize, a paradigm shift in the design of security products needs to take place. Such a shift would allow network administrators and network security experts to start designing their own security solutions, rather than merely administering existing solutions within their limited protection space.
