Priority Dilemma: Prevention vs. Response

At a recent conference I had the chance to meet with many security leaders from various companies, and in most cases the conversations continued a trend that has plagued the information security field for years. Many of these individuals were looking at one or more products and contemplating a large expenditure in the belief that it would protect them from attackers, without first having thought through who their adversary was or how they operated.

While there are a lot of great products on the market (including free open-source tools), and many claim to prevent attacks (and they will, to some degree), they won’t prevent all attacks, they will not always stop a motivated and persistent attacker, and they may not even be suited to protecting against a particular adversary’s methods. This approach is no different from an individual who self-medicates without knowing what malady is actually afflicting them: Will it help? Maybe. Will you be spending resources unnecessarily? Most likely. If you knew what the malady was, could you treat it better? Yes. Is there a magic pill that stops all ailments? No.

First, a question: how do you think some of the companies that now have very mature and successful security teams and programs got started? 9 times out of 10 it was an incident. An intrusion by skilled attackers (in some cases more than one group of attackers) had been occurring on their network, and they found out through some channel (usually an external company or a law enforcement notification) that these attackers were in their network, unbeknownst to them.

These companies typically had basic tools in place, such as firewalls and antivirus, and in many cases had deployed more sophisticated security technologies such as a SIEM, an IPS, or other “top of the line” technology that prevents attacks; however, the attackers had bypassed all of these tools and evaded detection. The security team typically did its best to respond and expel the attackers from the network, perhaps calling in experienced help, after which it set in motion a series of events both to learn from the incident and to begin the long journey of establishing a more robust and healthy security program.

Two things to note:

  1. This model introduces a needless emergency, when steps could and should have been taken ahead of time to ensure that incident response experts were available around the clock to monitor for and respond to an incident. Keep in mind that just because you expelled attackers from your network doesn’t mean they will not be back the next day through another avenue you may not be aware of. Are you confident in your detection and response capabilities to both find the next compromise and respond appropriately?
  2. All of the security technology designed to prevent attacks failed, and generally the security staff are the individuals whose job it is to maintain these tools. Individuals who are not familiar with attackers, their methodologies, incident response, malware, evidence collection, indicators, lateral movement, etc. will then be thrust into key positions with the expectation that they can solve the problem. Are these individuals versed in concepts such as Locard’s Exchange Principle and the Order of Volatility? Can they discover indications of lateral movement in volatile memory? And, while meaning well, can you ensure they won’t destroy evidence that may be vital to finding everywhere in the network your attackers may be?

Another critical element, and perhaps the most important and least understood, is that before you invest in new tools for prevention you should first understand who your adversaries are. It is surprising how many information security professionals I speak to say something along the lines of, “I don’t care who is attacking me. It’s cool, but it doesn’t help me.” Honestly, this is what I thought myself 5+ years ago.

However, having seen first hand how Intel can help you understand your adversaries and ultimately shape and drive your security roadmap, it absolutely matters. Why do you think the most mature and successful security programs in the world have dedicated Intel analysts? Their leadership has learned and understood the value they bring and is now exploiting the information they provide to maneuver their program forward. As one simple example, if your main adversaries typically seek to gain a foothold via phishing, would you prioritize spending on technologies that can help address this attack vector, or would you continue to spend your limited resources on Web Application Firewalls?

So where am I going with all of this? I’ll finish with three key takeaways:

  1. I’m not advocating that leadership should not invest in technology, or that it should wait for an incident before continuing to move a security program forward; my advice is the exact opposite: invest in Intel, Detection and Response up front (and before an incident), as opposed to an overweighted and misguided focus on tools and prevention. As an IT leader of one of the world’s largest companies once told me, “You should start with the realization that you can’t secure anything, and then work backwards from there.”
  2. You need to understand your adversaries. Knowing your adversary will allow you to plan more appropriately and focus resources where they are needed most. If you are outsourcing your security functions, ask specifically about attribution and how it is leveraged to adjust the playing field in your favor. If you hear bragging about “x millions of indicators”, run.
  3. While this post is weighted towards IR, there is still a lot of value in prevention tools, especially to weed out the noise. However, there is no silver bullet in the prevention space, and you should never have a false sense of security because you have deployed a technology. Remember, before you spend money on the next tool in your arsenal, stop and better understand your adversaries and their tactics, techniques and procedures (TTPs). Doing so will allow you to spend that money better and focus where it counts.