Defend and detect, defend is not enough
04/06/15 Category: Security
For too long we've relied on a defend-only mentality in data security. As of 2015, this is a fatal flaw, and all the data confirms it.
The data is overwhelming:
- Over 90% (97 percent, to be exact) of firms with security in place have already been breached.
- 75% of firms had active command and control communications in place from attackers.
- On average 1.6 exploits and 122 malware droppers passed through other existing security layers.
- APTs (Advanced Persistent Threats) are now a regular occurrence.
- Average time to detection is over 200 days!
The reality is that firewalls, proxies, mail appliances, endpoint AV (Anti-Virus), gateway or network AV, IDS and IPS are all failing, with failing defined as anything less than 100% effectiveness. Cloud services and providers are not immune either and do not provide an antidote; ignorance is not bliss.
The reason is simple: signatures alone are ineffective. Perimeter-based solutions alone are ineffective. Endpoint/server solutions alone are ineffective. Almost all of these are signature based, and the threats are evolving and mutating far too rapidly for signatures alone to work. Heuristics alone can't detect stealthy and patient intruders. Sandbox-type solutions, while better, still don't offer 100% protection. Most sandbox solutions alert after the fact and cannot say with certainty whether a specific destination would have been a victim or not, which in turn creates message overload and security apathy.
Even worse, encryption and cloud based solutions blind most but not all security solutions.
Lastly, a defense-based solution assumes nothing has yet breached security. This is a completely flawed assumption, and it doesn't address already entrenched command-and-control systems. Nor does it address systems that come and go from the corporate security ranch, or systems that access remote encrypted resources. Bottom line: a defense-based solution, even a robust defense-in-depth one, is doomed to fail.
We need to invest more corporate security spend on detection, specifically continuous protection and, more importantly, continuous detection solutions. They exist, and they are surprisingly effective when combined with other solutions like sandboxing. Yes, we still need DDoS protection and traditional perimeter/endpoint security, but we cannot and must not rely exclusively on them. However, investing in detection is not a justification to weaken prevention. It is still far better to prevent.
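As an added illustration of the kind of continuous detection argued for above (this is example code, not part of the original post or any product it mentions), the following looks for already-entrenched command-and-control traffic by its timing alone: an implant checking in at a nearly fixed interval stands out from human browsing even when every payload is encrypted and no signature matches. The log format (`epoch src dst port bytes`), the addresses and the thresholds are all assumptions chosen for the example.

```python
"""Beacon detection over proxy-style connection logs (added example)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed log format: "epoch_seconds src_ip dst_ip dst_port bytes"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_log(text):
    """Return {(src, dst): [timestamps]} from the assumed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, src, dst, _port, _size = m.groups()
        flows[(src, dst)].append(int(ts))
    return flows

def find_beacons(text, min_events=8, max_cv=0.15):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.
    Only timing metadata is used, so encryption of the payload does not blind it."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_events:
            continue  # too few check-ins to judge periodicity
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # coefficient of variation: jitter relative to period
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits

# Constructed sample log (not real traffic): one host beaconing every ~60 s with
# small jitter to 203.0.113.7, one user browsing 192.0.2.10 at irregular times.
_beacon = [1428300000 + 60 * i + j for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 0, 2, -1])]
_user = [1428300000 + t for t in [0, 7, 9, 140, 141, 600, 602, 610, 1900, 1903]]
SAMPLE_LOG = "\n".join(
    [f"{t} 10.0.0.5 203.0.113.7 443 512" for t in _beacon]
    + [f"{t} 10.0.0.8 192.0.2.10 443 {1000 + 37 * i}" for i, t in enumerate(_user)]
)

if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (jitter cv={cv})")
```

In practice the candidate list is a starting point for triage, not a verdict: allow-list known periodic services (update checks, monitoring agents) and tune `min_events` and `max_cv` to the observation window.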