When it comes to security, protection will fail. USB drives will be lost. Users will click on and respond to phishing messages. Malicious insiders will abuse their privileges to steal information and cause damage. Well-meaning insiders will accidentally delete data. Russia, China, organized crime and other traditional advanced persistent threats will compromise even the most sophisticated protection mechanisms. And all of that is OK.
What isn’t OK is to not expect failure and not plan for it by implementing adequate detection capabilities. Networks will be breached. There is no practical way to avoid that. But breaches are damaging only when they go undetected for extended periods of time.
All industries expect failure in their protection mechanisms and calculate that into their business model. Credit card fraud is calculated into interest rates, and companies have departments devoted to dealing with the expected incidents. Retailers plan for shoplifting, calculate that into their margins and incorporate it into their accounting practices. Restaurants accommodate wasted food in their pricing. They accept failure of protection as a cost of doing business and plan for it by accounting for the loss while implementing the appropriate detection and reaction capabilities.
For some reason, though, the computer security world looks at failure of protection as unacceptable. But the truth is that security doesn’t fail until the adversaries have achieved their goals.
As we argue in our upcoming book, Advanced Persistent Security, security is a triad: protection, detection and reaction. While that is a military concept — an application of defensive information warfare principles, now more commonly referred to as cyber network defense (CND) — it applies to all civilian and commercial security programs as well. It is a fundamental acknowledgment that security is more than stopping bad people from getting in and preventing insiders from causing damage.
Let’s say that North Korea decides to get into Sony’s systems. Is it reasonable for Sony to assume that a state that devotes considerable resources to cyber offense would not find some way into such a vast network? The breach is acceptable — nearly inevitable, in fact. What is not acceptable is to fail to detect the exfiltration of movies, emails, sensitive data files and more. Similarly, once China set its sights on the U.S. Office of Personnel Management (OPM) systems, infiltration was pretty much assured. But it is not acceptable for the undetected attackers to be allowed to dwell on the network for more than a year while exfiltrating 21 million records.
All too often, detection is an afterthought. A lot of planning and money go toward hardening protections, and then an intrusion detection system or a security information and event management (SIEM) system is tacked on. It’s not enough. Detection strategy and architecture have to be the equal of protection strategy and architecture.
If most organizations were already treating protection and detection equally, attackers would not be spending an average of 200 days inside target systems or networks before being detected. More than six months is plenty of time for adversaries to fully achieve their goals, plus explore, define new goals and find new targets.
Don’t misunderstand. As essential as detection is, it is not necessarily a fail-safe. But the sooner a breach is detected, the sooner you can mount a defense and stop adversaries from achieving their goal, or at least minimize the damage. And even if there is damage, at least you will have insight into what happened. You’ll be in a better position to deal with fallout from the current breach and to combat the next inevitable breach.
Any knowledge you can gain is to your advantage. Consider the Hillary Clinton campaign. In the wake of the hacking of the Democratic National Committee and various DNC leaders, the campaign would really like to know what exactly was stolen. If it knew what potentially damaging information was pending release, it could prepare a response.
And by the way, detection can help out in cases that don’t involve malicious adversaries. We know about a vendor employee who submitted a formal proposal by pressing “Reply All” to a message from the customer — with all of the vendor’s competitors copied. With good detection architecture, the vendor would have known about that misstep early on, giving it an opportunity to modify its proposal before the deadline.
Admittedly, when an adversary compromises protection, the required response diverts resources and represents a loss in itself. However, that is a completely different scope of loss than having to deal with an adversary that accomplishes its goal and inflicts purposeful damage. Turning back an adversary after a breach can only be done when there is an effective detection program in place, which then kicks off the last part of the triad: an effective reaction program.