New Model Emerges for Information Security Operations

March 14, 2014 / Jeffrey Guy

There is a common, defeatist theme in many information security shops today: “the attacker has the advantage.”

This is nonsense.

The attacker has the advantage up until the moment of compromise. He chooses the time, place and shape of the attack. However, once his code is running inside your network, the advantage shifts. He is in your house, on your terrain, and has to operate within your constraints. The only reason he had the advantage previously is because you gave it to him.

The model for information security operations is rapidly changing. New guidance and technologies are emerging to shift this balance of power dramatically from attacker to security professional.

Our Industry Today
Information security programs have traditionally focused on preventing compromise of systems. The increasing volume of targeted attacks repeatedly demonstrates the inevitability of compromise, painfully exposing the immaturity of our industry’s detection and response capabilities. Attackers compromise organizations in seconds and remain undetected for months; remediation takes weeks and costs an average of $341K in forensics costs alone.

This is unsustainable.

The ineffectiveness of signature-based antivirus and the expense of incident response are well known to industry veterans, but there have been few enterprise-class alternatives. More importantly, the “best practices” security program guidance from NIST, ISACA and ISSA does not recognize the inevitability of compromise. The result? A CISO has neither enterprise-class products nor generally accepted best practice guidance on how to deal with that inevitability.

There is good news, however: both guidance and supporting technology are emerging.

We describe an operational lifecycle of prevention, detection and response as an integrated, continuous process. Following the recent merger of Bit9 and Carbon Black, our products offer exactly that.

Bit9 + Carbon Black supports prevention, detection and response as a single, integrated and continuous process.

Gartner describes an “Adaptive Security Architecture” of prediction, prevention, detection and response as a continuous, integrated process. NIST’s new Cybersecurity Framework for Critical Infrastructure Protection describes identification, protection, detection, response and recovery as “the five key cybersecurity activities at their highest level.”

The terminology is changing, but the underlying message is the same: The emerging model shifts information security from a static deployment of signature-based antivirus to an operational model with detection and response as a continuous process.

It’s a brave new world.

How does this new model differ? Let’s look at the three core activities individually.

Enterprises are complicated. We have thousands of desktops, laptops, servers and other devices attached to the network, each with a different required security posture. Your developers will require very flexible preventions, your executives need flexible but conservative preventions and your core servers require very tight prevention controls.

Despite this wide spectrum of required security postures, we have only one endpoint security solution: signature-based antivirus and its one-size-fits-all solution. AV not only forces you to deploy the same solution to all of your endpoints, regardless of the required security posture, it also requires you to use the same signature database as everyone else.

Emerging prevention must:
1) Not be dependent on signatures
2) Enable you to tailor the prevention to suit your needs
3) Enable local adjustments to the security policy

What form should this new, signature-less, tailored prevention take? At Bit9 + Carbon Black, we believe a default-deny policy for all code execution provides the best possible prevention.

Consider history: When we first started deploying firewalls at our network perimeters in the early to mid-90s, we did it to block known-bad IPs, ports and protocols. We rapidly discovered that blocking known-bad IPs evolved into a game of Whac-A-Mole, with attackers moving faster than defenders. As a result, the generally accepted best practice for firewalls became a policy of default-deny: only allow the communications administrators specifically permit.

Compare this to our experience on the endpoint today: We are currently playing the same Whac-A-Mole game with attackers, but we have not yet recognized the lessons of history and implemented default-deny policies. When pressed, most organizations say “it’s too hard,” but we said the same about network security 20 years ago.
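To make the contrast concrete, here is an added example (not code from the original post or from Bit9 + Carbon Black) that evaluates constructed execution events against a signature-style blocklist and against a tiered default-deny policy, where servers trust only vetted hashes, executives and developers also trust a named publisher, and developers may locally approve their own build output. All hashes, paths and the publisher name are constructed placeholders.

```python
"""Added example: tiered default-deny execution policy vs. a signature blocklist."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ExecEvent:
    host_group: str   # "server", "executive" or "developer" (constructed tiers)
    path: str
    sha256: str       # constructed placeholder hashes, not real indicators
    publisher: str    # code-signing publisher, "" if unsigned

# Signature-style blocklist: only what the vendor has already seen.
KNOWN_BAD = {"sha256:badbad01"}

# Default-deny policy, tailored per host group (the "required security posture").
APPROVED_HASHES = {"sha256:ffffee01", "sha256:ffffee02"}     # IT-vetted builds
TRUSTED_PUBLISHERS = {"Example Corp IT"}                      # constructed name
LOCAL_APPROVALS = {"developer": {"/home/dev/build/out/app"}}  # local adjustments

def blocklist_decision(ev: ExecEvent) -> str:
    """Default-allow: the file runs unless a known signature matches."""
    return "block" if ev.sha256 in KNOWN_BAD else "allow"

def default_deny_decision(ev: ExecEvent) -> str:
    """Default-deny: the file runs only if an approval rule for its tier matches."""
    if ev.sha256 in APPROVED_HASHES:                      # all tiers trust vetted hashes
        return "allow"
    if ev.host_group in ("executive", "developer") and ev.publisher in TRUSTED_PUBLISHERS:
        return "allow"                                    # flexible tiers trust the publisher
    if ev.path in LOCAL_APPROVALS.get(ev.host_group, set()):
        return "allow"                                    # developer's own local approval
    return "block"                                        # servers: hash-only; else denied

def compare(events):
    """Return {path: (blocklist verdict, default-deny verdict)} for each event."""
    return {ev.path: (blocklist_decision(ev), default_deny_decision(ev)) for ev in events}

# Constructed events: a vetted tool, an unvetted signed tool on two tiers, a local
# dev build, and an unknown unsigned dropper no vendor has a signature for yet.
SAMPLE_EVENTS = [
    ExecEvent("server", "/usr/local/bin/backup", "sha256:ffffee01", "Example Corp IT"),
    ExecEvent("server", "/usr/local/bin/newtool", "sha256:aaaa0001", "Example Corp IT"),
    ExecEvent("executive", "C:/Tools/newtool.exe", "sha256:aaaa0001", "Example Corp IT"),
    ExecEvent("developer", "/home/dev/build/out/app", "sha256:1234abcd", ""),
    ExecEvent("executive", "C:/Users/ceo/AppData/Local/Temp/inv.exe", "sha256:c0ffee99", ""),
]

if __name__ == "__main__":
    for path, (bl, dd) in compare(SAMPLE_EVENTS).items():
        print(f"{path:48} blocklist={bl:5} default-deny={dd}")
```

The unknown dropper passes the blocklist but is denied on every tier, while the server tier also denies the signed-but-unvetted tool that the more flexible tiers permit.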

Traditional endpoint detection relies on the same signature database used to prevent attacks. Its efficacy is limited to the capabilities of the vendor you’ve deployed at the moment of compromise. If your vendor’s signature database is out of date, your detection is defeated.

It’s past time for the cloud to be applied to detection. There is an entire sub-industry that provides threat data to enterprises, but consuming that data has been, until now, incredibly challenging in most enterprises. The efficacy of your detection should not be limited to the opinion of a single vendor, but instead the consensus opinion of the entire threat-data industry.

Most mature enterprises implement an incident response plan, such as NIST 800-61. However, every single incident response plan’s recommendations to prepare for a breach are limited to administrative measures: roles, responsibilities, communication plans, etc. The only technical recommendations are to have a forensic imaging kit packed and ready to go.

Traditional incident response consultants rely heavily on memory and disk artifacts to reconstruct the attack timeline. They do not use these artifacts because they are the best source; they use them because they are the lowest common denominator and available on every engagement.

If you recognize the inevitability of compromise and want to prepare for incident response, why limit preparations to administrative measures and accept the lowest common denominator of technical resources?

Bit9 + Carbon Black’s always-on sensor acts as a surveillance camera for your computer. It records the key indicators incident responders need, and enables everyone on your staff—even the intern—to complete incident response in seconds.

I encourage you to adopt this new, emerging model for information security, whether you choose Bit9 + Carbon Black or not. Push beyond static antivirus and demand products that recognize information security is a continuous process.

TAGS: bit9 / Carbon Black / detection / Gartner / info security / JJ Guy / Prevention / Response / Security Model