A few years ago, the cybersecurity industry adopted a new mindset that went something like this:
- Cybersecurity controls are not very effective.
- Therefore, sophisticated cyber-adversaries can easily circumvent them, compromise networks, and execute data breaches.
- Hence, trying to prevent attacks is essentially a fool’s errand, so organizations should concentrate on incident detection and response.
This line of reasoning was supported by an overly simplistic axiom that spread like wildfire in the industry: "There are two types of organizations. Those that have been breached and those that have been breached and don’t know it."
Now, I admit there was and still is some truth to these assumptions. Lots of security technology staples were porous in the past as they were designed to address known rather than zero-day threats. Furthermore, networks tended to be relatively flat and wide open for attack.
With these shortcomings, many organizations shifted spending and focus to new technologies designed for threat detection like malware sandboxes, UEBA, EDR, network security analytics, etc. So, what happened? Firms were soon overwhelmed by disconnected technologies, mountains of new security data, and a cacophony of security alerts. Alas, many organizations realized then that they had neither the staff nor the skills to fully utilize this threat detection technology. Oh, and the pervasive cybersecurity skills shortage probably means that this situation won’t change anytime soon.
To me, there are two problems here: 1) Security controls are ineffective so an inordinate amount of bad stuff gets into the network, and 2) Threat detection is too noisy and complex.
Fortunately, there may be a change in the air. Cybersecurity technology vendors are introducing a wave of technologies for what I call advanced threat prevention. These tools do a much better job of blocking exploits, attack vectors, and malware while greatly reducing the attack surface. This in turn has the derivative effect of decreasing threat detection noise and complexity.
As these technologies arrive and mature, leading organizations will make 2018 a year of advanced threat prevention by deploying technologies such as:
- Next-generation endpoint security software. The big technology advances here were the addition of real-time analytics and machine learning algorithms for malware detection/blocking. These innovations translate to much higher efficacy for detecting/blocking all types of threats. Cylance really disrupted the endpoint security market with machine learning a few years ago. Since then, others like CrowdStrike, McAfee, Sophos (Invincea), Symantec, and Trend Micro have introduced similar functionality. CISOs will move rapidly in this direction next year.
- Threat intelligence gateways. I’ve seen a consistent effort to operationalize threat intelligence over the past few years but this can be hard work. Threat intelligence gateways (i.e., Centripetal Networks, Ixia, LookingGlass Networks, etc.) have the potential to transform this labor-intensive practice by scoring threats and then blocking volumes of them at the network perimeter. Why not do this with tried-and-true network firewalls? Because they are incapable of tracking/blocking the volumes of threats that purpose-built threat intelligence gateways can.
- Secure DNS. Closely related to threat gateways, secure DNS services are designed to track and block malicious domains, zones, and associated IP addresses without any effort on the user’s part. OpenDNS is the big kahuna here but others including Comodo, Infoblox, and Neustar offer similar services. Note that there are many free secure DNS service offerings including the recently announced Quad9 from IBM and others.
- Micro-segmentation. Technologies like Cisco ACI and VMware NSX took the concepts of firewalling, ACLs, and network segmentation and married them to the simplicity of software-based policy management and enforcement. Others (Illumio, vArmour, Shield-X, etc.) offer similar multi-platform functionality. CISOs will use these technologies more ubiquitously and beyond the data center in 2018 to greatly reducing the overall attack surface.
- Intelligent application controls. I’m thinking here about tools that profile applications, determine a baseline of normal activity, and then either alert when things go haywire or block activities that appear to represent anomalous/suspicious behavior. Edgewise, VMware AppDefense, and ThreatStack come to mind here.
While there’s really no such thing as, "set-it-and-forget-it" security technology, these tools don’t require as much constant care and feeding as legacy security controls or monitoring or analytics systems. This means that CISOs won’t need an army of staffers, months of deployment/customization, and weeks of staff training to benefit from these investments.
Remember the old joke about the two guys who try to outrun a bear. The first guy says that it’s useless as bears are much faster than people. The second one responds, “I don’t have to outrun the bear, I just have to outrun you.” In cybersecurity, cyber-criminals, hacktivists, and state-sponsored cyber-adversaries are the bears. Advanced threat prevention isn’t a panacea, but smart CISOs will use them to stay ahead of other organizations that rely on elementary security controls and maintain appetizing and wide-open attack surfaces.