There has always been a dichotomy between incident prevention and incident detection/response. Prevention centers around a potpourri of security controls designed to block bad things from happening. Firewall rules, IDS/IPS, and endpoint AV software fit in this category. Alternatively, CISOs must prepare for the worst and assume that cyber adversaries will circumvent their castles, gates, and moats. This means that large organizations also need processes and tools to detect and respond to anomalous/suspicious activities.
In the past, security professionals tended to focus most of their efforts on the prevention side of the street. In 2012, ESG research found that a typical enterprise organization spends about 67% of its resources on prevention and the remaining one-third on detection/response.
Given the wave of targeted attacks that began with Google/Aurora, it seems that our existing incident prevention controls aren’t working very well. This has caused some in the industry to declare that incident prevention is essentially “dead” (author’s note: Personally, I hate this old analyst “go-to” trick. Declare something as “dead,” stir up passion and industry debate, get into point/counterpoint discussions, etc. Very cliché). These folks say it’s time to move on from incident prevention and invest heavily in detection/response instead.
So where do I stand on this emotional issue? I agree and disagree. To be more succinct, I agree that it’s time to push on incident detection/response skills development and technology investment. That said, I’m not ready to throw the incident prevention baby out with the bath water just yet. In fact, I suggest the opposite approach. Rather than divesting incident prevention resources, I think we need to move on to a new approach that ESG calls “advanced prevention” defined as follows:
An incident prevention strategy composed of security policies, processes, and automated controls designed for blocking threats targeted at specific organizations, individuals, and industries.
To be clear, advanced prevention isn’t really something new or unique. We will still use the same basic policies, processes, and controls we always use. So what’s new? Well, security controls are often implemented in a very generic fashion based upon standards like ISO 27000, NIST-800, or the SANS top 20. Advanced prevention builds upon these tried-and-true standards with customized tweaks designed to block targeted attacks.
Why move in this direction? Rather than answer this directly, I strongly urge readers to take a look at the 2014 Verizon Data Breach Investigation Report (page 15, figure 19, frequency of incident classification patterns per victim industry). This chart is an industry-by-industry warning sign: the bad guys use very different attack patterns against different industries and organizations. If you are the CISO of a hotel chain, you need to be on full alert for POS intrusions. If you are a security manager of a bank or IT vendor, watch out for web application attacks. Health care security bosses should be on guard for loss or theft of sensitive data. This one chart should be on every CISO's desktop.
In summary, “advanced prevention” is simply doubling down on prevention controls customized for the threat landscape based upon an organization’s size, location, and industry. So regional banks should be focused on web application and “inside-out” application security controls from vendors like Imperva, RiskIQ, and Veracode. Retailers should look at application controls from Bit9 or Palo Alto Networks, endpoint firewalls, network segmentation, and endpoint forensics from Guidance Software, RSA, and Tanium. Health care should invest in enterprise encryption from Vormetric or DLP from firms like Verdasys.
Two other quick points:
- Advanced prevention depends upon extremely accurate and timely industry-specific threat intelligence from vendors like BitSight, Norse, and Vorstack.
- Advanced prevention will work best if it is based upon automation. When real-time security intelligence discovers a new industry threat, it immediately triggers automated adjustments to security controls like firewall rules, IDS signatures, application controls, etc. Think “self-defending networks” à la Cisco.
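The two points above (industry-specific intelligence feeding automated control changes) are easier to reason about with a concrete pipeline in front of you. The following is an added example, not code from the post or from any vendor named in it: a constructed, industry-tagged indicator feed is filtered against an organization's profile and rendered into firewall and IDS rule text. The feed schema, `ORG_PROFILE`, `NEVER_BLOCK`, and the choice of iptables and Suricata as the controls being adjusted are all assumptions made for the example.

```python
"""Threat-intel-driven "advanced prevention": turn an industry-tagged indicator
feed into concrete control changes (firewall drops plus IDS alerts).

Constructed example for illustration; the feed schema, the organization
profile and the rule formats are assumptions, not any vendor's API.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample feed using documentation IP ranges only. Hypothetical schema:
# each record carries the victim industries it was seen against, a confidence
# score, an expiry, and a free-text description.
FEED_JSON = """[
 {"indicator": "203.0.113.7", "industries": ["retail"], "confidence": 90,
  "expires": "2030-01-01T00:00:00Z", "desc": "POS malware C2"},
 {"indicator": "203.0.113.7", "industries": ["retail", "hospitality"], "confidence": 75,
  "expires": "2030-01-01T00:00:00Z", "desc": "POS malware C2 (second source)"},
 {"indicator": "198.51.100.0/24", "industries": ["any"], "confidence": 80,
  "expires": "2030-01-01T00:00:00Z", "desc": "scanning infrastructure; multi-industry"},
 {"indicator": "192.0.2.9", "industries": ["finance"], "confidence": 95,
  "expires": "2030-01-01T00:00:00Z", "desc": "web app credential stuffing"},
 {"indicator": "192.0.2.10", "industries": ["retail"], "confidence": 40,
  "expires": "2030-01-01T00:00:00Z", "desc": "low-confidence sighting"},
 {"indicator": "192.0.2.11", "industries": ["retail"], "confidence": 99,
  "expires": "2000-01-01T00:00:00Z", "desc": "stale indicator"},
 {"indicator": "10.0.0.5", "industries": ["retail"], "confidence": 99,
  "expires": "2030-01-01T00:00:00Z", "desc": "our own store LAN, must never be blocked"},
 {"indicator": "not-an-ip", "industries": ["retail"], "confidence": 99,
  "expires": "2030-01-01T00:00:00Z", "desc": "malformed record"}
]"""

# Assumed profile of the organization consuming the feed (a retailer here).
ORG_PROFILE = {"industry": "retail", "min_confidence": 70}

# Networks the automation must never block, whatever a feed says (constructed).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]


def select_indicators(feed_text, profile, now=None):
    """Pick the feed records relevant to this organization's threat landscape.

    Returns a dict keyed by network string; duplicate networks keep the
    highest confidence seen. Each skip below is a guardrail that keeps the
    automation from turning bad feed data into a self-inflicted outage.
    """
    now = now or datetime.now(timezone.utc)
    chosen = {}
    for rec in json.loads(feed_text):
        tags = set(rec.get("industries", []))
        if "any" not in tags and profile["industry"] not in tags:
            continue  # aimed at another industry, not part of our landscape
        if rec.get("confidence", 0) < profile["min_confidence"]:
            continue  # too weak to justify a blocking control
        expires = datetime.fromisoformat(rec["expires"].replace("Z", "+00:00"))
        if expires <= now:
            continue  # stale: rules must age out rather than pile up
        try:
            net = ipaddress.ip_network(rec["indicator"], strict=False)
        except ValueError:
            continue  # malformed data never becomes a rule
        if any(net.overlaps(safe) for safe in NEVER_BLOCK):
            continue  # never block our own address space
        key = str(net)
        if key not in chosen or rec["confidence"] > chosen[key]["confidence"]:
            chosen[key] = {"confidence": rec["confidence"], "desc": rec.get("desc", "")}
    return chosen


def _safe_text(text, limit=60):
    """Strip characters that could break rule syntax (quotes, semicolons, etc.)."""
    return re.sub(r"[^A-Za-z0-9 _.-]", " ", text)[:limit].strip()


def firewall_rules(chosen):
    """Render one iptables DROP rule per selected network (assumed control)."""
    return [
        f'iptables -I INPUT -s {net} -m comment --comment "TI: {_safe_text(meta["desc"])}" -j DROP'
        for net, meta in sorted(chosen.items())
    ]


def ids_rules(chosen, profile, base_sid=9000000):
    """Render Suricata alert rules so traffic to these indicators is also visible."""
    rules = []
    for i, (net, meta) in enumerate(sorted(chosen.items())):
        rules.append(
            f'alert ip {net} any -> $HOME_NET any (msg:"TI {profile["industry"]}: '
            f'{_safe_text(meta["desc"])}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    picked = select_indicators(FEED_JSON, ORG_PROFILE)
    print("\n".join(firewall_rules(picked) + ids_rules(picked, ORG_PROFILE)))
```

With the constructed feed, only the retail-tagged C2 host and the cross-industry scanning range survive the filters; the finance-only, low-confidence, expired, internal and malformed records are dropped. The confidence threshold, expiry check, safelist and text sanitization are the parts worth keeping when wiring a real feed to real controls: the more automatic the response, the more the feed itself becomes an input an adversary can try to poison.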