Partner Perspectives  Connecting marketers to our tech communities.
3/4/2016
08:00 AM
Michael Sentonas
Michael Sentonas
Partner Perspectives
50%
50%

Protection Is Necessary, But Not Sufficient

It's time to move the conversation beyond malware and point defenses and onto dealing with breaches in their entirety.

Not much protection in life is guaranteed 100% effective. Airports and airlines around the world have introduced a range of preventative protection measures, from the airport entrance to the perimeter, from passenger screening to baggage X-rays. But they do not rely on these alone, also employing extensive training and planning so that they can detect and respond quickly if something goes wrong.

In digital security, I have heard many times that companies need to move from detection to prevention, that they need to stop all threats rather than detect and respond. Unfortunately, the only way to prevent all threats is to completely isolate each of your systems from any type of interaction with another. If you need communications and data exchanges to operate your business, then you need a breach detection strategy.

Is prevention better than detection? Of course; if you can stop attackers before they get into your systems you should, and preventative devices are an important component of any security strategy. The debate is not prevention or detection; it is whether adding the latest prevention widget is sufficient.

Central to this debate is your security strategy: malware defense or breach defense? Defending against malware is necessary, but not sufficient. Since all security threats are not similar, and all breaches are not equal, no amount of next-generation defense widgets is going to stop every threat. And if something does get through, you need the ability to quickly detect and contain the attack.

On The Offensive

Let’s look at some examples. Many security defenses use anti-malware devices that leverage a variety of techniques, including signature detection, heuristics, reputation models, sandboxing, what everyone now calls math, and various proprietary algorithms. While these techniques are all generally effective, they will miss some threats such as attacks that leverage stolen credentials, misconfigurations, unpatched vulnerabilities, unknown attack types, and rogue insiders. Your cybersecurity strategy, just like a physical security strategy, cannot play only defense. You must also have the tools and plans to deal with a breach.

Detection plays a much larger role in reducing your exposure than just an additional malware scanner. A complete detection strategy looks at breaches as an end-to-end issue. With malware likely already in your organization, industry analysts agree that the lion share of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020. Detection is vital to reduce your time to detect and recover from a breach.  

Instead of simply looking for malware signatures, detection tools monitor data access and movement, looking for unlikely activity and suspicious correlations. They also provide critical actionable and forensic information when something gets through, as well as information on who was affected by it, what data is at risk, and how to contain it. Without this detection capability, it is like having a car mechanic or doctor tell you that something is wrong, but leaving it to you to identify and implement a fix or cure.

The cybersecurity industry has spent a lot of energy arguing about best-of-breed, signature versus algorithmic malware defenses, and whose sandbox is the most difficult to evade. However, cyberattacks have reached the point where, like with castles and gunpowder, a sophisticated attack can win against a purely defensive position. So it is time to move the conversation beyond malware and point defenses and onto dealing with breaches in their entirety. This requires us to evolve as an industry. We need to focus on greater intelligence sharing, communicating and collaborating across multivendor systems, and focusing on the whole problem -- protecting data and digital assets, detecting vulnerable devices and abnormal behavior patterns, and rapidly containing breaches. Anything less leaves you too exposed. 

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I agree with you! 
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.