Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

11/14/2014
01:00 PM
Brian Foster
Brian Foster
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Rethinking Security With A System Of 'Checks & Balances'

For too long, enterprises have given power to one branch of security governance -- prevention -- at the expense of the other two: detection and response.

Now that the midterm election season is over in the US, I've been thinking about how security teams could benefit from their own checks-and-balances model. For more than two centuries, this approach has worked successfully in government. Why not use checks and balances to ensure that all the pieces of a security program work in concert to improve a company's overall defense posture.

Within the US government, the system of checks and balances ensures that no single branch -- legislative, executive, or judicial -- can assume too much power, while keeping each branch accountable to the others.

Security programs also consist of three branches. Prevention pertains to stopping threats from entering the network. Detection is about finding hidden threats that make it past preventive controls. Response involves containing damage following a breach and putting in place mitigation controls to prevent a similar breach from occurring.

Historically, enterprises have dedicated the majority of resources to prevention, giving this one branch of security power at the expense of the other two. Unfortunately, that power has not translated into better security. Preventive controls do fail and, as zero-day threats are proving with increasing regularity, it is vital that enterprises consider all three branches of their security program for a holistic approach to threat defense.

That's where a system of checks and balances comes in. It would require enterprises to rethink their approach to security. Traditionally, we think about prevention, detection, and response as a vertical stack. We have to start thinking about the security stack horizontally and bi-directionally. In this case, each control continually feeds and improves the others.

Inside the network
Let's assume that a device inside the network downloads a piece of unknown malware that has gotten past preventive controls. Through network monitoring and analysis (detection), you can determine that the malware is malicious. However, you don't know whether the device is infected.

With the proper visibility into the device, you can determine whether the specific file has been executed. If so, you can obtain the history of the infection. This information can be handed off to the response team to enable rapid containment and mitigation.

Outside the network
Now assume a device outside the network becomes infected. When that device connects to the network, it brings with it a zero-day infection. A threat actor outside the network is controlling the device inside the network. Network monitoring exposes the malicious behavior and command-and-control activity. The malicious file is not detected, but the overwhelming evidence points to infection.

Once again, with the proper visibility into the endpoint, you can gather further information. You can examine the infection processes and determine which executable they came from and the original download that caused the infection. The team can have all this information to respond effectively and efficiently to the infection.

In both of these scenarios, the preventive controls fail, as they so often do. However, the continuous exchange of information across the security stack helps ensure rapid detection and an efficient response. Just as no form of government is perfect, no security program will ever be 100% breachproof. But approaching security holistically, with the proper checks and balances in place, can help strengthen the entire program -- and with measurable results.

Want to find out how the security industry can Turn The Tables on Attackers? Read a new Dark Reading blog from Amit Yoran, RSA's new president.

Brian Foster brings more than 25 years of successful product management and development experience to Damballa. Recently, he was SVP of product management for consumer security at McAfee, where he directed the strategy and development of consumer and mobile security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
11/20/2014 | 10:01:47 AM
Re: Prevention is ideal but detection is a must!
@andregironda

The comments referred to were not arguments, they were statements stressing the need for what you call the "fusion center". They were a reiteration of the fact that all facets need to be acknowledged not just one and the loop needs to be constant and refined on a regular basis.
BrianFoster
50%
50%
BrianFoster,
User Rank: Author
11/18/2014 | 4:52:46 PM
It's all about the feedback loop
Andre Gironda is spot on (see his comment below). It's not enough to just implement prevention, detection and response in silos. In order to truly get ahead of these threats, and stop feeling like you're on a hamster wheel, you must share intelligence in a feedback loop across these technologies, so you don't continue to leave the same vulnerabilities open. We'll try to go even more in-depth on some of these examples in future posts. 
andregironda
50%
50%
andregironda,
User Rank: Strategist
11/18/2014 | 4:06:10 PM
Re: Prevention is ideal but detection is a must!
Prevention is not ideal and detection, like prevention are, of course, must-haves.

I don't understand the arguments in the comments. What the author was trying to convey is that we need feedback loops between the protect, detect, and respond capabilities of a cyber risk program. I call this the "fusion center".
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
11/18/2014 | 3:34:00 PM
Re: Prevention is ideal but detection is a must!
I agree that detection is a must. At the same time, incident response is also critical. The malware responsible for the Target breach WAS detected early on. Unfortunately, their incident response strategy failed, and they got breached. End of story.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
11/18/2014 | 1:59:44 PM
Re: Prevention is ideal but detection is a must!
Good analogy. I think a layered approach is definitely a powerful security approach. It also may be a good idea to keep these layers inconsistent. By this I mean the mechanisms that are used between Prevention, Detection, and Remediation in correlation to IDS/IPS, Firewall, Anti-virus, and baseline cannot have similar mechanisms for deterrence. An article was done on Dark Reading earlier this year from Blackhat states that a consistency would make the layers easier to compromise. If one layer was compromised, another layer with similar mechanisms would also be in danger. It sounds counter intuitive but a layered-consistent approach riddled with inconsistency is best.

Consistency of Process

Inconsistency of Mechanisms
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
11/17/2014 | 1:50:36 PM
Re: Prevention is ideal but detection is a must!
In today's security landscape I see prevention, detection, and response being treated as a layered filtering approach. Think of prevention like a piece of fine screen door, it will prevent the majority of bugs that attempt to get through. However, this layer has a problem in that it is only able to block those bugs that it is aware of, if a bug is small enough it can slip through undetected. This is where detection comes into play, monitoring everything inside the house for anything out of the normal. Why is Uncle Henry sneezing? We should take a look at that. Finally, you get to response which is after realizing Uncle Henry has a cold, you have to get him well and find and fix the hole in the screen door that let the bug inside in the first place.


Or Henry could have brought the bug in with him....
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
11/17/2014 | 7:26:31 AM
Prevention is ideal but detection is a must!
As the saying above goes, it is mission critical to ensure that if anything has infiltrated your network that you have the ability to detect and mitigate the risk. Prevention is just one piece of the puzzle as stated in the article and definitely has failed in the past due to a myriad of reasons. Same with the other two pieces but our faith in prevention has clouded us in some ways to the fact that its probably one of the less crucial of the branches. Prevention is ideal for any network however I believe that this ideal notion is riddled with inconsistency. Most if not all networks have been infiltrated in one way or another I believe. Whether this has been detrimental or not to this point is irrelevant, its our job to ensure that we are able to find these threats and eliminate them quickly and efficiently. For that we need to place more weight on the other two branches just as this article denotes. Tools such as IDS, anti-virus, and baseline analyzers can help in this regard. Other thoughts on how to put more emphasis on the other two branches.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36289
PUBLISHED: 2021-05-12
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and fro...
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...