Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

01:00 PM
Brian Foster
Brian Foster
Connect Directly
E-Mail vvv

Rethinking Security With A System Of 'Checks & Balances'

For too long, enterprises have given power to one branch of security governance -- prevention -- at the expense of the other two: detection and response.

Now that the midterm election season is over in the US, I've been thinking about how security teams could benefit from their own checks-and-balances model. For more than two centuries, this approach has worked successfully in government. Why not use checks and balances to ensure that all the pieces of a security program work in concert to improve a company's overall defense posture.

Within the US government, the system of checks and balances ensures that no single branch -- legislative, executive, or judicial -- can assume too much power, while keeping each branch accountable to the others.

Security programs also consist of three branches. Prevention pertains to stopping threats from entering the network. Detection is about finding hidden threats that make it past preventive controls. Response involves containing damage following a breach and putting in place mitigation controls to prevent a similar breach from occurring.

Historically, enterprises have dedicated the majority of resources to prevention, giving this one branch of security power at the expense of the other two. Unfortunately, that power has not translated into better security. Preventive controls do fail and, as zero-day threats are proving with increasing regularity, it is vital that enterprises consider all three branches of their security program for a holistic approach to threat defense.

That's where a system of checks and balances comes in. It would require enterprises to rethink their approach to security. Traditionally, we think about prevention, detection, and response as a vertical stack. We have to start thinking about the security stack horizontally and bi-directionally. In this case, each control continually feeds and improves the others.

Inside the network
Let's assume that a device inside the network downloads a piece of unknown malware that has gotten past preventive controls. Through network monitoring and analysis (detection), you can determine that the malware is malicious. However, you don't know whether the device is infected.

With the proper visibility into the device, you can determine whether the specific file has been executed. If so, you can obtain the history of the infection. This information can be handed off to the response team to enable rapid containment and mitigation.

Outside the network
Now assume a device outside the network becomes infected. When that device connects to the network, it brings with it a zero-day infection. A threat actor outside the network is controlling the device inside the network. Network monitoring exposes the malicious behavior and command-and-control activity. The malicious file is not detected, but the overwhelming evidence points to infection.

Once again, with the proper visibility into the endpoint, you can gather further information. You can examine the infection processes and determine which executable they came from and the original download that caused the infection. The team can have all this information to respond effectively and efficiently to the infection.

In both of these scenarios, the preventive controls fail, as they so often do. However, the continuous exchange of information across the security stack helps ensure rapid detection and an efficient response. Just as no form of government is perfect, no security program will ever be 100% breachproof. But approaching security holistically, with the proper checks and balances in place, can help strengthen the entire program -- and with measurable results.

Want to find out how the security industry can Turn The Tables on Attackers? Read a new Dark Reading blog from Amit Yoran, RSA's new president.

Brian Foster brings more than 25 years of successful product management and development experience to Damballa. Recently, he was SVP of product management for consumer security at McAfee, where he directed the strategy and development of consumer and mobile security ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/20/2014 | 10:01:47 AM
Re: Prevention is ideal but detection is a must!

The comments referred to were not arguments, they were statements stressing the need for what you call the "fusion center". They were a reiteration of the fact that all facets need to be acknowledged not just one and the loop needs to be constant and refined on a regular basis.
User Rank: Author
11/18/2014 | 4:52:46 PM
It's all about the feedback loop
Andre Gironda is spot on (see his comment below). It's not enough to just implement prevention, detection and response in silos. In order to truly get ahead of these threats, and stop feeling like you're on a hamster wheel, you must share intelligence in a feedback loop across these technologies, so you don't continue to leave the same vulnerabilities open. We'll try to go even more in-depth on some of these examples in future posts. 
User Rank: Strategist
11/18/2014 | 4:06:10 PM
Re: Prevention is ideal but detection is a must!
Prevention is not ideal and detection, like prevention are, of course, must-haves.

I don't understand the arguments in the comments. What the author was trying to convey is that we need feedback loops between the protect, detect, and respond capabilities of a cyber risk program. I call this the "fusion center".
User Rank: Ninja
11/18/2014 | 3:34:00 PM
Re: Prevention is ideal but detection is a must!
I agree that detection is a must. At the same time, incident response is also critical. The malware responsible for the Target breach WAS detected early on. Unfortunately, their incident response strategy failed, and they got breached. End of story.
User Rank: Ninja
11/18/2014 | 1:59:44 PM
Re: Prevention is ideal but detection is a must!
Good analogy. I think a layered approach is definitely a powerful security approach. It also may be a good idea to keep these layers inconsistent. By this I mean the mechanisms that are used between Prevention, Detection, and Remediation in correlation to IDS/IPS, Firewall, Anti-virus, and baseline cannot have similar mechanisms for deterrence. An article was done on Dark Reading earlier this year from Blackhat states that a consistency would make the layers easier to compromise. If one layer was compromised, another layer with similar mechanisms would also be in danger. It sounds counter intuitive but a layered-consistent approach riddled with inconsistency is best.

Consistency of Process

Inconsistency of Mechanisms
Robert McDougal
Robert McDougal,
User Rank: Ninja
11/17/2014 | 1:50:36 PM
Re: Prevention is ideal but detection is a must!
In today's security landscape I see prevention, detection, and response being treated as a layered filtering approach. Think of prevention like a piece of fine screen door, it will prevent the majority of bugs that attempt to get through. However, this layer has a problem in that it is only able to block those bugs that it is aware of, if a bug is small enough it can slip through undetected. This is where detection comes into play, monitoring everything inside the house for anything out of the normal. Why is Uncle Henry sneezing? We should take a look at that. Finally, you get to response which is after realizing Uncle Henry has a cold, you have to get him well and find and fix the hole in the screen door that let the bug inside in the first place.

Or Henry could have brought the bug in with him....
User Rank: Ninja
11/17/2014 | 7:26:31 AM
Prevention is ideal but detection is a must!
As the saying above goes, it is mission critical to ensure that if anything has infiltrated your network that you have the ability to detect and mitigate the risk. Prevention is just one piece of the puzzle as stated in the article and definitely has failed in the past due to a myriad of reasons. Same with the other two pieces but our faith in prevention has clouded us in some ways to the fact that its probably one of the less crucial of the branches. Prevention is ideal for any network however I believe that this ideal notion is riddled with inconsistency. Most if not all networks have been infiltrated in one way or another I believe. Whether this has been detrimental or not to this point is irrelevant, its our job to ensure that we are able to find these threats and eliminate them quickly and efficiently. For that we need to place more weight on the other two branches just as this article denotes. Tools such as IDS, anti-virus, and baseline analyzers can help in this regard. Other thoughts on how to put more emphasis on the other two branches.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.