Enterprises spend a mind-boggling $76 billion each year to “protect” themselves from cyber-attacks, but the bad guys keep winning because most protection solutions are based on detection instead of prevention. The 2015 Verizon Data Breach Investigations Report highlighted over 2,100 breaches and the FBI claims that every major U.S. company has been compromised by the Chinese – whether they realized it or not.
What’s wrong? The answer is the same today as it was in ancient Troy when the Greek army suddenly disappeared, leaving behind an innocent-looking horse that the Trojans willingly brought inside the gates. The enemy had changed shape, avoiding detection. And so it is today: Verizon found that 70 to 90 percent of the malware used in successful breaches last year was unique to the attacked organization. Today’s detection-centric tools mistakenly assume that malware, or techniques used in an attack, will be used elsewhere. We read the results in the press and it isn’t pretty.
Detection is a flawed protection strategy
Detection will fail – with certainty. The proof dates back to Turing’s work in 1936 on the Halting Problem and Alonzo Church’s work on undecidable problems, meaning it is impossible to determine if code is malicious or not with 100 percent certainty.
Some security vendors claim to have developed “advanced threat detection” or “new math” but this is deliberately misleading; they are secretly delighted with the status quo. That’s because detection serves their commercial goals to advance a narrative that organizations are pitted against sophisticated foes whose subterfuge demands continued diligence and adaptation. They use this to absolve themselves of responsibility when detection fails, and to bolster the marketing appeal of their “next gen” products. There is “always a way in” and “no silver bullet.” Homilies don’t help.
Absurdly enough, these same vendors debase the language of security, promising to stop breaches, and secure the enterprise – when they cannot. Others, focused on remediation and forensics, sell the equivalent of cyber indulgences to absolve these victims of the sin of poor security practices.
Detection fails in two ways – with unexpected consequences:
- We all understand the obvious (and inevitable) consequence of failing to detect an actual attack - a “false negative” – that lets the bad guy in. An example is an IPS that cannot see inside encrypted TLS web traffic, given that more than 70 percent of attacks use TLS – as close an analogy to the Trojan Horse as one could want.
- Another, more prevalent failure mode is just as bad: State of the art IPS systems bury “true positives” in a haystack of (up to 1,000 times as many) false alarms. A recent Ponemon study found security teams investigate only 4 percent of alerts. Security teams scurry about remediating non-attacked systems, losing focus and wasting enormous time and money, and in the fuss may fail to notice signs of an actual attack. Last year’s breach of Target is a good example because they did not respond to the alerts.
Detection is a failed detection strategy (sic)
Building a good detector requires careful tuning with real-world attacks. But in today’s cyber-scape, polymorphic and crypted malware changes shape hourly. It is impossible to adapt a detector at the same speed. Stated mathematically:
“[For malware of size n bytes] …The challenge … is to model a space on the order of 2^(8n) to catch attacks hidden by polymorphism. To cover 30 byte [malware] decoders requires 2^240 potential signatures. For comparison there exist an estimated 2^80 atoms in the universe.”
Vendors that claim that detection is a tool to find compromised systems to “reduce dwell time” find that their detection tools are as poor at identifying successful attacks as they are at stopping them.
Detection is a failed strategy
The only viable alternative to detection is to make systems “secure by design.” Network micro-segmentation would have easily defeated the Target attack. Micro-virtualization enables endpoints to hardware-isolate each task that processes untrusted content, defeating each attack automatically. An architecture that rigorously enforces the principle of least privilege is widely recognized in the domain of human security – for example in intelligence work, and more widely in society.
The only way to survive in an untrusted world is to enforce least privilege and to never trust the untrustworthy. Hardware isolation transforms security: server hypervisors and clouds on the one hand, and micro-virtualized endpoints on the other, can both secure themselves and ensure that there is never any need to trust a detector.
As it turns out, in the context of resilient, self-remediating endpoints, it is possible to eliminate false positives, identifying actual attacks with uncanny precision – in other words, to deliver the needle to the security team, without the haystack.
[Read an opposing view favoring detection over prevention by Josh Goldfarb in Detection: A Balanced Approach For Mitigating Risk.]