Perimeter
6/12/2017
10:30 AM

The Detection Trap: Improving Cybersecurity by Learning from the Secret Service

Intruders often understand the networks they target better than their defenders do.

It's surprisingly easy to break into the White House grounds — in March, someone slipped over the fence and roamed the compound before being caught. Nevertheless, the White House is still the most secure public space in the world, because whether they get tackled on the lawn, arrested at the front door, or stopped at the stairs to the residence, intruders consistently get caught before they reach the president.

Contrast this with how we protect the high-value assets in our data centers. Despite a $75 billion-a-year cybersecurity industry, attackers are still able to not only break in but to hide for months or years inside without being discovered. This is called dwell time, and the current average is about 146 days. For comparison, the White House break-in lasted about 17 minutes.

Dwell time is the most critical measure of network security, because any intruder with time to explore a network will almost certainly find a high-value target and cause serious damage. It is also the most striking distinction between physical security — where dwell time is generally short — and computer security. The Secret Service can permit a porous border because their understanding and control of the White House lets them focus on catching intruders after only a few moments inside.

The march of recent breaches has been typified either by a failure to detect intruders or by overworked security teams that missed alerts even when their detection worked. Security teams today are laser-focused on this problem and are doubling down on detection to solve it. This is the right problem to solve, but focusing on detection as the solution is a trap. The real problem is that intruders often understand the networks they target better than their defenders do, giving them a tremendous advantage.

The Defender's Advantage
Throughout history, defenders' greatest advantage has been their ability to choose and control their ground. The Secret Service knows every nook and cranny of any location where the president appears. This is why dwell time for intruders inside the White House is so short: they're on the defender's home turf, and every step could be their last.

On the network, defenders have largely ceded this advantage, because most don't know what their environment looks like. If security teams don't know how their applications operate across their infrastructure, they don't have control. If they have an outdated picture of their infrastructure (your network six weeks ago isn't the same as your network today) or they don't know what is connected to their network, they don't have control. And if they're missing critical information, such as which infrastructure is running their most critical applications, they don't have control.

Why are defenders in this mess? Networks are much more complicated and dynamic than the physical world, but they're also far easier to monitor. It's a problem that screams out for artificial intelligence, machine learning, and a string of other cutting-edge buzzwords. But most of these efforts are still focused on detection: catching bad guys in the act, not understanding and controlling the environments in which they are acting.

The good news is that understanding our networked environments is doable. The problem is we've been pointing our human analysts at computer-scale problems and our computers at human problems. Again, we can learn a lesson from the Secret Service.

Secret Service agents have decades of training under their belts and are optimized to solve the hardest problems: they must decide in a split second whether someone in a crowd is reaching for a gun, a protest sign, or just a cellphone. They must distinguish between someone having a bad day and someone plotting an assassination. They must separate an exercise of free speech from a destructive plot.

But Secret Service agents are also the scarcest and most expensive resource the agency has — those decades of training don't come cheap. So the Secret Service doesn't use agents to solve all their problems. Much of the Secret Service's effort is focused on solving simpler problems before they reach their agents, so those agents can focus on the hardest ones.

Think of your security team as your Secret Service agents. Expecting them to keep up with the constant dynamism of your network doesn't make sense. But on the network, every server, every virtual machine, every cloud instance, and every infrastructure device comes with a built-in sensor. If we could leverage this and keep up with changes in our environment, we could give our security teams the information they need to do what they are trained for: catch the bad guys.
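As an added illustration of the "control" idea in the two paragraphs above (this is example code written for this page, not Illumio's product or anything from the article), the following compares a security team's baseline picture of the environment against a fresh snapshot reported by host sensors, and separates the drift that touches a critical application from routine inventory hygiene. All host names, application labels and flows are constructed sample data.

```python
# Added example, not from the article: diff the team's baseline picture of the
# environment against a fresh snapshot from host sensors, then route drift
# that reaches a critical application to the analysts first. Data is constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

@dataclass
class Drift:
    unknown_hosts: set[str] = field(default_factory=set)      # seen, not inventoried
    missing_hosts: set[str] = field(default_factory=set)      # inventoried, not seen
    unauthorised_flows: set[Flow] = field(default_factory=set)  # not in the app map
    critical_hosts_touched: set[str] = field(default_factory=set)

# Baseline (constructed): what the team believes ran "six weeks ago".
BASELINE_HOSTS = {"web-01": "storefront", "app-01": "storefront",
                  "db-01": "storefront", "ldap-01": "directory"}
CRITICAL_APPS = {"storefront"}
ALLOWED_FLOWS = {Flow("web-01", "app-01", 8443), Flow("app-01", "db-01", 5432),
                 Flow("app-01", "ldap-01", 636)}

# Snapshot (constructed): what the built-in sensors on each host report today.
SEEN_HOSTS = {"web-01", "app-01", "db-01", "ldap-01", "jump-99"}
SEEN_FLOWS = {Flow("web-01", "app-01", 8443), Flow("app-01", "db-01", 5432),
              Flow("jump-99", "db-01", 5432), Flow("web-01", "ldap-01", 389),
              Flow("ldap-01", "jump-99", 22)}

def compute_drift(hosts_by_app, critical_apps, allowed, seen_hosts, seen_flows):
    """Return the drift between the baseline and the sensor snapshot."""
    d = Drift()
    d.unknown_hosts = seen_hosts - set(hosts_by_app)
    d.missing_hosts = set(hosts_by_app) - seen_hosts
    d.unauthorised_flows = seen_flows - allowed
    # Only drift that reaches a critical application needs a human; the rest
    # is the "simpler problem" automation should close out before it hits them.
    for f in d.unauthorised_flows:
        for host in (f.src, f.dst):
            if hosts_by_app.get(host) in critical_apps:
                d.critical_hosts_touched.add(host)
    return d

def triage(d):
    """Order unauthorised flows so those touching critical apps come first."""
    critical = d.critical_hosts_touched
    return sorted(d.unauthorised_flows,
                  key=lambda f: (not ({f.src, f.dst} & critical), f.src, f.dst, f.port))
```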

To do this, we need automated systems, we need orchestration, and we need machine learning. But we need them pointed at the right things — the computer-scale problems that prevent us from understanding and controlling our environments. Understanding and control are how defenders have been successful for millennia, in all kinds of environments and circumstances. Our task isn't to throw out these lessons and start over; it's to learn from this experience and adjust our approach to account for our new environment.

Remember that fence jumper's 17 minutes inside the compound. He should never have gotten inside, nor should he have been able to spend so long before he was caught. But when he was stopped, there were still multiple layers of security between him and the president. This is because the Secret Service isn't caught by the detection trap. The Secret Service focuses on control first. Security based on control doesn't mean defenders won't make mistakes — there will always be mistakes. It means that defenders can make mistakes and still be secure.

As head of cybersecurity strategy, Nathaniel is responsible for thought leadership, public engagement, and overseeing Illumio's security technology strategy. Nathaniel is a regular speaker at leading industry events, and his writing has appeared in industry publications, the ...
Comments
stitzman
6/13/2017 | 10:58:46 AM
Problem Solving
Because of the ever changing cyber threat landscape, and the pace at which our infrastructures are being attacked, using technology to assist our cyber defenders is an absolute requirement.  However, it's a very important distinction to remember that technology does not solve our problems.  PEOPLE solve problems.  Technology is just a tool.
Christian Bryant
6/12/2017 | 11:28:03 AM
White House As Honeypot
I have always found it interesting that the White House has had as many intrusions as seen on the news (and not), or even that some get as far as they do.  While it's easy to point to incompetence I rather like to see it as something else.  The White House acts as a honeypot.

You see, similar to how one might set up a sweet server that is begging to be compromised to see what flies are attracted to the honey, I suspect the White House acts in a similar fashion.  For anyone who has stood outside the White House, there is an almost inviting accessibility to the grounds.  What better way to quickly assess who in the neighborhood has malicious plans than to present a honeypot like the White House?

Now, speaking of dwell time, those with budget could utilize this same concept to border their inner critical data with inviting honeypots that would attract both one-hit-wonders and dwellers.  The key is for those who would dwell, by sitting in the honeypot they are hurting themselves by providing extended time for InfoSec pros to find them and end their squatting reign.  Expense may come to mind, but I suspect the cost and maintenance of an ESX server with a host of VMs spun out to act as a honeypot shield would pay off more in the end for some companies than by just relying on automation.

Adding good automation to the mix would just seal the deal.  With honey.