Now that the midterm election season is over in the US, I've been thinking about how security teams could benefit from their own checks-and-balances model. For more than two centuries, this approach has worked successfully in government. Why not use checks and balances to ensure that all the pieces of a security program work in concert to improve a company's overall defense posture.
Within the US government, the system of checks and balances ensures that no single branch -- legislative, executive, or judicial -- can assume too much power, while keeping each branch accountable to the others.
Security programs also consist of three branches. Prevention pertains to stopping threats from entering the network. Detection is about finding hidden threats that make it past preventive controls. Response involves containing damage following a breach and putting in place mitigation controls to prevent a similar breach from occurring.
Historically, enterprises have dedicated the majority of resources to prevention, giving this one branch of security power at the expense of the other two. Unfortunately, that power has not translated into better security. Preventive controls do fail and, as zero-day threats are proving with increasing regularity, it is vital that enterprises consider all three branches of their security program for a holistic approach to threat defense.
That's where a system of checks and balances comes in. It would require enterprises to rethink their approach to security. Traditionally, we think about prevention, detection, and response as a vertical stack. We have to start thinking about the security stack horizontally and bi-directionally. In this case, each control continually feeds and improves the others.
Inside the network
Let's assume that a device inside the network downloads a piece of unknown malware that has gotten past preventive controls. Through network monitoring and analysis (detection), you can determine that the malware is malicious. However, you don't know whether the device is infected.
With the proper visibility into the device, you can determine whether the specific file has been executed. If so, you can obtain the history of the infection. This information can be handed off to the response team to enable rapid containment and mitigation.
Outside the network
Now assume a device outside the network becomes infected. When that device connects to the network, it brings with it a zero-day infection. A threat actor outside the network is controlling the device inside the network. Network monitoring exposes the malicious behavior and command-and-control activity. The malicious file is not detected, but the overwhelming evidence points to infection.
Once again, with the proper visibility into the endpoint, you can gather further information. You can examine the infection processes and determine which executable they came from and the original download that caused the infection. The team can have all this information to respond effectively and efficiently to the infection.
In both of these scenarios, the preventive controls fail, as they so often do. However, the continuous exchange of information across the security stack helps ensure rapid detection and an efficient response. Just as no form of government is perfect, no security program will ever be 100% breachproof. But approaching security holistically, with the proper checks and balances in place, can help strengthen the entire program -- and with measurable results.
Want to find out how the security industry can Turn The Tables on Attackers? Read a new Dark Reading blog from Amit Yoran, RSA's new president.