Mind the Gap, Avoid the Prevention Paradox
The more focus a company puts on preventing cyber-attacks, paradoxically, the less secure it becomes. In an environment built around a heavy prevention strategy, the dwell time of attackers can be indefinite. This episode of Dark Rhino's Security Confidential focuses on the Prevention Paradox and how to avoid it. There are three pillars of cybersecurity: prevention, detection, and response. Companies tend to focus extensively on prevention. In the SANS Sliding Scale of Cyber Security, prevention sits at the forefront, with detection and response further to the right on the scale. Many a company following the SANS Sliding Scale ends up focusing heavily on prevention, for a host of reasons the panel discusses. Prevention can take several forms, one of the most common being the use of endpoint protection tools such as Next Generation Anti-Virus (NGAV). These tools have advanced significantly over the years through the incorporation of artificial intelligence and machine learning into their detection engines. These advanced technologies are not enough. Why?
There are three levels of unknowns as one climbs the Pyramid of Pain: known-knowns, unknown-knowns, and unknown-unknowns. Known-knowns are easy to deal with: their signatures are known and their exploits are well documented. Unknown-knowns are a bit trickier, but with behavior detection through machine learning in NGAV they can be handled effectively. The unknown-unknowns are the most difficult to deal with, and they sit at the pinnacle of the Pyramid of Pain. They make use of novel tactics, techniques, and procedures (TTPs) that are not yet within the grasp of detection through automation or pattern recognition. Uncovering attacks based on novel TTPs is not within the domain of a vendor; it requires proactive, human-based threat hunting. The clearest recent evidence of this is the exploitation of the SolarWinds vulnerability with Sunburst. The TTPs used were so advanced that FireEye and the US federal government could not detect the attack with the plethora of tools, processes, and technologies they had in place for their cyber defense. It was detected only by human intelligence.
The more focus that is put on prevention, the more data becomes available to attackers about the methods of prevention. Attackers keep testing cyber defenses and come up with alternative methods to bypass them. On the defender's side, the belief is that the organization is well protected, so it may not readily realize that its methods have been compromised, which allows the attacker an indefinite dwell time. This is the prevention paradox. The panelists, Manoj Tandon, Chris Gerritz, and Tyler Smith, discuss the prevention paradox. Both Chris Gerritz and Tyler Smith are ex-US military, with Chris Gerritz having served in the US Air Force. It was in the US Air Force that the term "The Prevention Paradox" was coined. It has not been extensively talked about until now.
The panelists discuss what an organization can do to avoid the prevention paradox. The first step is a distinct separation of the detection and response tools from the endpoint protection tools. It is very tempting to use a single vendor for detection, response, and endpoint protection, and many organizations do exactly that. This is what causes organizations to fall into the prevention paradox. Layering in Dark Rhino Security's Six Sigma based Iπ&r process for detection and response, which uses the underlying technology of Infocyte, enables analytics-based hypotheses to be formed and tested rapidly across the entire network, further guarding against the Prevention Paradox.
Video cast of the webinar: https://youtu.be/A_3K86tKOxY
Panelists: Manoj Tandon, Chris Gerritz, Tyler Smith