Scott Simkin wrote an interesting post about How Do You Define Prevention? that I would like to share.
“In discussions about cybersecurity, a word that gets used a lot is “prevention.” How do you prevent cyberattacks before they succeed? Will the cybersecurity measures currently in place offer the prevention of losses due to a cyberattack? What part of an attacker’s playbook does prevention actually stop? These are important questions that security teams continue to struggle with, as security vendors of all stripes have been promising their particular approach to cybersecurity will prevent cyberattacks for years.
But cyberattacks continue to plague organizations, and the number of successful breaches is rising. According to the New York State Attorney General’s office, breach notifications issued in 2016 are already 40 percent higher this year than they were at the same time last year. So if the security marketplace is full of solutions that are supposed to “prevent” cyberattacks, why are so many attacks still succeeding?
In my opinion, it’s a question of evolution. Cybersecurity is an area that requires constant change from a defense perspective, with novel malware, attack techniques and vulnerabilities attempting to evade ever-advancing security controls. This back-and-forth game has played itself out for years now, but the number, scale and sophistication of attacks has sped up in the past four years. Compounding the issue is that many legacy cybersecurity technologies still in use were originally created to stop yesterday’s cyberattacks methods and are incapable of finding and stopping what is seen in the real world today. In a recent survey on cybersecurity prevention conducted by the SANS Institute, 85 percent of respondents indicated that, while they’ve implemented technical measures to preventively block known malware, less than 40 percent consider these measures to actually be preventive.
Furthermore, most legacy cybersecurity solutions were developed to address one specific security issue. As new threats arose, vendors would create and market other single point solutions to address it, resulting in most customers having an ad hoc collection of security devices from multiple vendors, each working independently of the others, to identify and stop inbound cyberattacks. This approach leaves many gaps in an organization’s security posture that adversaries can take advantage of, as well as requiring more resources to orchestrate the different, competing technologies.
So if legacy cybersecurity technologies aren’t actually preventing cyberattacks, why do we keep describing such solutions as “preventive”? It’s time to adopt a new definition for the word “prevention” when it comes to cybersecurity.
New or next-generation prevention should stop focusing on trying to stay on top of a constantly changing pool of malicious tools and start focusing on the underlying techniques employed by threat actors, such that blocking a single technique could stop an entire class of attacks. The fact is that, while malware and other tools are growing in number daily, the ways cyberattackers use to deliver threats (spear phishing or stealing legitimate credentials, for example) haven’t changed nearly as significantly. In light of this, wouldn’t it be more efficient to focus on stopping the methods used to deliver threats, rather than the threats themselves?
Next-generation prevention should also be automated. As mentioned above, the number of cyberattacks is increasing daily, so much so that many security teams cannot keep up with the many alerts their legacy solutions provide about potential breaches. Even more frustrating, these alerts typically don’t contain much context around the malware infection: How serious is it? What is it trying to do? Is the malware designed to target a specific industry? Without that information, it’s difficult to determine just how significant an attack is and how much attention it warrants from the security team. When automation is properly applied, attacks can be identified and prevented by the system, without needing human intervention. Systems can contribute to collective immunity by sharing intelligence about newly discovered threats, at machine scale, with every user. Then, when prevention is automated, you can apply your limited human resources to analyzing the truly targeted attacks.
Given the history of applying prevention in the real world, visibility and analytics into effectiveness are critical areas of focus. Increasingly, executive leaders, often up to the board of directors, are asking for updates on the security posture of an organization. This includes reporting on weaknesses, trending threats, and where to focus in the future, as well as providing a view into how the organization’s investments in security technology have (or have not) paid off. When considering a next-generation cybersecurity approach, proving how it has prevented threats can go a long way to securing additional funding in the future.”