By: Mark Arapovic, SE Manager
Security ‘guys’ are an eclectic mix of personalities. The people working in this industry of ours are as varied as they come, but I have to say, one topic which has continued to dominate a lot of pre- and post-meeting small talk over the past few weeks has been the FIFA World Cup. Surprisingly, for a group of people who are stereotypically supposed to be ‘nerds’, there are more of you in vendor/channel/customer land than I expected who have been waking up at 4am, or pulling all-nighters, to watch the matches.
I, for one, am one of them (though the Australian time zone can put a football fan’s dedication to the test).
Another hot topic over the past few months/years (within meetings this time) is the discussion around Detection vs Prevention in terms of a security strategy. It has never been a tougher time to be a customer wading through all of the security solutions currently on the market. It’s safe to say that the explosion of malware since 2008 has been matched by the explosion of startups and cybersecurity vendors claiming to have a silver bullet for the troubling times we find ourselves in.
Well, Bitcoin of course. It has given the ‘bad guys’ a way to monetize their handiwork and has been quite a lucrative way for them to get away with a clean pair of heels. Combine this anonymous monetization of threats with the treasure trove of tools leaked from the NSA (which have given us such hits as WannaCry) and you have an environment of fear and uncertainty ripe for the picking from a vendor perspective. This ‘feeding frenzy’ of opportunity for security vendors has really thrown a lot of traditional assumptions and foundational principles of cybersecurity out the window, and as the months roll on, and another breach is disclosed, another attack discussed, the water becomes muddier and muddier as vendors reach beyond their core discipline to get a larger chunk of the pie.
I don’t want to use the word ‘cowboys’, but some of the conversations I have had with customers relaying the claims of some vendor solutions have been just downright irresponsible. Come to think of it, some of the most entertaining exchanges I have read online recently have been grandiose vendor postings on LinkedIn that quickly get shot down by independent researchers or security professionals. Maybe it’s desperation, maybe those of us in vendor land are just not as knowledgeable as we used to be, or maybe it’s just hard to find good security people who won’t struggle to keep up with new concepts and new technologies. But whatever it is, I get the feeling that the channel, and in particular a strong security-focused partner, is more important than ever, especially when it comes to making big decisions in terms of security strategy.
The tidal wave of threats that has been unleashed in recent times really broke the banks for a lot of traditional vendors. The philosophy (from a prevention perspective) of layering signature-based engines with a multitude of other complementary technologies has been barely viable, and it burdens our endpoints with so many running services and processes that our end users have been screaming for it to stop. This approach of adding another driver or agent to provide a small uplift in detection, or to stop a specific type of threat, is akin to buying as many lottery tickets as possible for a better chance of winning a clean environment (and don’t get me started on prevention capabilities that rely on a cloud connection). Sustainable? Not at all. Effective? Not really. When I see videos posted online showing malware running and then getting caught after the fact, or rolled back, I feel like I am the only one in the room questioning how that is even acceptable, and why any vendor would advertise that they missed in the first place. Not impressed.
Maybe I am from the old school, where prevention was what we were measured on, where incident response implied that something got through: there has been a failure, an error, an apology letter and an explanation needed after we hopefully clean up the mess the miss has caused. But not these days. A piece of malware that runs past the pre-execution layer of any product doesn’t raise any eyebrows, and seems to be almost acceptable because we have apparently hit the ceiling of pre-execution and prevention capability. For a few years now it’s almost as if the industry has thrown its hands in the air and said, we can’t do much better than what we are doing with prevention, so let’s just let it run and figure out what it is doing after the fact…
At the point when everyone realised the shortcomings of available prevention technologies, and this imaginary ceiling was hit, EDR solutions all of a sudden were not just tools designed to pick up a live attacker moving through the environment (or should I say, that theoretical 1% that AV products missed), but had now crossed over into the world of making up for the shortcomings of traditional prevention-based solutions. Endpoint security vendors all of a sudden expanded their forensic and detection/response capability, and traditional EDR vendors started building in preventative layers and marketing themselves as an AV replacement technology. This is essentially where we are today, and why there is so much uncertainty.
Speaking with customers, I have heard many times that the decision boils down to whether they want an EDR solution with some threat prevention, or a threat prevention solution with a sprinkle of EDR. Too many vendors trying to be too many things? Or is having a single budget for securing your endpoints, and being forced to pick, the problem?
I can imagine how difficult it must be for a CIO formulating a security strategy when the ‘experts’ can barely decide where all of these varying solutions sit in a report or quadrant. This is why, in this day and age, customers should really go back to basics, and why I love the analogy of picking your all-star football team.
Having worked in the industry for over a decade, it’s natural that some very close friends of mine work for a whole range of vendors, including competitors. So besides the FIFA World Cup discussions recently, we have had equally heated debates about security and the current landscape. It is natural, if you work for a vendor that has a particular philosophy or approach, that you too evangelize this approach, which is why it is so important to keep vendors honest by building a relationship with a security-focused solutions provider or MSP (who is hopefully one or two steps removed from all of the vendors out there), or to go and do the hard yards yourself by putting vendor claims to the test.
During one of my recent ‘catch ups’ with some former colleagues we had some interesting discussions around EDR and Next-Gen AV. After the chest thumping had died down, and using the analogy of approaching your security strategy the same way you would a fantasy football team, there were some really interesting admissions.
A peer working for an ‘EDR’ vendor said:
“Using your analogy, I would say that expecting an EDR solution to be highly effective at actual threat prevention is like putting Lionel Messi as goalkeeper in the fantasy World Cup team. The EDR premise, after all, is that the prevention layer will let through more than it will stop, which makes the EDR solution more relevant.”
Another, who is a self-described EDR-phobe, said:
“Of course EDR should be part of your security philosophy, but before heading down that path you have to understand it’s not exactly a ‘set and forget’ type of solution. You need to dedicate multiple head count to the management of the solution, whether that be internal or outsourced to a partner. I would imagine the more you invest, the more useful the solution becomes.”
The assumption that a prevention layer will miss is, in my humble opinion, somewhat overstated, depending on who you talk to. Not only are we now at a stage where innovation on the prevention side of the fence has exploded once again, but those of us who were starting to lean toward the Detection and Response approach are now having second thoughts because of these new developments, specifically around Deep Learning.
Yes, yes, I know, the first rule in security is that nothing is 100%, but having an overly pessimistic view of prevention tech and dismissing the advances made on this side of the fence in recent years is bordering on ignorance. At the same time, no prevention-based solution is bulletproof, which is why you need to build on it the deeper you move toward your own security utopia.
So, who is on your team?
So, the question you should ask yourself is: who is in your Security Fantasy Team? Who provides the best prevention, the best visibility, the best control, the least performance hit, the most operational advantage, and should each of these things really come from a single vendor? I think the football analogy is very relevant in this regard, because in the past we have seen certain football philosophies come, dominate, then fade away… much like in our cybersecurity world. So my view is that a mix of the best of each philosophy is probably the safest way to go.
Catenaccio = Application Whitelisting
Emphasis on defence, made famous by the Italian teams of the 70s and 80s. It was super-effective but counterproductive to the spirit of the beautiful game; it angered a lot of fans but was appreciated much more when scaled back.
Gegen-Press/Rock’n’Roll Football = Next-Gen AV / AI based prevention
Defending from the front, having your strikers act as your first line of defence: new, fresh, exciting, and in the modern generation pioneered by Jurgen Klopp with his Borussia Dortmund and Liverpool teams. Pretenders are easily caught out if you do not have the correct framework or approach to this; a lot of teams claim to use this philosophy, but on game day it’s evident a lot cannot pull it off.
Total Football = Security as a System (i.e. Endpoints talking to Firewalls either directly or via SIEM/Orchestration utilities)
The famous Dutch team of the 70s, one of the greatest teams never to win a World Cup, spearheaded by the late, great Johan Cruyff. This system is still the foundation of the Ajax (Amsterdam) youth academy today, where every player at some stage plays in every position in order to get an understanding of every position.
Tiki-Taka = Endpoint Detection and Response
Made famous by Barcelona and the Spanish national team in recent history: typically no striker, but relying on short, sharp passes, complex triangles and possession of the ball. It exploded onto the scene and won Spain a World Cup, but as you may have seen, the Spanish were just knocked out of the recent tournament in Russia… how times change.
The Long Ball game = Old School AV and/or Firewall
Typically a Sunday League tactic, still employed by a lot of English and Scottish teams, where you simply launch the ball up front and hope one of your players gets on the end of it. Not really effective when up against high-quality opposition, but sometimes the best you can do when budget restrictions limit the recruitment of good players.
So, if I were to build my Fantasy Football team, I would use a mixture of all the above systems and tactics depending on my opponent… each has its strong point, but each has weaknesses too.
* Disclaimer *
I work for Deep Instinct here in Australia. The first company to apply Deep Learning to Cyber Security. I have my biases, yes, but after working in Cyber Security for 12 years for multiple vendors, my personal belief is that prevention is better than finding a cure.
I joined Deep Instinct because I was blown away by what a custom Deep Learning framework can do to revolutionize and reinvent the way we look at prevention, and our recent discovery of MyloBot validates what our approach is capable of. – Mark Arapovic, Sales Engineer Manager