As originally published in Forbes Technology Council
If you’re a CEO, there is a good chance your IT security experts are telling you to assume you’re going to get breached. Not only that, but they’ll probably also tell you to “grin and bear it” because, quite honestly, there isn’t much you can do to stop advanced threats from penetrating your organization.
Far from being the bearers of good news, these security experts will advise you to focus your attention and budget on a reactive approach of detection, containment, and restoration. In other words, you’re doomed. In the absence of being able to stop attacks, you can bury yourself under heaps of data analyzing them.
Why would these highly sought-after and well-paid experts tell you that damage is unavoidable and that you should focus on detection and response? The answer you will receive is based on their hard-won experience: Effective prevention is just too difficult to achieve.
Research sponsored by our company and conducted by the Ponemon Institute found that while most security experts could logically accept that a focus on prevention would strengthen their organizations’ security posture, up to 80% of respondents felt that prevention of cyberattacks was the most difficult to achieve, compared to other stages of the cybersecurity life cycle.
Respondents listed a number of barriers to effectively preventing cyberattacks:
• Sixty-three percent said it took too long to identify a cyberattack; the majority of attacks are detected only after execution, at which point prevention is no longer an option.
• Fifty-nine percent said their technologies were outdated or unable to achieve the high detection rates that were needed.
• Fifty-five percent said they didn’t think their company held the in-house expertise to effectively manage a technically robust prevention solution.
• Forty-nine percent said false-positive rates were too high, making them untenable.
For James Lewis, a cybersecurity expert at the Washington, D.C.-based Center for Strategic and International Studies, hacks that are launched by nation-states are just too well resourced and organized, making them impossible to routinely prevent: “Government-backed hackers simply won’t give up — they will keep trying until they succeed.”
Prevention is not a new concept for security practitioners and decision-makers. The earliest antivirus solutions of the 1980s and ’90s were effectively prevention-oriented. Working from their volumes of signatures and heuristics, organizational SOC teams would try to squeeze as much capability as they could out of their AV by creating a complex matrix of rules to keep threats out. Yet this offered little resistance to novel threats, which could not be anticipated and therefore could not be protected against.
To close this gap in preventing new, unknown threats, next-gen tools built on machine learning became prevalent in the security market. In this new approach to prevention, machine learning is used to identify threats, and many organizations took advantage of it to replace their legacy products.
Yet with time, new challenges emerged, even for these shiny new products. First, the machine learning methods used to identify threats rely on “feature engineering,” where a human expert selects the features (or characteristics) that the model will analyze in order to decide whether a file is malicious. Because the features that are analyzed are fairly clear, it didn’t take long for attackers to identify the features that are not analyzed and to embed their malicious code there. Secondly, the data that supports machine learning algorithms degrades over time as threats morph and advance.
Users experiencing these challenges began shifting away from a prevention focus and moved toward detection-and-response solutions. The prevailing market sentiment was to assume a breach. It wasn’t about “if you will get breached” but “how you will get breached.” Vendors noticing this market shift adjusted their next-gen products to deliver endpoint-detection-and-response capabilities intended to fill the emerging gaps in their prevention solutions. These EDR tools focus on greater visibility into the back end and enable greater accountability with more comprehensive analysis and reporting capabilities.
Yet with neither legacy nor next-gen tools providing a robust level of prevention against new threats, it is debatable whether these developments have left organizations in better shape than they were in before. CISOs and CIOs keep renewing their contracts with expensive security products, even though they continue to get breached. In the Ponemon study cited earlier, 50% of the over 600 respondents felt their organization had made investments that did not improve its overall security posture.
Deep learning has enabled the third wave of cybersecurity, finally delivering on the promises made by the next-gen security vendors. The advantage of deep learning over machine learning lies largely in its autonomous end-to-end design, in which the human element of feature engineering, central to machine learning, is eliminated. Instead, the model is trained by analyzing 100% of the raw data available in a file. This more thorough training methodology means that its prediction accuracy is superior.
When confronted with a new threat campaign, the prediction accuracy of this deep learning solution correctly classifies the threat and prevents it.
IT professionals looking to bolster the security of their environments need to refocus on prevention. This time, however, their prevention layer should be enabled by deep learning so that it is sufficiently resilient to weather storms of perpetually more sophisticated malware.
Secondly, they need to be aware that there is no panacea; the most sophisticated malware will continue to get through. The key factor here is to make sure the attacks that slip through are kept to a manageable minimum, so that SIEM controls are not overwhelmed and are left responding only to the most pervasive, complex attacks.
It’s critical that IT security staff know that resilient prevention is achievable. False positives can be reduced, and costs of securing a business can be brought down. Getting to a continuously trusted state is feasible.
And business leaders should know that they should be insisting on it.