Stop Trying to Prevent Break-ins

2011-02-20 14:55:29 by chort

Ready for a shocker? You shouldn't be spending all those resources trying to shore up your network against attacks. It sounds insane, but this is the conclusion I've reached after spending a week talking to some of the best and brightest minds in Information Security.

Over the last decade we've had no shortage of magic solutions, in the form of black boxes you can "simply drop-in to your network" and they'll "automatically protect you" with "almost-zero" administration. Yet today, are networks any harder to break into? We see in the news every day that another site was broken into via a SQL injection, exploited misconfiguration, or weak password. Education and prevention have not worked to eradicate compromises.

Maybe you think that only happens to the smaller orgs, or those not aware of security "best practices", but then we see that Google and a few score major enterprises were penetrated by the Aurora project and the attackers were apparently in for weeks to months before they were noticed. We've also seen recently that HBGary Federal (a security firm with deep experience in exploits and rootkits) was penetrated so thoroughly that their continuing existence is in question.

The challenge in playing defense is that you have to stop every single assault, and anticipate each far-fetched scenario that might result in your downfall. The blacklist approach must be an exhaustive list of attacks, which we know is impossible. On the other hand, whitelist approaches don't work either, because even a few false positives make a huge impact on productivity. The difference between "good" and "bad" behavior often comes down to intent, which computers are nowhere near being able to model accurately.

So is everything hopeless then? Should we just give up trying to protect assets and just take out enormous insurance policies? I'd argue that is part of the answer, but there's actually a better approach.

The one aspect we haven't looked at yet is dealing with the effects of a successful attack. In fact, let's back up and rephrase that as "dealing with the effects of a successful exploit", since merely breaking into your network doesn't mean the attacker has achieved their goal.

So what is the goal of most attackers? In the case of most APT today, the goal is stealing intellectual property and possibly modifying aspects of the supply chain to weaken them or grant broader access in the future. For criminals, it's usually making fraudulent transactions or stealing lucrative customer details en masse. Hacktivists want internal communications or records that will cause embarrassment to your organization. It's very difficult to quickly achieve any of those goals.

The criminal and hacktivist objectives are probably the quickest to accomplish, which might involve exfiltrating a large database, mail spool, or file repository, but that will likely take at least several hours. For cyber-espionage, the benefit to the attacker goes up with each week they stay in your system; it's not the getting in, it's the staying in that matters.

Hopefully you can see where I'm going with this: If you can't prevent penetration, but the opponent needs time to be successful, how quickly can you a) notice they're in and b) take corrective action? I propose this is where you should be focusing the bulk of your efforts.

Imagine if Google had noticed intruders in their network before their lawful intercept system was accessed to spy on Chinese dissidents. Imagine if HBGary Federal had severed their Internet connection before their passwords and code repositories had been exfiltrated. How much would that have been worth?

I believe that the most valuable things you can do to secure your organization are: Have strong identity management, instrument your applications and systems, consolidate and correlate your events, effectively summarize all of the above, and have highly skilled & trained personnel to manage it all.

You might say "gee, isn't this what SIEM vendors claim to provide?" Yes, but no technology is magic and no box you put on your network is actually going to require "near-zero" administration. The key to really managing security is to have skilled personnel investing quality time in tuning systems and observing results.

The area where personnel can bridge the gap left by technology is in customization. It's impossible for vendors to know what "normal" and "appropriate" looks like in your environment, but your staff hold that knowledge. There is no substitute for having deep understanding of workflows and internal application architecture. You know (or need to figure out ASAP) what data is critical to your organization. You know where it's supposed to go and who is supposed to have access. Explicitly mapping that out and looking for deviations is an opportunity for humans to excel.

Take a couple of examples: Suppose you know how many code check-ins each user typically makes on a daily basis--imagine how useful it would be to notice that one user has been 15% over average for the last week, and on drilling into the details you see the check-ins are in areas of the code they don't normally touch. Suppose you know how many ssh logins a particular user has by hour of the day, and suddenly their pattern shifts to logging in at hours they're normally dormant. Suppose your outgoing HTTP bandwidth suddenly spikes at 300% of normal and has stayed there for the last 5 minutes; what steps could a human take to make sure that's appropriate?
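To make the three examples concrete, here is a small Python script (added here as an illustration; it is not code from the original post) that runs each check over constructed sample data: it parses sshd "Accepted" lines and flags logins at hours outside a user's historical profile, compares a week of daily check-in counts and touched directories against a baseline, and tests whether outgoing HTTP bytes per minute have stayed at 3x normal for five consecutive minutes. The user names, log lines, baselines and thresholds are all made up for the example; the thresholds are the part a human has to set for their own environment.

```python
"""Baseline-and-deviation checks of the kind described in the post.

Added example, not code from the original article. All log lines, user names,
baselines and thresholds below are constructed for illustration.
"""
import re
from statistics import mean

# --- ssh logins by hour of day ---------------------------------------------

# Constructed sshd log excerpt in the usual syslog "Accepted ..." format.
SSH_LOG = """\
Feb 20 09:12:01 bastion sshd[2231]: Accepted publickey for alice from 10.1.2.3 port 51022 ssh2
Feb 20 10:40:17 bastion sshd[2290]: Accepted publickey for alice from 10.1.2.3 port 51100 ssh2
Feb 20 03:05:44 bastion sshd[2450]: Accepted publickey for alice from 10.1.2.3 port 51213 ssh2
Feb 20 14:02:09 bastion sshd[2501]: Accepted password for bob from 10.1.2.9 port 40002 ssh2
Feb 20 03:07:51 bastion sshd[2510]: Failed password for bob from 10.1.2.9 port 40003 ssh2
"""

# Hours (0-23) in which each user has historically logged in (constructed;
# in practice this is built from weeks of the same logs).
SSH_BASELINE = {
    "alice": {8, 9, 10, 11, 13, 14, 15, 16, 17},
    "bob": {9, 10, 11, 12, 13, 14, 15, 16, 17, 18},
}

SSH_RE = re.compile(
    r"^\w{3} +\d+ (\d\d):\d\d:\d\d \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from"
)


def parse_ssh_logins(log_text):
    """Yield (user, hour) for each successful login; other lines are skipped."""
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            yield m.group(2), int(m.group(1))


def off_hours_logins(log_text, baseline):
    """Return (user, hour) pairs at hours the user has never been seen active."""
    return [(u, h) for u, h in parse_ssh_logins(log_text)
            if h not in baseline.get(u, set())]


# --- code check-ins per day and areas touched -------------------------------

# Daily check-in counts: four baseline weeks, then the most recent week (constructed).
CHECKIN_BASELINE = [5, 6, 4, 5, 6, 5, 4, 5, 6, 5, 4, 5, 6, 5, 4, 5, 6, 5, 4, 5]
CHECKIN_LAST_WEEK = [6, 7, 6, 6, 7]
USUAL_PATHS = ["web/templates/login.html", "web/static/app.js", "docs/README"]
RECENT_PATHS = ["web/static/app.js", "billing/export.py", "billing/db.py"]


def checkin_rate_increase(baseline_daily, recent_daily, threshold=0.15):
    """Fractional rise of the recent mean over the baseline mean, or None if below threshold."""
    base = mean(baseline_daily)
    increase = (mean(recent_daily) - base) / base
    return increase if increase > threshold else None


def unfamiliar_areas(usual_paths, recent_paths):
    """Top-level directories touched recently that never appear in the user's history."""
    usual = {p.split("/")[0] for p in usual_paths}
    return sorted({p.split("/")[0] for p in recent_paths} - usual)


# --- outgoing HTTP bandwidth -----------------------------------------------

# Outgoing bytes per minute (constructed): a normal hour, then recent minutes.
HTTP_OUT_BASELINE = [40_000_000] * 60
HTTP_OUT_RECENT = [41_000_000, 39_000_000] + [125_000_000] * 5


def sustained_spike(recent, baseline, factor=3.0, window=5):
    """True if the last `window` samples are all at least `factor` times the baseline mean."""
    base = mean(baseline)
    tail = recent[-window:]
    return len(tail) == window and all(v >= factor * base for v in tail)


if __name__ == "__main__":
    print("off-hours ssh logins:", off_hours_logins(SSH_LOG, SSH_BASELINE))
    print("check-in rate increase:", checkin_rate_increase(CHECKIN_BASELINE, CHECKIN_LAST_WEEK))
    print("unfamiliar code areas:", unfamiliar_areas(USUAL_PATHS, RECENT_PATHS))
    print("sustained 3x egress spike:", sustained_spike(HTTP_OUT_RECENT, HTTP_OUT_BASELINE))
```

None of these checks says an incident has occurred; each one produces something a person can look at and decide on, which is the point of the post. The numbers (15%, 3x, five minutes, "never seen at this hour") are deliberately plain constants so they can be tuned by the people who know what normal looks like.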

These are all things that technology can enable, but humans need to make intelligent decisions about thresholds and--more importantly--how to respond. No product that I've seen can do these out of the box, but they're the types of questions and observations I've heard smart people make fairly often.

The main problem with InfoSec, in my opinion, is that we have so many new things being installed constantly that we don't have enough time to learn how they work and how to make the best use of them. If we bought fewer magic boxes, and spent more money on hiring, training, and retaining really skilled talent, we could get much more value out of all that technology.

We as an industry need to get real and stop pretending that attacks can be prevented--they can't. What matters is how we react after an attack, and that mostly comes down to humans making intelligent decisions. Technology can enable better decisions, by doing a better job of processing the information that is available, but it can never remove the human element.

So before you buy that next magic appliance to "solve all of our ____ problems", ask yourself "if I spent this much money on human assets, how much more effective would I be at response?" I'm betting the former won't look like such a good deal.

PS I'd be remiss if I didn't thank @georgevhulme for his editorial help with this article.
