Detect and respond
by Phil Lieberman - President of Lieberman Software - Monday, 11 August 2014.
At a recent security and risk management conference I had an opportunity to talk with industry analysts about today's challenges in network security. It seems that many analysts' perspectives are driven by client inquiries that seek simple product recommendations to solve complex challenges. A recurring problem with this sort of inquiry is that oftentimes the right solution requires more than the purchase of a product. Solutions to complex problems often also require organizational changes – yet this critical element is either ignored or impossible to implement based on the level of the individual making the inquiry.

With that in mind, my conversations with some analysts focused on common misconceptions about the value of perimeter security, next generation firewalls, and other cure-alls that are being purchased with the mistaken goal of providing an impenetrable wall around a company’s IT infrastructure. The latest buzzword spouted by many analysts (and commonly misunderstood) is technology that provides “detect and respond” capabilities.

The dirty secret I raised with those analysts is that this latest “silver bullet” technology is no cure-all, and in many cases provides little added value to customers beyond the previous generation of perimeter security. And yet these technologies do seem to provide political cover against almost inevitable data loss, since they're currently the analysts' recommended solution for perimeter protection.

Intrusions and kill chains

For the record, I am not saying that firewalls and other perimeter protection have no value. Perimeter protection is getting better every year, and remains an excellent investment. The problem is that many customers do not fully understand how cyber-attacks work, and so might expect that perimeter protection alone can protect their networks. Why not? They've paid more than enough money, and a salesperson probably told them it was sufficient.

An IT security professional will tell you that almost any competent attacker can walk through the best and latest perimeter protection, infecting an entire network within minutes. Today it's almost certain that infected content will make its way through corporate email servers, or users' machines will get infected via personal web email being opened at work.

In many cases your perimeter protection can detect these infections after a period of time – say, 15 minutes to 2 days. Unfortunately, this detect-and-respond chain also generates a lot of false positives, and requires full-time (24/7) trained staff to analyze the alerts and determine the appropriate action. If there are too few competent people monitoring these mechanisms, an intruder’s access will only persist and expand. To understand the scope of this problem, keep in mind that today's breach reports often tell us that intruders have had undetected access for more than 200 days.

Defense in depth

Given that intruders can easily get past the perimeter protections, what are the best practices to protect your corporate network?

Let’s start with the assumption that your perimeter defenses will fail some of the time. Next, you have to do a pragmatic analysis of how far an intruder could go after taking control of any one machine in your environment. Here is what you should expect: the compromised machine has a key logger installed that records every user name and password entered on the machine. Assume that any administrator account credentials that ever touch the compromised machine are now available for the attacker to access other systems. And if the compromised machine has user certificates, server certificates, or SSH keys, these are also now owned by the attacker for their use.
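One way to make that "how far could an intruder go" analysis concrete, as an added example that is not part of the article: given a record of which accounts have logged on to which hosts and where those accounts hold admin rights (constructed sample data, not from any real environment), compute the hosts reachable from one compromised machine under the assumption that every credential that touched it is now the attacker's, and find the single logon whose removal shrinks that exposure the most.

```python
from collections import deque

# Constructed sample data (hypothetical): accounts that have logged on to each host.
# Under the article's assumption, all of these are harvested once the host is owned.
LOGONS = {
    "ws-01": {"alice", "svc-backup", "helpdesk-admin"},
    "ws-02": {"bob", "helpdesk-admin"},
    "file-01": {"svc-backup", "domain-admin"},
    "db-01": {"domain-admin"},
    "hr-01": {"carol"},
}
# Constructed sample data: hosts on which each account holds administrative rights.
ADMIN_RIGHTS = {
    "helpdesk-admin": {"ws-01", "ws-02", "ws-03"},
    "svc-backup": {"file-01", "ws-01"},
    "domain-admin": {"ws-01", "ws-02", "ws-03", "file-01", "db-01", "hr-01"},
    "alice": {"ws-01"},
    "bob": {"ws-02"},
    "carol": {"hr-01"},
}

def blast_radius(start_host, logons, admin_rights):
    """Return (hosts, accounts) an intruder could reach from start_host by
    harvesting credentials on each owned host and using any admin rights they grant."""
    hosts, accounts = {start_host}, set()
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for acct in logons.get(host, ()):
            if acct in accounts:
                continue
            accounts.add(acct)
            for target in admin_rights.get(acct, ()):
                if target not in hosts:
                    hosts.add(target)
                    queue.append(target)
    return hosts, accounts

def most_valuable_removal(start_host, logons, admin_rights):
    """Try removing each logon on start_host in turn and report the account whose
    absence reduces the reachable host count the most, as (account, hosts_left)."""
    best = (None, len(blast_radius(start_host, logons, admin_rights)[0]))
    for acct in sorted(logons.get(start_host, ())):
        trimmed = dict(logons)
        trimmed[start_host] = logons[start_host] - {acct}
        reach = len(blast_radius(start_host, trimmed, admin_rights)[0])
        if reach < best[1]:
            best = (acct, reach)
    return best
```

In the sample data, one workstation logon by a backup service account is the difference between a contained incident and a fully owned network, which is the kind of finding this analysis should surface before an intruder does.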
