Today's CISOs are undoubtedly overwhelmed with trying to make the most informed, efficient, and economical decisions about securing the most valuable assets in the enterprise. In the days of old, those decisions were a little bit easier because investing in prevention provided decent protection.
That's not true today, which is why Ira Winkler president of Secure Mentem and author of Advanced Persistent Security said that trying to protect against every threat is not cost efficient.
Shifting the mentality of those defenders who came to age in the world of preventative protection has been slow going. As a result, some security programs are failing, "Not because the bad guys got in, but because they got out," Winkler said.
In order to build a strong security program, CISOs need to invest in the right balance of prevention, detection, and response, which means that they may want to leave some vulnerabilities that they can manage in order to focus more on detection.
Jeff Williams, CTO and co-founder at Contrast Security, said, "Winkler is trying to make a distinction between protect, detect, and react. And of course, a responsible security strategy has all three."
The question then is one of prioritization. Williams said, "Prioritizing detect and react over protect is offering candy to CISOs overwhelmed with their security challenge."
If one were to use the analogy of home security, not trying to prevent a vulnerability, said Williams, "Is like saying, don’t worry about locking your doors and windows. Just wait for the alarm to go off and the police will protect you."
There's also the potential of attacks that don’t actually trigger alarms. "The police don’t always respond effectively, and the damage may have already been done by the time the cops arrive," Williams said.
Detection and reaction are not silver bullets, in fact, Williams said, "Just watch the movie “Taken” if you think that detect and react are always the best strategy."
But Winkler is not suggesting that people leave the front door unlocked. That's tantamount to taking no security measures at all, which no one would advise.
The reality is that even if everyone locks and bolts the front door, some people like to sleep with their windows open. "Does that mean that we put bars on all the windows?" Winkler said.
There are always going to be vulnerabilities. It's virtually impossible to prevent against every single threat.
Instead, Mike Donaldson, solutions specialist at Bay Dynamics, said, "All vulnerabilities should not be treated equally. An unlocked window is a security vulnerability. But, if that window is on the 50th floor of a high rise, it is unlikely that a burglar would scale the building to break in."
They need to prioritize based on risk. For that same unlocked window, Donaldson said, "If you put the Hope Diamond in that room, the risk is elevated because the diamond’s high value may entice a thief to attempt a threat, albeit a low probability one, but a threat nonetheless."
Security teams need to weigh the risk and probability in order to determine which of their vulnerabilities should be fixed immediately, but organizations need to understand their own risk and build their security programs with a balance of prevention, detection, and response to align with those risk.
"They need to do a risk assessment and find what vulnerabilities exist. Then it becomes a question of mitigating the vulnerability versus the potential damage from a vulnerability," said Winkler.
However, Williams said, "Vulnerabilities and attacks follow the exact same flow, and detecting attacks follows essentially the same logic as detecting the vulnerability itself. Pushing this activity left in the software development lifecycle is the most cost-effective way to deal with security."
When security teams focus on their threat model and they understand their most critical exposures, "They can make sure that they have an appropriate set of strong defenses in place and then monitor them. And yes, make sure you monitor for attacks too, just to be sure,” said Williams.
Because security practitioners are bombarded with thousands of vulnerabilities a day, Donaldson said that when focusing on attacks, "They should focus on the ones that present the most risk to the organization, those that, if exploited would cause the most damage to the company."
They need to take into account the value of the asset that contains the vulnerability and determine if there’s an associated threat that could exploit the vulnerability, and understand the financial impact the organization would face if that vulnerability were exploited, said Donaldson.
At the end of the day, though, the CISO is there to make economic decisions, said Matt Rodgers, head of security strategy at E8 Security, and the new CISO is tasked with understanding how to invest in people, process, and technology.
"Right now we're coming into a time where the CISO has different choices than they did in the past," Rodgers said. "The fastest way to secure the network used to be to invest in protection. To balance that investment is now the critical role of the CISO."
Luckily, as the role of the CISO has changed, there have also been changes in technology to help make that balancing act a little more manageable.
Because people are scarce, and "The skill sets they are looking for are pretty advanced, that scarcity problem puts the CISO in a rough spot," said Rodgers. The shift toward big data technology and AI and machine learning means that the CISO can lean on technology to fix the people problem.
Technology allows the CISO to make the few resources they have better at detection, said Rodgers because "Humans don't need to know what normal looks like anymore. The machine can tell them."
Rather than taking the time to understand what their environment looks like, these new technologies make it so that today's CISO is "Presented with that information. They do not have to spend time to build a case, and they can use intelligence to make decisions like whether or not they respond to events that are going on," Rodgers said.
It's hard to argue with Winkler's assertion that "Protection will eventually fail. It shouldn't fail easily, but you don't get a pass for not protecting when your critical assets are at risk."
The bad guys are going to keep getting in, Winkler said, "The problem for most enterprises is that they seem to be pretty comfortable once they are inside, with statistics showing that lag times are upwards of 100 days."
Detection tools not only minimize lag time but they also inform the proper response. "Every organization should have clearly defined incident response plans. It shouldn't just be that they think this might be the right thing to do at this time," said Winkler.
Tools such as multi-factor authentication, perimeter defense, anti-malware, and security awareness, are what Winkler calls the staples of a good protection program. "They need to have balance in detection. I'd rather have detection and reaction in place than prevention outside of those staples."