If You No Longer Know What You’re Looking for, You Can’t Protect Yourself Against It.
In my previous column I wrote about the concept of Information Superiority. The premise is fairly straightforward: In the battle for network security, whoever can bring superior intelligence to bear on network and device security problems, wins.
From the very start the bad guys have the advantage. An attacker is focused on local knowledge—information about a specific exploit, a default password, a topological flaw, etc. that they can leverage to gain access. This is a very targeted task. In contrast, a defender needs global knowledge—information about modern network environments and the threat landscape, both of which are constantly and rapidly changing. Gaining sufficient understanding to support the continuous process of securing the environment as it evolves is a broad and challenging undertaking.
The traditional methods of network and asset discovery have been ill-suited to meet the defender’s information superiority requirements because the scope of their operation is transient; they produce a picture of a moment in time. Inevitable environmental changes remain unknown until the next discovery scan, resulting in poorly configured security infrastructure, reduced protection, and an increase in false positives (noise) as well as false negatives (missed attacks).
Newer approaches that offer real-time discovery of everything in the environment, contextual awareness to filter out the noise, and intelligent automation to adjust defenses are becoming the foundation for modern security practices.
With these capabilities, traditional intrusion prevention systems, firewalls and anti-virus solutions can become next-generation security solutions with advanced technology that arms the defender with information superiority.
But one frontier still remains. These security tools provide protection “in the moment,” addressing suspicious activity and vulnerabilities apparent at a specific point in time. However, there is no follow-on capability. The security technology has only one chance to do the right thing, after which it has no ability to do anything about the attack or its after-effects. In the case of modern advanced malware, the problem with this approach is evident. First, threats change and morph once they enter an environment. If you no longer know what you’re looking for, you can’t protect yourself against it. Second, once you’re infected, you’re infected.
The challenge is clear. We must evolve protection “in the moment” to protection “any time, all the time.” To do this we need “Continuous Capability.” We must be able to see and track files and events continuously within our IT environments and respond comprehensively and systemically across our infrastructure at any time based on information as it becomes available. This means even being able to provide retroactive protection against threats that have already entered the environment based on the newest intelligence.
Today we are beginning to see continuous capability with solutions, based on a modern architecture, that enable the use of large-scale data mining technologies and cloud platforms to continuously monitor, analyze and store vast amounts of data from a specific deployment and the larger, global community of users. This data enables the defender to protect against not just initial infections but also against every mutation after the threat enters the environment.
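To make the retroactive protection described above concrete, the following is an added example, not code from the column or from any product: a small store of file sightings that is re-queried when a verdict arrives late, following file-creation lineage so that mutated copies are caught too. The event format, the `FileTrajectory` class and the `hash-*` identifiers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed telemetry: (timestamp, host, event, file_id, parent_id).
# file_id values are placeholders standing in for real file hashes.
EVENTS = [
    (100, "ws-01", "seen",    "hash-A", None),
    (105, "ws-01", "created", "hash-B", "hash-A"),  # A dropped B
    (110, "ws-02", "seen",    "hash-B", None),      # B reached a second host
    (120, "ws-02", "created", "hash-C", "hash-B"),  # B rewrote itself as C
    (130, "ws-03", "seen",    "hash-D", None),      # unrelated file
]

class FileTrajectory:
    """Keeps every file sighting so a verdict can be applied after the fact."""

    def __init__(self):
        self.sightings = defaultdict(list)  # file_id -> [(ts, host)]
        self.children = defaultdict(set)    # parent file_id -> {child file_id}

    def record(self, ts, host, event, file_id, parent_id=None):
        self.sightings[file_id].append((ts, host))
        if event == "created" and parent_id is not None:
            self.children[parent_id].add(file_id)

    def descendants(self, file_id):
        """The file plus everything it created, directly or indirectly."""
        found, queue = {file_id}, deque([file_id])
        while queue:
            for child in self.children.get(queue.popleft(), ()):
                if child not in found:
                    found.add(child)
                    queue.append(child)
        return found

    def retrospect(self, convicted_id):
        """Apply a late verdict: {host: [(ts, file_id), ...]} needing remediation."""
        affected = defaultdict(list)
        for fid in self.descendants(convicted_id):
            for ts, host in self.sightings.get(fid, []):
                affected[host].append((ts, fid))
        return {host: sorted(hits) for host, hits in sorted(affected.items())}

def build_history(events=EVENTS):
    """Replay the constructed telemetry into a trajectory store."""
    traj = FileTrajectory()
    for ev in events:
        traj.record(*ev)
    return traj
```

A point-in-time check that only knew about `hash-A` would never flag `ws-02`; convicting `hash-A` after the fact surfaces both hosts along with the derived files `hash-B` and `hash-C`.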
But this is just a start. By overcoming the engineering challenges inherent in many of today’s solutions we can attain continuous and comprehensive visibility and control and keep information superiority where it belongs—with the good guys.
By Marc Solomon