Prevention: Cyber Security’s Siren Call

Yanek
4 min readMar 6, 2016

As we emerge from what might well be peak RSA, I’m somewhat mollified that the messaging around “Big Data!” and “Intel!” has tapered back a bit and that the focus on detection & response prevails. And yet, in that same month, I read a disturbing article focused entirely on the need to abandon this rubbish around “breach discovery and incident response” and instead focus on “anticipation and prevention.”

Terrifying.

It’s a call to arms for companies to return to the thinking of the 2000s. It’s the military equivalent of abandoning counterintelligence as a discipline and investing purely in phalanxes of pikemen. It’s dangerous. Not because all forms of prevention are impossible, but because the word evokes a set of assumptions about what “success” is in the context of threats. Like the beautiful Siren of Greek mythos, it promises utopia, but in the end we find ourselves dashed against the rocks and shattered into pieces.

Security Breaches Are Inevitable

This was Mandiant’s stance in 2010. It wasn’t a message that people were excited about. There were no breach raves thrown. It was a somber message that we look back on as nothing less than prophetic given the last several years of headlines. At the time, most executives were looking for mousetraps that promised prevention. Well aligned with customer demand, most of the enterprise security products on the market advertised that exact silver bullet.

To argue today that prevention is the answer is to claim: security breaches are no longer inevitable. We now have the tools and capability to ensure only people who we need to have access to our data have it. Everyone else is prevented from accessing it. Across all industries.

I don’t buy that.

Perhaps one day we’ll live in that world… but even on that point I’m skeptical.

Prevention is a Loaded Word

I argue instead that the very word prevention is a dangerous one. When we think about protecting personal data, corporate assets, critical infrastructure, and financial transactions, the very notion that “prevention is possible” makes anything short of that merely an attempt at success. Said more harshly, failure. That seems like pushing happiness past the cognitive horizon to me. Why would we do that to ourselves?

This has a lot more to do with what people think when they hear the word prevention than whether or not prevention is actually possible. Most organizational leaders today convert the word “prevent” in the context of cyber security to “keeping the bad guys out of my network.” Worst case, some might say their goal is to “prevent these attacks.” And to solve this problem we must have the best prevention mousetrap out there.

There are no Prevention Technologies

You can’t prevent an attack. That is, unless you happen to know who is about to conduct it and “take ’em out” right before they hit [Enter]. In many (but not all) cases, you can prevent attackers from getting into your network. Even if you fail to keep them out, you can prevent them from succeeding in their mission: disrupting your network, stealing your data, or committing fraud.

The thing is, once an attacker has made it past your technologies, people may still be in a position to use technologies to determine what’s happening and prevent it from going any further. We call this incident detection & response.

What you have in this successful scenario are: (1) controls that are designed to minimize the scope of your attack surface, (2) technologies that act as a deterrent for attackers, (3) technologies that provide detection capabilities to security personnel, and (4) security talent managing the incident response lifecycle from detection through remediation.
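To make the four-part scenario above concrete, here is a small added example (not code from the original post) in which a perimeter control does its job against one attacker, is bypassed by another who arrives with stolen credentials from an allowed address, and a detection layer still catches the mission, bulk data theft, and hands a containment action to the responder. The event schema, the 10.0.0.0/24 allowlist, the 50 MB / 5 minute threshold, and all log records are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events (hypothetical schema, not a real log format).
# "bob" connects from outside the allowlist and is stopped by prevention.
# "carol" has been phished: her stolen credentials arrive from an allowed
# internal address, so prevention passes her and only detection can catch
# what she does next.
SAMPLE_EVENTS = [
    {"ts": 100, "user": "alice", "src_ip": "10.0.0.5",    "action": "login",    "bytes": 0},
    {"ts": 110, "user": "alice", "src_ip": "10.0.0.5",    "action": "download", "bytes": 2_000_000},
    {"ts": 120, "user": "bob",   "src_ip": "203.0.113.9", "action": "login",    "bytes": 0},
    {"ts": 130, "user": "carol", "src_ip": "10.0.0.7",    "action": "login",    "bytes": 0},
    {"ts": 140, "user": "carol", "src_ip": "10.0.0.7",    "action": "download", "bytes": 30_000_000},
    {"ts": 150, "user": "carol", "src_ip": "10.0.0.7",    "action": "download", "bytes": 30_000_000},
    {"ts": 900, "user": "carol", "src_ip": "10.0.0.7",    "action": "download", "bytes": 30_000_000},
]

# Controls (1) and (2): a source allowlist shrinks the attack surface and
# deters the opportunistic attacker. It is a hypothetical range for this example.
ALLOWED_NETS = [ip_network("10.0.0.0/24")]


def prevention_allows(event):
    """Perimeter control: drop any event from an address outside the allowlist."""
    addr = ip_address(event["src_ip"])
    return any(addr in net for net in ALLOWED_NETS)


def detect_bulk_download(events, threshold_bytes=50_000_000, window_seconds=300):
    """Control (3): alert when one user's downloads inside a sliding time window
    exceed threshold_bytes. Returns at most one alert per user, for the first
    window that crosses the line."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            per_user[e["user"]].append(e)

    alerts = []
    for user, downloads in per_user.items():
        downloads.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for end, e in enumerate(downloads):
            total += e["bytes"]
            # Advance the window start until the span fits inside window_seconds.
            while downloads[end]["ts"] - downloads[start]["ts"] > window_seconds:
                total -= downloads[start]["bytes"]
                start += 1
            if total > threshold_bytes:
                alerts.append({
                    "user": user,
                    "bytes": total,
                    "window": (downloads[start]["ts"], downloads[end]["ts"]),
                })
                break
    return alerts


def respond(alert):
    """Control (4): the first step of the response lifecycle is containment.
    The action is a record for a human responder, not an automatic lockout."""
    return {
        "action": "disable_account",
        "user": alert["user"],
        "reason": f"{alert['bytes']} bytes downloaded in window {alert['window']}",
    }


def run_pipeline(events):
    """Run events through prevention, then detection, then response."""
    passed = [e for e in events if prevention_allows(e)]
    blocked = [e for e in events if not prevention_allows(e)]
    alerts = detect_bulk_download(passed)
    return {
        "blocked_users": sorted({e["user"] for e in blocked}),
        "alerts": alerts,
        "actions": [respond(a) for a in alerts],
    }


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_EVENTS)
    print("blocked by prevention:", result["blocked_users"])
    for action in result["actions"]:
        print("containment:", action)
```

The point the post is making shows up in the output: prevention stops bob, says nothing about carol, and the only reason carol's 60 MB in ten seconds becomes an incident rather than a headline is the detection layer and the responder who acts on it. The third download at ts 900 falls outside the window and is deliberately not what triggers the alert; the first two are enough.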

It’s Not Hopeless

Until organizational leaders across industries understand the nuances around what is and is not preventable within the scope of an incident response lifecycle, the word prevent remains dangerous. It creates misaligned expectations between business and security leaders. It encourages a false sense of security with technology pure plays. It creates the wrong conversation during an incident and distracts teams from responding.

And yet, as a security community we’re more effective than we ever have been at protecting our businesses from the riffraff and, in some cases, even at kicking the bad guys out of our networks before they have a chance to do real harm. But we still have a long way to go.

In the meantime, just say no to prevention.
