When cure is better than prevention
In cyber security the use of preventative controls is the ruling doctrine on how to protect organisations. But as the potential avenues of attack expand prevention is not keeping up.
Good cyber security strategists understand their job is to minimise harm when the assets they protect are actively targeted by a determined and skilled opponent. That is, cyber security occurs in an adversarial context. This critical point is often misunderstood, but organisations need to consider it when deciding how they allocate their efforts between activities that prevent or detect and respond to cyber intrusions.
Preventative controls are good but…
Standards are a tremendously valuable starting point. They are often based on lessons we have learned the hard way and help us to avoid making the same mistakes again. They can also be updated with new thinking to help organisations prepare for and avoid risks introduced by new technology.
As the industry has gained experience the list of preventative controls has grown. For example, when things have gone wrong, a post incident review will ask ‘what would have prevented this?’ with the answer being added to the list.
It’s an approach that makes sense because we all ‘know’ prevention is cheaper and more effective than cure. And while a good post incident review also looks at how the incident came to light and how effective the response was, because we ‘know’ prevention is better that focuses our energy on coming up with ways to avoid the same thing happening again.
There are now lots of preventative controls. This isn’t a bad thing, but the reality for many organisations is they exhaust their resources before they can implement every control on the list.
The fact cyber security managers don’t have enough budget to do everything they would like is not exactly a new insight. However, it does reinforce that we need to be more selective about where we put our resources.
The bad guys like easy wins too
If, for whatever reason, your organisation becomes a target for a cyber adversary they will develop an attack plan which disarms or bypasses as many of your defences as possible. To take this threat seriously is to understand you are dealing with a thinking human being who will seek to target your organisation where it is weakest. As Chinese military strategist and philosopher Sun Tzu put it ‘You may advance and be absolutely irresistible, if you make for the enemy’s weak points’.
Watching some of the best penetration (pen) testers work, they are frighteningly good at rendering most of your security investment irrelevant by carefully choosing their tactics and targeting weak spots.
What’s wrong here?
Often I see customers respond to a pen tester finding weaknesses by asking the question ‘how do we prevent this?’. It’s a fair question but I think it misses a greater point. As I noted in ‘A Slice of Reality’ pen testers are going to pick one angle and attack you through it. But chances are this wasn’t their only point of attack. And when customers are asking themselves how they could have prevented an attack, they should probably ask ‘why didn’t we detect this?’ first.
The idea prevention is better than a cure appears to be the product of three key beliefs:
- Prevention is more effective and economical.
- Preventative controls are based on learned experience making them the best response.
- It is possible to predict the paths an adversary will use to attack and block them off.
I suspect our belief in prevention is founded in its everyday application to environmental risks (e.g. medicine, health and safety), where it is very effective. However, slippery floors don’t willfully try to trip people up.
Points two and three from above both assume we understand the attack surface and can devise preventative controls to close every opportunity. This thinking largely holds true in well controlled environments such as aviation security where change is slow and the problem space well defined. But, even there you can often bypass controls with new tactics as we saw during the attack on the World Trade Centres in New York on 11 September 2001.
The fortress is gone
In the cyber domain the attack surface is already big and our appetite for innovation means it continues to grow. And while getting cyber security built in at the start will head off many problems, we are still left with a blind spot from believing we can predict the paths an adversary will use to attack.
The problem is the cyber security sector can’t even keep up with vulnerabilities discovered in existing technologies, let alone predict the vulnerabilities new technologies and innovation will bring. Our industry is chasing a moving target and I worry it is getting further and further away.
Finally, my experience is preventative controls can be brittle. They are strong if tested in the way the original designer foresaw, but often weak and easy to break if flexed or tested in an unexpected way. And while useful work has been done to reduce blind spots, it seems to result in more complex controls which consume more resources to design, deploy and operate.
If prevention has its limits then what other options do we have?
Usually deterrence plays an important part in regulating and controlling behaviour in adversarial situations. However, deterrence can’t be effective when you don’t know who is responsible, and it takes only modest effort for an adversary to conceal their location from all but the most well resourced ‘targets’.
Deterrence is also not very effective if an attacker suspects their activity will go unnoticed. And sovereign issues and laws restrict the actions governments can take to deter an attacker placing another limit on its effectiveness.
Be flexible and fast
A credible detection and response capability compensates well for many of the shortcomings of preventative controls.
Where preventative controls can be slow to adapt to changing tactics, detection and response controls are flexible and agile. Where preventative controls tend to provide feedback to adversaries about whether or not their attacks are succeeding, detection and response capabilities can operate quietly betraying little about how they work, what they look for, what they know and how they plan to respond.
Detection and response has its shortcomings too. It is labour intensive and can become over utilised very quickly. Once your hunters don’t get time to hunt they are achieving little more than an automated report would. But good use of preventative controls will eliminate most of the internet noise, bringing the volume down to a level where the detection capability genuinely has time to search for interesting and unusual occurrences.
Building a credible detection and response capability is something I’ll discuss in the future but for now here are two hints — it doesn’t involve a wall full of TVs and there is no off the shelf solution. But it isn’t hard if you assemble the right know how.
I’m not suggesting cyber security strategists abandon preventative controls. However, I become more and more convinced we have the emphasis in the wrong place and need to pivot more of our resources to building better detection and response capabilities.
See Clem’s follow-up blog on building a credible detection and response capability.
cyber security adviser at the DTA