The NIST Cybersecurity Framework has five categories for enterprise security: Identify, Protect, Detect, Respond, Recover. There is a lot of focus on Detect and Respond as the new shiny. Let’s be honest, every company should be doing their due diligence in all five of these categories. While traditional protection controls are less effective, we still need to be doing what we can to identify and protect (let’s face it, we used to rely on static antivirus and today it is laughable to suggest static AV is anywhere adequate protection for endpoints).
I’ve heard people say that we don’t need defense in depth, we need to detect in depth. I’m not sure what that means. I agree we need to do a better job of detecting faster and responding better, but we only have two options here, DEFENSE and OFFENSE. I really don’t hear enterprise CISOs suggesting we attack back. Not sure the general counsel would agree on that either.
I also don’t care about attribution. Our government should care, and maybe if you are in a sector where there are lots of nation state campaigns. I know first hand that most companies don’t see a ROI in attribution. We don’t care that it is a nation state actor. We care a little about what they are after if it helps refine our threat models, but even then the ROI is poor. The only OFFENSIVE techniques that may be worth investing are disinformation (give them fake accounts or fake M&A documents) and deception (fake accounts, fake servers… next gen honeypot stuff). Hacking back, even if Congress passed a law allowing it, is of little interest to 99% of the companies out there.
That leaves us with defense in depth. We are not actively attacking the adversary. We are providing a series of mitigating controls to reduce our attack surface and hopefully reduce our signal to noise ratio, while raising the economic cost and difficulty (and give them more noise) for the adversary. We focus on risk and we utilize people, processes and tools. Technology is not a silver bullet, however technology can help us be more effective where just throwing more people at the problem is a losing proposition. In some cases, automation and AI (better intelligence closer to the problem/data) really is a force multiplier, but I get off track….
A subset of our DEFENSE is: Identify, Protect, Detect, Respond, Recover.
PROTECT is very important. It should mean that we are taking the P,P,T approach to shore up our defenses. Do the blocking and tackling. (In identify we identify gaps and vulnerabilities…) so we need to patch, set standard baseline configurations, adhere to a risk and security framework, etc. Protect also can include PREVENT. Prevent is never 100%, but you must do it (see: blocking and tackling). You try to prevent the bad stuff. You try to prevent known things, and maybe as AI/ML gets more mature, we’ll even prevent some of the bad actors from succeeding with the known unknown and the unknown unknown. That never reaches 100% efficacy, but in a Bayesian approach, layered security controls have higher efficacy. This is DEFENSE in depth.
The adversary is going after something of value. Either to steal, modify or destroy your data for various ends. Penetration is not the end of the road. They still need to exfiltrate. This is where DETECT and RESPOND comes in (and then RECOVER later, with a root cause analysis and process improvement, etc.)
What we should be emphasizing is not that detect and respond is better than protect. Both protect and detect/respond are trying to reduce loss. Same goals, different play books and tools. With a risk-based strategy and feedback mechanisms to ensure you are optimizing your value to spend, you decide what the mix of protect and detect/respond is for your organization. (It’s always about the context.)
We will never fully prevent all security attacks from succeeding, but we can prevent some, detect and respond better to others, and overall raise the economic cost for our adversaries. Security is not a destination, we will always be on a journey to defend against the next exploit and the next guy with a chip on his shoulder.