There is an adage in sports that defense wins championships. The premise behind the axiom goes something like this: Having a strong defense will keep your team in the game even on days when the offense is underperforming.
In addition, stout defense allows the offense to take greater risks when it has the ball and can set them up with more frequent scoring opportunities.
While the media loves spouting the cliché, especially around playoff time, statisticians don't exactly buy into this long-held sports truism. Their argument, after crunching the numbers, is that offense and defense indeed bear equal responsibility for winning championships, as well as individual games.
Back in the 24/7/365 stadium of information security, where the factors at play are far more complex, mysterious and volatile than sports contests that have a clear-cut beginning and end, most agree that defensive and offensive approaches are both necessary to impede today's sophisticated cyber foe. How much credence you lend to each depends on, among other things, the resources you have at your disposal and a thorough understanding of your security risk strategy.
At the end of the day, though, traditional defense still reigns king across organizations. This is generally a problem for two reasons:
- A mature security posture requires considerable focus on detection and response: Disproportionately concentrating your efforts around keeping attackers out and satisfying compliance requirements results in nothing more than an exercise in reshuffling the deck chairs on the Titanic. Sooner or later you are going down. The question is when.
- You end up investing too heavily in point solutions - and some never even get utilized: There are few things the booming security industry does better than create point solutions for the latest threat. This often sounds great on paper, but if you take the bait every time, you end up having so many appliances, with not enough skilled personnel to properly deploy and manage them, that you actually end up undermining your security amid a sea of complexity.
As Trustwave SVP of Managed Security Services Chris Schueler explains in a recent op-ed for Infosec Island: "These mismanaged and disjointed solutions ultimately end up generating more risk through visibility gaps, while organizations become complacent…The result of such practices means businesses often ignore parts of attack cycles and end up missing threats altogether. Action is then slowed by a mitigation and remediation process that wastes time on looking for the threat, isolating it and understanding it in order to respond. By then, it's too late."
"It's too late." Those are three words you never want to hear when it comes to a security incident: that you have no actions left to take except to begin the dreaded, ignominious walk to your board and customers to apologize - even as your fate may have already been decided.
Bear in mind, defense is still plenty necessary to confront low-hanging fruit and to avoid opening a permanent door into your organization. But knowing what we now know about the proclivity of attackers to sneak through defenses - by orchestrating clever social engineering ruses or using your own legitimate network resources against you - you must get more aggressive and grow your playbook.
The goal may not be to stop every attack, but to discover, contain and eradicate them before they can cause irreparable harm to your business operations.
It is time to put on your coach's hat and revise your playbook. What should it include? According to the SANS Institute, the five elements are:
1) Architecture
Foundation is important. Your corporate security framework should include policy, network architecture, and systems design and maintenance. The goal here is to harden your databases, networks and applications to minimize the attack surface. This also involves having a plan in place to address vulnerabilities, for which you should test - not guess.
2) Passive Defense
The components here are layered to your security design to provide defense or insight without consistent human interaction. They may include basic endpoint security such as anti-virus and anti-malware, firewalls - of the network and web application variety - and intrusion prevention and detection.
3) Active Defense
The final word of the previous section - "detection" - begins to play a bigger role here. Active defense includes activities related to the monitoring of threats, responding to them and providing what you learn to your internal environment. Here is where you use solutions like SIEMs, penetration testing and incident readiness and response - all supported by a round-the-clock security operations center using a combination of threat intelligence, big data analytics and advanced security automation tools.
4) Intelligence
You should assume compromise, so this is where your biggest moves are made. In what is known as threat hunting, trained and experienced analysts manually - while using automation for repeatable tasks - comb through intelligence to filter out the noise and identify real anomalies, unauthorized access and malicious activity. They collect data, compare competing intelligence and produce actionable insight.
5) Offense
While you can run into any number of issues if you decide to retaliate against your adversaries - from misattribution to collateral damage to illegality - there are "offensive" stances you can take that limit the risk of unintended consequences. Legal countermeasures and appropriate self-defense include contacting and cooperating with law enforcement to help dismantle command-and-control infrastructure.
The aforementioned skills shortage will put a big damper on accomplishing this blueprint, as deeply proficient humans are necessary for advanced security operations and analytics such as threat hunting. But managed security services providers that offer the requisite expertise and resources can help close those gaps and enable you to run all your plays.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.