In an earlier blog this year, I compared the concepts of cybersecurity and cyber-resiliency, arguing that the main difference between the two is one of perspective. Cybersecurity is centered on the idea that attacks can (and should) be prevented while cyber-resilience acknowledges that some attacks will go through, and that organizations must prepare to deal with the consequences quickly and effectively.
Many examples in recent years demonstrate that not 100% of increasingly sophisticated attacks can be prevented. This reality has generated a strong emphasis on detection and response tools in our industry, to the detriment of advanced prevention capabilities. But should we give up on prevention so quickly? Definitely not.
To make sure we are all on the same page, Prevention refers to a broad range of approaches, technologies, and tools with the main purposes of a) reducing the options an attacker has and b) detecting malicious actions before they inflict damage on an organization. A few examples of prevention layers are firewalls, file/disk encryption, patch management, anti-malware, exploit defense and sandboxing. These technologies can be implemented at various levels in the infrastructure. At the network level, the best-known prevention tools are Next-generation Firewalls and Intrusion Prevention Systems (IPS). At the endpoint level, the best known are Next-generation AV and Endpoint Protection Platforms (EPP).
In this blog I will review the key role of prevention elements for both the efficiency and the effectiveness of the overall security architecture. I don’t want to minimize the value of other security capabilities, like incident response tools and processes, but I do want to emphasize that prevention is a key pillar of cyber-resilience and should not be overlooked even if we assume “not if but when you will be breached”.
I often say this, but it bears repeating: To understand the value of Prevention, first turn it off. The best way to explain the contribution of Prevention technologies to cyber defense is by contrasting it with a Detection and Response (D&R)-only approach. For D&R to be effective, besides technology, an organization needs trained security operations staff and well-defined processes in place. There are plenty of examples where an Endpoint Detection and Response (EDR) solution detected suspicious activity and generated alerts, but there was not enough trained staff to analyze the incident in due time. That allowed adversaries to operate undisturbed for extended periods of time. If any element of the triad (technology, people and processes) is not performing, the effectiveness of D&R suffers.
By contrast to D&R, Prevention is automated. Statistically, effective prevention layers are capable of stopping over 99% of all threats (common and advanced) in a fully automated way. Prevention relies on technology alone and, with few exceptions, is a “set-and-forget” element. For example, an EPP solution requires only typical IT admin skills to install and very little assistance while in operation. Because of its automated nature, Prevention is a key contributor to cyber defense efficiency. Imagine a scenario where all security threats, either simple or complex, require the attention of a dedicated security team. This is the worst nightmare of any IT leader who doesn’t have such a dedicated team, and it can be overwhelming even for experienced security analysts. An accurate and effective Prevention solution will enable security teams to focus only on the sophisticated threats and cyber-attacks that truly require skilled human attention.
While efficiency is important, the effectiveness of any security solution is paramount. Long gone are the days when Prevention-based solutions relied only on signatures of known attacks to detect threats, a method that leaves them vulnerable to unknown attacks or zero-day threats. Today’s Prevention employs an extensive set of advanced technologies that are highly effective in detecting the entire range of cyber threats, including attacks never seen before. Some of these technologies are shared with D&R, with the key difference between the two categories being the threshold for detection confidence. When dealing with ambiguous situations, the security solutions calculate a “behavior” score that represents the detection confidence. When the detection confidence is below a predefined threshold, suspicious actions will require an analyst to investigate; when confidence is above the threshold, the solution is certain enough that the activity is malicious and can block it automatically.
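To make the threshold idea concrete, here is an added illustration (not code from the original post or from any product) of a behavior score with two thresholds: an alert threshold that routes ambiguous activity to an analyst, and a higher block threshold above which the action is stopped automatically. The indicator names, weights and sample events are constructed for the illustration; lowering the block threshold shifts work from analysts to automation, and raising it above the maximum score is the “turn Prevention off” experiment from above.

```python
# Constructed indicator weights on a 0..100 scale (assumed for illustration;
# real products derive confidence from far richer signals).
INDICATOR_WEIGHTS = {
    "signed_binary": -30,        # trusted publisher lowers suspicion
    "unsigned_binary": 10,
    "office_spawns_shell": 35,   # document application launching a shell
    "mass_file_rename": 45,      # typical of ransomware encryption runs
    "shadow_copy_deletion": 40,  # destroying local backups
    "network_beacon": 20,
}

ALERT_THRESHOLD = 40   # at/above: ambiguous, hand to an analyst
BLOCK_THRESHOLD = 80   # at/above: confident enough to block automatically


def behavior_score(indicators):
    """Sum the weights of observed indicators, clamped to 0..100."""
    raw = sum(INDICATOR_WEIGHTS.get(name, 0) for name in indicators)
    return max(0, min(100, raw))


def decide(indicators, alert=ALERT_THRESHOLD, block=BLOCK_THRESHOLD):
    """Return (verdict, score): 'block', 'investigate' or 'allow'."""
    score = behavior_score(indicators)
    if score >= block:
        return "block", score
    if score >= alert:
        return "investigate", score
    return "allow", score


def triage(events, alert=ALERT_THRESHOLD, block=BLOCK_THRESHOLD):
    """Count how many events end up in each verdict bucket; the
    'investigate' count is the workload left for human analysts."""
    counts = {"allow": 0, "investigate": 0, "block": 0}
    for event in events:
        verdict, _ = decide(event["indicators"], alert, block)
        counts[verdict] += 1
    return counts


# Constructed sample of endpoint events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "indicators": ["signed_binary"]},
    {"host": "ws-02", "indicators": ["unsigned_binary", "network_beacon"]},
    {"host": "ws-03", "indicators": ["office_spawns_shell", "unsigned_binary"]},
    {"host": "ws-04", "indicators": ["mass_file_rename", "shadow_copy_deletion"]},
    {"host": "ws-05", "indicators": ["office_spawns_shell", "mass_file_rename", "network_beacon"]},
]
```

With the defaults, two of the five events are blocked without human involvement and one goes to an analyst; setting `block=101` turns every score above the alert threshold into analyst work, which is exactly the D&R-only situation the post describes.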
The automated nature of Prevention is important not only for efficiency, but also for the effectiveness of the overall security architecture. There are classes of attacks where immediate response is critical for limiting the impact. The best example is ransomware. When dealing with a ransomware attack, seconds truly matter. There is little value in getting an alert about an ongoing ransomware attack if it takes many minutes, hours, or even days until someone can investigate the threat. The risk of great harm being done in such cases is significant. Prevention layers, by contrast, detect and respond in a matter of seconds or less, minimizing the effects of a fast-evolving attack.
Given the arguments above, it should be obvious that the accuracy and effectiveness of Prevention layers are of high importance, both for the efficiency and for the effectiveness of the entire security architecture. During a keynote at RSA 2021, Anne Neuberger, Deputy Assistant to the President of the United States and Deputy National Security Advisor for Cyber and Emerging Technology, commented on the importance of Prevention: “While we must acknowledge that breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo under which we operate.”
It is hard (or rather impossible) to build a security architecture that enhances the resilience of the organization without strong prevention. This is also reflected in key industry standards like the NIST Cybersecurity Framework, where D&R is preceded by the Identify (risks) and Protect phases. Does Prevention eliminate the need for equally strong Detection and Response? Obviously not! Whether managed in-house or delivered as a service by a Managed Detection and Response provider, D&R is crucial for fighting off sophisticated adversaries that an automated system cannot block effectively. In the next blog I will cover some key considerations on the role of Detection and Response in enhancing Cyber-Resilience.