In a recent article, I co-wrote that there would be follow up with articles about the foundations of security. While many professionals have their own philosophies, fundamentals and best practices that sometimes might be conflicting, there are commonalities. In the first article in this series, we want to cover the security triad of protection, detection, and reaction.
Most people learned the triad of confidentiality, integrity, and availability—or CIA. In general, CIA is useful in that it provides a general framework for the functionality required of a security program. In other words, what are the end goals? While these goals clearly have a valuable purpose, they do not however provide a framework for achieving those goals.
As discussed in my new book, Advanced Persistent Security, comprehensive security programs implement a coordinated protection, detection, and reaction effort. This paradigm comes from our days working on studies for the Office of the Secretary of Defense on information warfare. Today information warfare is referred to as computer network operations (CNO), which is comprised of computer network attack (CNA), computer network exploitation (CNE), and computer network defense (CND).
CNE is essentially cyber-espionage. The simplified way of saying it is that CNE involves stealing information, or compromising confidentiality. Besides of the compromise of the information, there is not otherwise direct harm to the operations of the organization. CNA involves manipulating data, computers, and networks to cause harm to your adversary. For example, it could involve taking down a network. It could also involve changing data, such as missile targeting, so that enemy missiles would attack their own territory. CNA targets a compromise of integrity and/or availability.
CND intends to thwart an adversary’s attempts of CNA and/or CNE against your own organization. To accomplish this intent, there is the triad of protection, detection, and reaction. A good program must implement a robust effort for each component of the triad.
When you consider this thought, you can then understand that most security programs fail, because they are fundamentally protection programs, and not security programs. They attempt to implement robust protection, however detection, and therefore reaction, are just afterthoughts. Most security programs patch on detection, as many IT programs patch on security after the fact.
To implement a comprehensive security program, you must assume that your protection mechanisms will eventually fail. A bad guy will break into your network. An employee will lose a USB drive. Users will obtain access to data they should not access. A virus will get on your network. While this is not desirable, it is however expected. In one form or another, protection will fail, and that is ok.
What is not ok, however, is for the failure of protection to go unnoticed. There are many recent notable attacks that went undetected until significant damage was done. The OPM hackers apparently went more than a year without being detected. North Korea was able to download mass volumes of sensitive files, movies, etc., while planting malware throughout the network and went undetected until they made it obvious. The Target hacker clearly performed reconnaissance throughout the network, plant spyware on point of sale systems, exfiltrate large volumes of data, and went undetected. Target only acted on the attack after Brian Krebs was tipped off by a bank employee that Target was the apparent source of a major credit card breach.
The average “dwell time” of an attacker on a network, before they are detected, is 200 days. For there to be an acceptable security program, there must be a detection program in place that is as robust—if not more robust—than the protection program.
Clearly, once an incident is detected, there must be an appropriate reaction. Ideally that reaction not only inhibits the attacker, but also improves the overall security posture. A coordinated detection and reaction program will feedback into the protection program to make it stronger.
The key issue to consider is that while you want to keep your adversaries out, your security program doesn’t fail until the adversary accomplishes their goals. If you can detect and react to them, before they accomplish those goals, your security program succeeds, while the adversary fails.
This does not however mean that there is no damage when protection alone fails. Clearly, there is a cost to reacting appropriately. You will spend time to investigate what has happened and how they got in. You will have to assume that they might have planted malware or manipulated the systems, and you have to reinstall and configure the appropriate systems. This is still better than the costs that would be incurred if the attacker were able to damage systems, steal information, or do whatever else they desire. The cost savings are likely to be exponentially greater when you can stop the adversaries from achieving their goals.
For example, if the Target hacker had been stopped before they were able to download 110,000,000 credit card numbers and other sensitive data, there would still be the cost of ensuring the integrity of the systems, but there would not be more than $150,000,000 in brand damage, legal settlements, etc.
Protection, detection, and reaction should all be treated as equal aspects of a security program. Again, it is inevitable that protection will fail, and if you don’t adequately prepare for that, you might be the next headline.