Executive Summary
On the occasion of the 12th U.S. National Cyber Security Awareness Month, threat prevention has come back to the forefront as something the community is rediscovering and treating as an innovation. We used to do it as a matter of course, then lost our way for a while. Today, smart network defenders understand that threat prevention is inextricably linked to detection and mitigation: you should not have any one of the three without the other two.
Introduction
Twelve years ago, the Department of Homeland Security designated October as National Cyber Security Awareness Month for the United States. [1] When I noticed that this year’s installment was approaching, I began to wonder whether there were any new developments in the cybersecurity community of which most people were not aware. Part of my job is to travel around the world talking to smart people about how they do security, and it has been an education these past two years. Every network defender I talk to does it differently, and they all have good reasons for their differences. But one thing is clear to me: most do not realize that there is a quiet revolution going on right under their noses. The cybersecurity community is rediscovering the idea that threat prevention is an essential piece of the overall defensive strategy for any organization.
A Little History
When I started in the industry some 25 years ago, all we had in our toolbox were threat prevention controls, tools designed to block known badness before it did any harm: stateful inspection firewalls, intrusion detection systems and antivirus engines, to name a few. Sometime in the mid-2000s, innovative companies started selling some very good niche products that could detect adversaries once they had breached the typical threat prevention defenses we all had deployed in our networks. Some of these new tools were very good, and we started finding all kinds of bad guys in our systems.
In January 2010, Google disclosed that state-sponsored cyber espionage adversaries had attacked it, one of the first times a major commercial company voluntarily went public with that kind of information. [2] Before the Google attacks, referred to in the press as Operation Aurora, no commercial company would dare admit publicly that a cyber adversary had successfully breached its network. Common wisdom in the industry at the time was that such an admission would wreck the company’s bottom line by damaging its brand. But with Google’s public admission, and with state breach notification laws now on the books in nearly every state [3], it seems you can’t get through a week of cybersecurity news today without one or two companies announcing that they have been breached.
Somewhere between the Google attacks and today, the security vendor community threw up its hands in dismay and declared that it was not possible to prevent bad guys from penetrating our networks. Our only hope, they said, was to detect them quickly once they had succeeded and eradicate them from the network as soon as possible. In effect, the vendors declared that threat prevention was dead and that detection and mitigation were all that remained.
That is the dumbest notion I have ever heard.
Threat Prevention as a Rediscovered Innovation
We can absolutely stop most of the known badness that black hat adversaries throw at our networks. We can’t stop all of it, for sure, but we can stop most of it. As a network defender, why would you leave that option off the table to simply rely on a detection and mitigation strategy? That obvious question has started to pop up on the radar of many network defenders whom I have talked to this year.
My CTO, Nir Zuk, is fond of saying that, if you are okay with the idea that some adversary will steal your most precious secrets right out from under your very noses, and your risk mitigation plan involves noticing that they were there after they are gone, then you should probably consider another line of work. [4] And he is absolutely right. When you say it out loud like that, you realize how crazy that sounds.
What I have noticed this past year is that the cybersecurity community has come back around to the notion that threat prevention is a fundamental element of any network defender’s plan. It has to work hand in hand with the other two requisite pieces, detection and mitigation, but it cannot be left out. All three are necessary to the plan, and none is sufficient by itself. Smart network defenders never abandoned this idea. The rest of us are just now rediscovering it.
Conclusion
As I reflect on the state of cybersecurity during this 12th U.S. National Cyber Security Awareness Month, threat prevention comes to the forefront in my mind as something old that is new again. As I travel around the world talking to smart people about security, this is what they are talking about: threat prevention is essential to any defensive program. It is as important as detection and mitigation, but more to the point, network defenders should not choose one over the others. They are inextricably linked.
Sources
[1] National Cyber Security Alliance. 2015. “National Cyber Security Awareness Month.” StaySafeOnline.org. Last visited 28 September 2015.
https://www.staysafeonline.org/ncsam/about
[2] Zetter, Kim. 2010. “Google Hack Attack Was Ultra Sophisticated, New Details Show.” Wired. Last visited 28 September 2015.
http://www.wired.com/2010/01/operation-aurora/
[3] National Conference of State Legislatures. 2015. “Security Breach Notification Laws.” National Conference of State Legislatures. Last visited 28 September 2015.
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[4] Zuk, Nir. 2015. “Only a Platform Can Prevent Attacks.” Ignite 2015, Palo Alto Networks. Last visited 28 September 2015.
/blog/2015/05/nir-zuk-at-ignite-2015-only-a-platform-can-prevent-attacks/