It seems that nearly every day there are reports of a new type of security attack or some major security breach. Many more go unreported. Overall, the complexity of information technology architectures and their widely distributed nature encourage novel attack schemes that yield huge financial, commercial, and political rewards.
This blog will look at the security challenge from three different perspectives.
First, security product vendors have their views of how to best address this market. Second, attackers view the challenge as how to best circumvent the vendors’ products. And lastly, researchers and security experts weigh in on why successful attacks occur in spite of the numerous security products available in the market. In this blog post and the next two posts we’ll look at each of these three perspectives and the dynamics between them.
Security Vendors’ Perspective
Security vendors frequently characterize their products as addressing a specific phase of a security attack. At a high level these phases might be called “Before”, “During”, and “After”. This is a logical characterization, as the defense technology employed at each phase of the attack can be optimized for a specific vulnerability. The terminology used here to characterize this three-phase model is largely drawn from Cisco, which provides a good starting point. The NIST model of Identify, Protect, Detect, Respond, and Recover can also be mapped onto the three phases.
Actions appropriate to the “before” phase can be characterized by the phrase “Discover, Enforce, & Harden”. In the “before” phase, offerings include firewall, patch management, application control, vulnerability management, VPN/encryption, and network access control. These products cover the critical “protective” steps.
Actions appropriate to the “during” phase can be characterized by the phrase “Detect, Block, & Defend”. In the “during” phase offerings include intrusion protection, anti-virus, and email/web content filtering. Here the attack is in progress or just a “click” away.
Actions appropriate to the “after” phase can be characterized by the phrase “Scope, Contain, & Remediate”. In the “after” phase offerings include intrusion detection, log management, and SIEM (security information and event management).
It is obvious that this three-phase approach, with well-defined functions assigned to each phase, provides an excellent model to support a wide range of product offerings. This is a product manager’s dream scenario, as each product can have a well-defined feature set whose value can be easily communicated to potential customers. The product can be optimized for the specific defense type it provides, and unrelated vulnerabilities do not have to be addressed.
This segmented approach addresses the “necessary” aspect of the problem, but is it “sufficient”? The answer to this is largely dependent on the value of the target. For example, a residential or small business wireless router typically does not sit in front of the same pricey equipment and highly valued assets as the network of a financial institution or government organization. The cost and complexity of providing protection should match the “value” of the assets being protected. The obvious risk is a possible mismatch between the level of protection and the value of the assets. And even here there is the case where a large number of low-value endpoints (say, thousands of personal computers) are breached and federated into a much larger attack (e.g. DDoS).
However, sophisticated attackers are only interested in the success of the attack and will typically craft the attack to span all three phases mentioned above: “Before” – probe the target to identify weaknesses; “During” – launch the attack; “After” – clean up evidence of the target having been breached, or leave the threat in place undetected. The attacker’s perspective will be examined in the next blog post.