Are Detection and Response Enough in Today’s Threat Landscape?



Taking a closer look at a question that has been at the forefront of security professionals’ minds recently: are detection and response enough?

Many people are talking about what is considered by many security professionals (SOC analysts, security analysts, incident responders, forensic investigators, and threat intelligence researchers) to be one of the great debates in our industry today: Whether or not detection and response are enough to combat the threats being presented and/or experienced within the modern threat landscape. This is perhaps one of the greatest questions we face today in the fight to defend and secure our enterprises and personal computing environments.

Let’s start by taking a look at traditional threat mitigation solutions. There are many forms of detection and defense available within the market today and one could argue that for some of the less intelligent implements in their lineage extend back almost 30 years. With respect to the network we’ve seen and adopted solutions such as firewalls (which have evolved significantly throughout the last 15 years from basic ACLs, packet filters, stateful inspection driven engines and beyond). We’ve also seen the introduction and adoption of intrusion detection and prevention devices designed to first sit passively within the network in order to monitor anomalous and/or malicious traffic that “matched” something (signatures, regex, vulnerability data, etc.) defined and designed by the research teams powering those solutions. In some cases, those research teams were initially comprised of loosely knit confederations of users contributing what have been regarded as “effective” open source solutions.

Eventually these solutions gave way to the introduction of inline appliances which “changed the game” in network defense and security by “blocking” suspicious, anomalous, and malicious traffic and applications. Still other solutions were introduced to the network to further address the issues not addressed by these previously defined solutions. Some of these included, but were not limited to: SMTP mail gateways, web traffic content filters, and solutions designed to “make sense of it all” by introducing aggregation, normalization, and analysis of data collected from these disparate security platforms.

Later generations of network defense would include forensics-driven platforms which much like their earlier contemporaries; specifically intrusion detection and prevention solutions enabled visibility within the network complimented by threat intelligence that would enable security practitioners to first become aware of the threats present within and attempting to compromise their network environments, and second enable them to respond through the intelligent update of the solutions previously mentioned. Eventually new innovations were introduced which captured entity behavior via analytics which focus on the use of previously existing credentials and other information pertaining to authorized users within the enterprise environments.

Similarly, many defensive strategies and technologies were designed to mitigate threats at the endpoint. In many instances these were designed to address the failures in our network strategies and technologies. The earliest generation of these types of defensive technologies focused on pattern matching malicious code and content.

As mentioned previously some of these technologies have been in existence for almost 30 years, and though evolution and innovation have occurred within these platforms they are, at their core, still performing pattern matching. Why? Because for known threats there is a high likelihood that this will be both sufficient and cost effective for the environments utilizing the technology today. Furthermore, though they are sufficient and successful to a degree (the numbers vary with respect to efficacy), the vendors soon realized that they required different technologies to address the threats associated with local hosts. This lead to the introduction of what was originally known as the “personal firewall”, and later saw the introduction of host-based intrusion detection and prevention (HIDS/HIPS) solutions, along with anti-spam, anti-potential useless programs (PUPs), rudimentary behaviorally driven “signatureless” antivirus solutions, application controls, application whitelisting, data loss prevention techniques (file monitoring, device control, etc.), and encryption.

So back to the question, are detection and response sufficient for addressing the threats being presented and/or experienced within the modern landscape? My belief is that the answer is not on their own. A new era is here in the fight to defend and protect our enterprises and endpoints. It is dependent upon purpose-built applications designed to enable the SOC analyst, the security analyst, the forensic investigator, the incident responder, and the threat intelligence analyst with a “new form” of detection and response. One that takes into consideration those things which in many cases were over looked, left unattended or simply out of scope for many traditional defensive security technologies. From my perspective it is imperative that we couple these traditional technologies with this next generation of detection and response in order to create a cycle of mitigation which takes into consideration detection, response, prevention, and remediation.

Here at Digital Guardian, we are embracing a philosophy which is enabling us to do just that. We are focused on and dedicated to addressing the challenges that our current and future clients are facing from a threat-driven perspective by embracing and developing new technology which allows us to take a threat aware data protection stance. Our traditional products are known as being the best of breed from a data protection perspective on the endpoint and at the network level. With our Advanced Threat Protection products and services, we are striving to provide even greater visibility and awareness of threats within the threat landscape while also providing effective means for response, mitigation, and remediation. We believe that failing to do so would place our current and prospective clients at risk, ultimately leading them to fall prey to evolving threats which are being seen and noted daily by security professionals the world over. Threats which traditional security technologies fail to address and mitigate on their own.

Will Gragido

WHITEPAPERS

Stopping Cyber Threats: Your Field Guide to Threat Hunting

Will Gragido

Will Gragido is a seasoned security professional with over 20 years’ experience in networking and information security. Will’s extensive background is the result of his service as a United States Marine, a consultant with the world renowned International Network Services, Internet Security Systems (now IBM ISS), McAfee, Damballa, Cassandra Security, RSA Netwitness, Carbon Black, Digital Shadows and now Digital Guardian where he leads the organization’s Advanced Threat Protection Product Line as its Director.