There’s currently so much emphasis in the cyber security market space on after-the-fact visibility into what bad things just happened. So much energy, time, money, strategy and dialogue about it, writes Scott Scheferman. The trouble is, it comes at a cost. For every moment we spend reacting, tracking down root cause analysis, examining forensics, peering at visibility, offsetting risks, running playbooks and all the rest, we lose a moment to forge ahead.
Some commentators argue that prevention has failed us and, hence, we should retreat into reactive after-the-fact strategy and tooling. How many times must the bells of resilience and acceptable risk ring in our ears? Those concepts serve the business, and they’re most certainly needed for us to message internally to other C-Suite, directors, investors and customers alike, but these are not the concepts that should form the premise of our cyber security strategy as CISOs and SECOPs.
Do we not realise the starkest of outcomes? Even if we were are able to have perfect visibility, perfect forensics, perfect root cause, perfect cyber insurance, perfect human expertise and perfect cloud-based intelligence and visibility, we still wouldn’t solve the one thing that will always overwhelm and outpace those controls.
Visibility after the fact: a losing position
Here we all are. On our heels, drowning in alert data, suffering from analysis paralysis and witnessing the burnout of even the greatest minds we have in our industry.
Here we are as an industry that continues to pour money and investments, time and strategy into a massive security stack that strains SECOPs to the brink. We’re digging ourselves into a hole that we may not be able to dig ourselves back out of if we don’t rapidly shift strategic focus.
Here we are thinking that hunting for threats already running in the environment is somehow proactive, empowering or, worse still, sexy. If you are hunting around in an after-the-fact universe of events, you are not the hunter. You are, by definition, the prey.
Here we are still chatting about breaches because those are easy to tally the per-unit impact for, and subsequently offset via insurance. A 2013 story that we are still wrapping our heads around as if tomorrow’s breaches will be the same low and slow TTPs we fancy we might hunt for and be ahead of… By days? Weeks? Hours, even? Why would tomorrow’s breach need take any longer than today’s destructive worms?
Why would the same threat actors not employ both data theft and destruction into the same campaign? Oh wait, they already have been for the better part of 2019…
The cloud: no place for threat hunting
Here we are, caught up in the Herculean move to the cloud, but are we stopping to assess some of the most fundamentally basic weaknesses it will always have? For all of its virtues, the cloud will always be latent when it comes to addressing run-time threats on traditional IT endpoints. Even all the workloads we are moving to the cloud still have run-time security challenges that can outpace a cloud-to-cloud connection.
The cloud will always be a tethered affair. The cloud will always be on someone else’s steel, upon which there are up to 100 sub-operating systems, half of them Linux, and a large percentage of which have full access to the bus the OS is forced to entrust. The cloud will never be where your users are… the humans you are striving to protect. The cloud is homogeneously strong, and yet homogeneously weak.
Most importantly, the cloud is a temptation. A temptation to build out intelligence platforms. While it will always exceed in this capacity, it can never guarantee that the intelligence needed to make decisions and take actions faster than an adversary will be computed and delivered in time to actually make a difference in stopping today’s automated threats.
The key challenge for all security going forward can be reduced to this: can you make a high enough confidence decision or allow a high enough confidence automated action, fast enough to matter, and without reliance upon a tether to the cloud?
By next year, over 95% of all new vehicles will have autonomous automatic braking. Ask yourself why this is so. Of course, the answer is because machines react faster than humans, never lose attention and never tire. Now consider whether you would buy a car where this life-saving technology was being farmed out to a cloud server rather than being done locally on the machine.
The point is we use the cloud where it makes sense to do so, and not where it doesn’t. Why would anyone think it makes sense to try and beat malware anywhere else but on the machine right where the malware is located? The cloud has an underbelly exposed to many swords, chief among them being the time penalty itself.
Winning on the device
As this industry heads into 2021, let’s make sure we’re lucid in this one critical regard. We know that attacks have entropy, that they devolve into a fog of war, that they expand and that they cause exponential impact to an organisation as every minute, every moment, goes by.
Yet here we still are, heading into the year 2020, and we haven’t solved the single most important challenge of our era: the process-level microsecond run time universe in which the adversary has always had the upper hand. They’ve been ahead of us there, and they’ve enjoyed being so for far too long. The moment an unauthorised process completes tasks in memory is when we lose security control and are on our heels. Never mind zero days. Call this ‘moment zero’, after which the pain begins.
What exasperates the situation even further is that this type of fast-moving threat is now found in both nation state APT campaigns as well as commodity criminal/underground campaigns, making the sheer volume and diversity of the ‘speed’ problem more profound than ever.
An Emotet-weaponised Word document is clicked and, in under three minutes, over 230 file events happen, 12 network connections to nine malicious hosts are made, 46 new malicious processes spin up and 12 files are manipulated. That’s just on the patient zero host… before the same thing begins to play out host after host in the network and before any secondary payloads or actions by a human attacker are commenced.
This is a code-on-code battle being fought in the time domain of seconds and microseconds. Yet we see breach reports like IBM’s 2019 ‘Cost of a Data Breach Report’ exclaim that the average time to identify a breach is 279 days… a far cry from the 171 seconds (22 seconds for Emotet and 149 seconds for its payload) that it takes Emotet to cause a severe impact. The same report offers hope, reminding us that we can save $1.2 million on average simply by containing the breach in under 200 days. Great. It will only cost you $2.7 million at that point!
All of this is orthogonal to the core challenge at hand. We need to be ahead of threats whether we’re talking about ransomware or worm incidents that cost us $75 billion per annum, or we are talking about after-the-fact breaches that cost us another $16 billion per annum, or both.
The age of the slow-moving breach story has come and gone. Now, we must shift our strategies towards the current and future threat landscape and realise that every minute we spend tooling for the after-the-fact past is a minute lost in being ahead of the adversary in ways that actually move the needle.
In our quest to become merely ‘resilient’, we’ve exhausted the traditional means of risk offset, hindsight due diligence and after-the-fact busyness. We’re all collectively at the ultimate precipice. It’s time to leap off and do so out of sheer necessity because we cannot look forward and prepare properly if we’re constantly steeped in the past.
Scott Scheferman is Principal Security Technologist at SentinelOne