There's been a significant shift in cyber-attacks over recent years. Although we often call this change an increase in sophistication, it's really a response to how security strategies have been developed and executed. Vendors looked at the traditional "protect, detect and respond" chain and specifically targeted one element as they sought to build their market presence.
The reality is that we need a more complete defence, one that handles all three elements of the threat chain.
"We don’t see it as an exclusive choice. Prevent is still about a known bad," says Ian Farquhar, a distinguished engineer at Gigamon. "Frankly, if you make a block decision and get it wrong you're going to have a business impact and that's a very quick way for a security tool to fail".
Farquhar says the idea we can detect every threat out there is symptomatic of the Halting Problem first described by Alan Turing. This is the problem of determining, from a description of an arbitrary computer program and an input, whether the program will finish running or continue to run forever.
However, we are seeing the rise of prevention-based security, says Farquhar. "We have systems now fast enough to keep up with 10 Gbps networks. On the other hand, we are now moving to 40 and 100 Gbps networks so we will lose the ability to do that".
Farquhar says we are seeing tasks traditionally carried out on endpoints moving to the core.
"We're seeing detect moving into the core. And we're seeing prevent moving to the core. There are core deployments of IDS-like devices because detection is really a problem of detecting some sort of signal. The amplitude of that signal at the edge of your network might be extremely low. On the other hand, the attack, once it's inside your network might be much easier to see."
One of the big challenges when countering cyber threats is the power imbalance. The bad guys can try to breach you thousands of times and they only need to succeed once. You can defend thousands of attacks but if one gets past your defences you're deemed to have failed.
But Farquhar sees things a little differently.
"Once an attacker is on your network they become a defender. It's our job to become the attacker and attack them and turn the tables. The more visibility we have, the more we can see, and the more evidence we have the harder it gets. They can try to emulate a bunch of normal behaviours but that's a high bar to meet to infiltrate an organisation".
Farquhar says all threats have to eventually traverse the network so it's the ideal place to detect malicious activity and stop it from causing damage.
"We're looking for anomalies," says Farquhar. "Things that aren’t meant to be there. Port scanning, unusual behaviour, unusual times of access, unusual location, traffic patterns that don’t conform to a known pattern of behaviour".
Another thing to look out for is the use of unexpected certificates. This assumes good internal discipline over which certificates the business has deployed, because against that inventory the presence of an unexpected certificate is a strong indicator of threat and breach.
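As an added example (not from the article or from Gigamon), here is a small Python check that applies three of the signals Farquhar lists to constructed connection records: certificate fingerprints outside a known inventory, access outside assumed business hours, and port-scan-like fan-out from one source. The inventory, records, business hours and scan threshold are all assumptions made for the example.

```python
"""Toy anomaly checks over constructed connection records.

Flags three signals discussed on the page: certificates outside an
approved inventory, access at unusual hours, and port-scan-like fan-out.
Every value below is a constructed sample, not real data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed inventory of certificate fingerprints the business knows it
# deployed (placeholders, not real hashes).
KNOWN_CERT_FINGERPRINTS = {"sha256:KNOWN-CERT-1", "sha256:KNOWN-CERT-2"}

# Constructed records: (timestamp, src, dst, dst_port, cert fingerprint or None)
SAMPLE_RECORDS = [
    ("2023-03-01T09:15:00", "10.0.0.5", "10.0.1.20", 443, "sha256:KNOWN-CERT-1"),
    ("2023-03-01T10:02:00", "10.0.0.5", "10.0.1.21", 443, "sha256:KNOWN-CERT-2"),
    # unknown certificate presented at 03:40, outside business hours
    ("2023-03-01T03:40:00", "10.0.0.9", "10.0.1.20", 443, "sha256:UNKNOWN-CERT"),
    # the same source then touches 20 distinct ports on one host within a minute
    *[("2023-03-01T03:41:%02d" % s, "10.0.0.9", "10.0.1.30", p, None)
      for s, p in enumerate(range(20, 40))],
]

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal access
SCAN_PORT_THRESHOLD = 15       # assumption: this many distinct ports looks like a scan


def find_anomalies(records, known_fps=KNOWN_CERT_FINGERPRINTS):
    """Return a dict of signal name -> set of flagged items (deduplicated)."""
    findings = {"unexpected_certificate": set(), "unusual_time": set(),
                "port_scan_like": set()}
    ports_seen = defaultdict(set)
    for ts, src, dst, port, fp in records:
        if fp is not None and fp not in known_fps:
            findings["unexpected_certificate"].add((src, fp))
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            findings["unusual_time"].add(src)
        ports_seen[(src, dst)].add(port)
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings["port_scan_like"].add((src, dst))
    return findings


if __name__ == "__main__":
    for signal, items in find_anomalies(SAMPLE_RECORDS).items():
        print(signal, sorted(items))
```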
There is also a conflict between the way security teams and network teams are measured. For the network team, availability is king, whereas the security team may be less concerned with uptime. When an inline security tool has the potential to stop the LAN, network engineers are reluctant to hand over that level of control.
This leads to the business making decisions about whether it's more important for the network to be up or to be secure. Farquhar says he has clients who prefer to have the network down if it is not being monitored, while others assess their risk differently.
Although all this delves into the technical side of cyber protection and response, Farquhar has seen a major shift during his two decades in the industry. The C-suite is now very interested in security as it has a significant bearing on business execution and success.
Farquhar sees that the focus is still on the consequences of cyber-attacks rather than the potential benefits of a robust and secure infrastructure.
"I can't say I have ever seen an organisation in Australia boast about how secure they are in any rational way. Banks used to talk about how secure they were but we don’t see people doing that around cybersecurity".
Company maturity, when it comes to cyber risk, is changing, but there are still companies out there, says Farquhar, who take a "head in the sand" approach and believe they don't have any risks. Others believe there is a product that will protect them, while more mature organisations take a more nuanced, risk-based approach to how they assess and manage cyber threats.