Information security vendors are telling customers to think in a new way. At the core of their advice is the idea — the admission, if you like — that no matter how good the defences they sell, sooner or later the bad guys will get through.
Trend Micro's version of this advice follows the now-standard narrative. Attacks are becoming increasingly targeted and mumble mumble advanced persistent threats (APTs) Chinese hackers eek. Good-enough security isn't good enough to divert a targeted attack to an easier target — because that's not who they're after.
"If there is some reason that I have something of value, they can and will get in," said Blake Sutherland, Trend Micro's vice-president of strategic markets, at a media briefing in Sydney earlier this month. "The question is, can I put the controls in place that allow me to get visibility quickly and determine who's attacking me?"
Traditional defences were like putting on a suit of armour that didn't have a visor to look through, he said. They tried to stop the attack while doing little to identify the attacker.
The message? Security systems need more than a defensive perimeter or here-and-now real-time traffic analysis. They also need processes for responding to break-ins once they're eventually discovered, and processes for improving the defences to remove the risk of a repeat incident.
"A lot of these new technologies are trying to give you far more information — whereas AV [anti-virus] in the past was just 'Keep it away!' It's bug repellant. Well now we want to know if that mosquito's got malaria," Sutherland said.
Of course a new way of thinking needs some nifty slogans and explanatory diagrams. Trend Micro's four-step model — let's call it D-A-A-R — is typical of the genre.
- Detect the targeted attacks. That means you have to watch and log events to begin with.
- Analyse the attacks to determine their scale and risk, and identify the attacker.
- Adapt your defences to protect against future attacks.
- Respond to the attacker, using what intelligence you've gathered to contain and remediate the threat.
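To make the four steps concrete, here is an added illustration (not Trend Micro's code, and not part of the original article) that runs one Detect-Analyse-Adapt-Respond pass over a handful of constructed sshd-style log lines. The log text, the hostnames, the addresses and the failure threshold are all made up for the example; the point is that each step consumes the previous one's output, starting from events that were actually logged.

```python
"""Added example: a toy Detect-Analyse-Adapt-Respond cycle over constructed
sshd-style auth log lines. Hostnames, addresses and log text are hypothetical."""
import re
from collections import Counter

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
Mar 12 09:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 09:00:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 12 09:00:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 09:00:06 web01 sshd[2206]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 12 09:00:09 web01 sshd[2209]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2
Mar 12 09:01:10 db01 sshd[3300]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 12 09:02:00 web01 sshd[2240]: Accepted publickey for alice from 198.51.100.20 port 60001 ssh2
Mar 12 09:03:00 web01 sshd[2250]: Failed password for bob from 198.51.100.21 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 3  # assumed: failures from one source before we call it an attack


def parse(log_text):
    """Step zero: you cannot detect what you never logged. Turn raw lines into events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events):
    """Detect: sources whose failed-login count reaches the threshold."""
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    return {src for src, n in failures.items() if n >= FAIL_THRESHOLD}


def analyse(events, suspects):
    """Analyse: scope each suspect's activity (hosts, accounts) and rate the risk."""
    report = {}
    for src in suspects:
        mine = [e for e in events if e["src"] == src]
        success = [e for e in mine if e["result"] == "Accepted"]
        report[src] = {
            "hosts": sorted({e["host"] for e in mine}),
            "users": sorted({e["user"] for e in mine}),
            "failed": sum(1 for e in mine if e["result"] == "Failed"),
            # A success after repeated failures means a credential is now burned.
            "compromised": sorted({(e["host"], e["user"]) for e in success}),
            "risk": "high" if success else "medium",
        }
    return report


def adapt(report):
    """Adapt: turn the analysis into durable controls (rendered as rule strings)."""
    rules = []
    for src, r in report.items():
        rules.append(f"deny from {src} to any port 22")
        if r["compromised"]:
            hosts = sorted({h for h, _ in r["compromised"]})
            rules.append("require publickey auth on " + ", ".join(hosts))
    return rules


def respond(report):
    """Respond: containment and remediation actions for the incident handler."""
    actions = []
    for src, r in report.items():
        for host, user in r["compromised"]:
            actions.append(f"terminate sessions and rotate credentials for {user}@{host}")
            actions.append(f"preserve logs on {host} for forensics")
        actions.append(f"block {src} at the perimeter")
    return actions


def run_cycle(log_text=SAMPLE_LOG):
    """One full pass: each step feeds the next."""
    events = parse(log_text)
    report = analyse(events, detect(events))
    return {"report": report, "rules": adapt(report), "actions": respond(report)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_cycle(), indent=2))
```

Run as-is and the single noisy source (five failures across two hosts, then a successful password login as `deploy`) is the only suspect; the analysis rates it high because a login succeeded, the adapt step emits a deny rule plus a key-only requirement for the affected host, and the respond step lists the credential rotation, evidence preservation and perimeter block an incident handler would action. The two benign sources never reach the threshold and are left alone.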
Of course the real strength of D-A-A-R, at least for Trend Micro, is that thanks to a very handy coincidence it maps onto the marketecture of their Custom Defence product line. Of course it does. But that doesn't matter, because that sort of model is actually good advice.

Indeed, D-A-A-R is not so different from last century's "traditional" information security cycle: Protect, Detect, React. Protect the network with a firewall, sure, but also monitor its logs and deploy an intrusion detection system to detect problems, and have a process in place for reacting to incidents.
Given the various extended versions of that paradigm — such as Protect, Detect, Test and Verify, Respond and Remediate — the similarity becomes even clearer.
There's nothing wrong with repeating some security essentials in a fresh form, particularly when circumstances are changing. As James Turner, security analyst with IBRS, put it, "I think the value out of this conversation is that it's got to be the shift that we see across the entire industry in terms of the culture around security events."
Turner cited the recently-revealed hack of the Reserve Bank of Australia as a prime example. "There was an employee that went 'Something's not right here', raised the flag, and by all accounts they seem to have done a good intercept [in terms of preventing data exfiltration]."
Vendors like Trend Micro don't develop similar models because they're copy-cats. It's because they're all looking at the same infosec landscape.