When it comes to security, protection will fail. USB drives will be lost. Users will click on and respond to phishing messages. Malicious insiders will abuse their privileges to steal information and cause damage. Well-meaning insiders will accidentally delete data. Russia, China, organized crime and other traditional advanced persistent threats will compromise even the most sophisticated protection mechanisms. And all of that is OK.
What isn’t OK is to not expect failure and not plan for it by implementing adequate detection capabilities. Networks will be breached. There is no practical way to avoid that. But breaches are damaging only when they go undetected long enough for the adversary to accomplish its goals.
All industries expect failure in their protection mechanisms and calculate that into their business model. Credit card fraud is calculated into interest rates, and companies have departments devoted to dealing with the expected incidents. Retailers plan for shoplifting, calculate that into their margins and incorporate it into their accounting practices. Restaurants accommodate wasted food in their pricing. They accept failure of protection as a cost of doing business and plan for it by accounting for the loss while implementing the appropriate detection and reaction capabilities.
For some reason, though, the computer security world looks at failure of protection as unacceptable. But the truth is that security doesn’t fail until the adversaries have achieved their goals.
As we argue in our upcoming book, Advanced Persistent Security, security is a triad: protection, detection and reaction. While that is a military concept — an application of defensive information warfare principles, now more commonly referred to as cyber network defense (CND) — it applies to all civilian and commercial security programs as well. It is a fundamental acknowledgment that security is more than stopping bad people from getting in and preventing insiders from causing damage.
Let’s say that North Korea decides to get into Sony’s systems. Is it reasonable for Sony to assume that a state that devotes considerable resources to cyber offense would not find some way into such a vast network? The breach is acceptable — nearly inevitable, in fact. What is not acceptable is to fail to detect the exfiltration of movies, emails, sensitive data files and more. Similarly, once China set its sights on the U.S. Office of Personnel and Management systems, infiltration was pretty much assured. But it is not acceptable for the undetected attackers to be allowed to dwell on the network for more than a year while exfiltrating 21 million records.
All too often, detection is an afterthought. A lot of planning and money go toward hardening protections, and then an intrusion detection system or a security information and event monitoring system is tacked on. It’s not enough. Detection strategy and architecture have to be the equal of protection strategy and architecture.
Sign up for CIO Asia eNewsletters.