Emphasizing Detection and Response
Information security is often approached from a prevention-focused standpoint, with the primary goal of stopping hackers before they can strike. However, Alan Jones, CISO at MGT, believes this mindset is fundamentally flawed. In this interview, he challenges this prevailing focus and offers a more secure path forward.
What is your perspective on prevention, detection and response in information security today?
In the technology industry, information security is driven around the concept of prevention – stopping hackers before they strike. All our technology and expectations in the industry are built around that. I think that mindset is fundamentally flawed in several different ways.
The main reason is that many organizations don’t do security well. Most don’t do information security as a business. It’s not their focus. It will usually be secondary to their main objectives, and so the time and money they put toward it will be secondary to their primary business.
Also, bad guys are extremely good at information security. So, you run into a scenario where, in my opinion, it’s an unrealistic expectation to keep bad guys out of your environment all the time, every time. There are too many of them. They are too good at it. They have all the time in the world, and you do not.
Combine that with prevention-based technologies being the primary focus, which is only one layer of protection, and what you have is a scenario where you create a single hurdle for an attacker and, if they clear that hurdle, it’s game over. They’re in your network and you’re done.
It makes much more sense to consider not only preventative security controls but also to have the ability to look for bad guys inside your environment. Then, if you do find them, respond appropriately.
To use a physical security analogy, a strongly protected business or building is not just going to have locks on the doors. It’s going to have a security guard in the lobby. They’re going to have cameras. They’re going to have guards controlling the building, and they’re going to have a plan to deal with someone when and if they get inside that building. The same is true for information security, but we as an industry have decided that having locks on the front doors (and, frankly, in many cases shoddy locks on the front doors) is all we need to do. And it’s just unrealistic.
What are the best ways for an organization to truly safeguard its environment and move past the single protection layer of prevention?
There are three primary elements in the detective area that an organization should examine.
- The first is what we refer to as network security monitoring or NSM. It is when we are monitoring a computer network looking for abnormalities that could be indicative of malicious actors.
- The second is what we call endpoint security monitoring or ESM. ESM is similar to network security monitoring, but instead of looking at the network, we use a different technology tool to look at the endpoints. We’re looking at the actual computers.
- The third is called deception technologies. I’m a big advocate for this. It’s the equivalent of putting tripwires in your computer network. Deception technology uses files, computers, end-user accounts, or other tripwires to deceive a bad guy. They don’t have production or business use, but they look like they do. A normal user has no visibility of those things.
An attacker will go and poke at those elements. When the tripwire trips, you know a hacker is there. The thing I like about deception technology is that it has an extremely high signal-to-noise ratio, so you don’t get a lot of false positives. It’s very high fidelity in comparison to other technologies.
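The tripwire idea described in this answer, as an added example that is not part of the interview or any MGT tooling: a small detector that treats any activity touching a decoy account or decoy file as an alert, which is where the high signal-to-noise ratio comes from, since nothing legitimate should ever reference them. The decoy names, hosts, log format and log lines are all constructed for this example.

```python
"""
Added example (not from the interview or MGT): a minimal deception "tripwire"
detector. Decoy accounts and decoy files have no business use, so any event that
references one, even a failed logon, is alerted on without further correlation.
All identifiers, hosts and log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed decoy inventory: accounts and file paths that exist only as bait.
DECOY_ACCOUNTS = {"svc_backup_admin", "finance_archive"}
DECOY_FILES = {
    r"\\fileserver\shared\Payroll_2023_FINAL.xlsx",  # constructed UNC path
    "/srv/share/passwords.txt",                      # constructed Unix path
}

# Constructed log format:
#   "<ts> <host> <event> user=<user> [file=<path>] src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+)"
    r"(?: file=(?P<file>\S+))? src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    src: str
    reason: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev):
    """Return an Alert if the event touches a decoy, else None.

    Note that the event type is deliberately ignored: a logon *failure* against a
    decoy account is just as suspicious as a success, because no real user or
    process should ever attempt to use it.
    """
    if ev["user"].lower() in DECOY_ACCOUNTS:
        return Alert(ev["ts"], ev["host"], ev["src"],
                     f"decoy account used: {ev['user']}")
    if ev.get("file") and ev["file"] in DECOY_FILES:
        return Alert(ev["ts"], ev["host"], ev["src"],
                     f"decoy file touched: {ev['file']}")
    return None


def scan(lines):
    """Run every parsable line through the tripwire check and collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable line; a real pipeline would count these
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: normal activity, then an attacker from 10.0.7.200
# probing a decoy account and reading a decoy file with a stolen user session.
SAMPLE_LOGS = [
    "2024-05-01T08:02:11Z dc01 logon_success user=jsmith src=10.0.1.25",
    "2024-05-01T08:03:40Z fs01 file_read user=jsmith file=/srv/share/q2_report.docx src=10.0.1.25",
    "2024-05-01T09:15:02Z dc01 logon_failure user=svc_backup_admin src=10.0.7.200",
    "2024-05-01T09:15:09Z fs01 file_read user=jsmith file=/srv/share/passwords.txt src=10.0.7.200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[ALERT] {a.ts} host={a.host} src={a.src} {a.reason}")
```

Run stand-alone it prints two alerts and nothing for the legitimate activity. The second alert is the more interesting one: a real user's account touching a decoy file from an unfamiliar source address, which is exactly the kind of credential misuse that network and endpoint monitoring alone would have to infer from noisy behavioural baselines.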
How affordable and feasible are these technologies to implement for an organization?
I would say it’s not feasible for most organizations to do it by themselves, because most organizations, like I said at the beginning, are not in the business of information security. They don’t necessarily have dedicated IT personnel. They may or may not have the skill sets and the expertise needed. From that perspective, it’s not very feasible for them. However, that’s where security service providers like MGT come in. Bringing in consulting organizations like ours will help establish those programs, making it easy to monitor and respond when cyberattacks occur.
What’s your approach to implementing these security measures for an organization?
The first thing that we do is a baseline Information Security Assessment for an organization to determine where they are currently, what sort of information security technology they have, how it’s configured, what sort of policies and procedures they have in place, and what level of the business the information security group has access to. In a nutshell, how seriously does this organization take security? That will show us where their security gaps are. So, we examine how to fill those gaps in the most cost-efficient manner possible. We’ll do things in a stepwise fashion.
For example, we might not say to client XYZ we want to implement endpoint security monitoring, network security monitoring and deception technology in your environment all at the same time. Instead, we might say, okay, this year we’ll get the most value by implementing some network security monitoring technology. Then next year, we’ll look at endpoint security monitoring. We’re gathering more information. We have even more improved visibility of their environment. An organization might then ask, what can we do to make things more difficult for adversaries? Well, we can put tripwires in, and we can start implementing deception technology.
This is a stepwise approach over time. That usually makes this more palatable and cost-effective for an organization. It’s our job to be in tune with what our clients need.
Can you share examples of how your team has successfully helped organizations by implementing these protections?
We have helped clients get back on their feet after a cybersecurity incident has already occurred. In those scenarios, we will help them root out the bad guys, bring their network back online, and create a prevention plan.
There are also scenarios where we have successfully prevented larger-scale attacks. Because we could see when a customer was being targeted, we were able to prevent serious issues. We’ve seen both of those scenarios; the latter, fortunately, is much more common.
Overall, it’s more important that we provide a high-quality solution to our clients, creating win/win situations. If I can’t provide a high-quality solution to a client, be that because of finances, their unwillingness to make necessary changes, competitive pressures, or any number of reasons, we’re not going to do it. We don’t feel like it is in our clients’ best interest. I think that’s important too. Our goal is always to do what’s best for our clients and sometimes what’s best for our clients is not us.
How do you recommend approaching decision makers and making a case for a multi-layered security approach?
I think it starts by having a conversation with decision-makers about the reality of how attackers work. You have the conversation on their terms. Talk about a cyberattack in terms of potential losses to the organization, and what it costs to implement controls that can prevent those losses from occurring. Anything that they do should have a financial calculus assigned to it. Ask them, is the juice worth the squeeze? Is it a better financial decision for someone to run the risk of something happening? In some cases, the answer is no; it’s not worth it.
If we can’t implement a security framework that meets the needs of an organization and do it in a way that is less expensive than the cost of the organization suffering a breach, we shouldn’t be doing it.
Learn more about how a layered approach to cybersecurity can strengthen your organization’s defenses.
To truly safeguard your network environments and move beyond the limitations of single-protection cybersecurity, organizations must consider adopting a multi-layered security strategy. We can play a crucial role in establishing and managing these programs. For more information on how we can transform your security, contact us today!