A lot of folks in InfoSec would say that Confidentiality, Integrity, and Availability are the three concepts that make up cybersecurity. Well, there is some amount of validity in this argument.. but we’re not just talking about cybersecurity, we’re talking about security in general.
To that point, security of any variety, be it financial, physical, and even cybersecurity is built around three components: Prevention, Detection, and Response. The purpose of these components is to protect against loss.
Each industry defines loss differently and develops its own best practices, regulation, and technology that facilitate security strategies. Security strategies are either protection or response based; and detection mechanisms enable both protection and response based strategies.
A protection based strategy amasses resources in an effort to ensure loss never occurs. Response based strategies amass resources to ensure that the loss can be mitigated when it does occur. Some protection based strategies may be impractical or ineffective when used alone, while some response based strategies can be costly to activate frequently. For this reason, hybrid strategies are frequently used.
In my opinion, the best hybrid strategies involve deploying a response based capability focused on mitigating major risks and also deploy a supplemental protection based capability with the simple intent of reducing the likelihood of needing a response. In this case, the protection capability isn’t intended to prevent all loss, only the types of loss that create an expensive response.
To help understand it is important to discuss how each of the three components is used within a security strategy.
Protection is the concept of preventing loss altogether. When examining a familiar example such as a bank robbery, the protection mechanisms may include obstructive barriers, visible guards, and laws that act as deterrents. These mechanisms may physically stop the the bad guys in their tracks, increase danger of being arrested, or increase the duration of punishment when they are arrested.
In infosec, Protection is the phase where things such as firewalls, intrusion prevention systems, and user awareness come into play. The idea is that protection mechanism breaks the chain of attack before the destruction of equipment or exfiltration of data occurs. A majority of organizations deploy these technologies at the border of their network.
Organizations with robust security strategies deploy protection mechanisms in such a way that they fully thwart simplistic attacks and funnel more advanced attacks into their detection and response mechanisms. An example of this in cybersecurity would be closing unnecessary ports on a firewall and enabling a “honey pot” on a remote access port, such as SSH. The honey pot would never be used legitimately so all activity on that port would be suspicious, at the least. Further filters can be added to separate the simplistic attacks from those that are more advanced. This type of highly technical strategy would provide IT and cybersecurity staff the knowledge about the skill level of would-be adversaries, their techniques, and the source network address of their attacks.
Detection is the capability to identify loss or the potential for loss; ideally this happens before loss occurs or very quickly thereafter. Once a possible loss event Is detected, the loss event should be automatically prevented or an alert of some sort is sent to personnel capable of responding.
Keeping with the bank example, a detection mechanism may be visual identification of bank robbers, an alarm system that is active after-hours, or an alarm on the vault sensor that sends and alert any time the door is opened. In any of these cases, two events take place: The triggering event and the notification event.
Bank alarm companies have done a great job automating notifications after a triggering event occurs, such as a standard after-hours door alarm or glass-break alarm. However, visual identification requires a manual notification by a human, normally a phone call or a panic alarm. These are the areas where it is important to reduce friction, such as adding a panic button the bank tellers can press.
Cybersecurity also relies heavily on both automated and manual detection mechanisms. Sometimes a malware sample triggers antivirus. Other times, a malicious actor is logged in via a screen sharing session but the event goes undetected. Because of this, robust detection mechanisms should be improved to reduce the need for human identification.
These robust detection mechanisms should identify anomalies or signatures within a network environment based on experience an input provided by cybersecurity experts. This normally comes in the form of intrusion detection systems, antivirus, application whitelisting and variety of other technologies or trainings. As one can imagine, quite a bit of synergy exists between protection and detection, as many commodity threats are prevented as a result of being detected. Additionally, once a loss event is detected, the response begins.
Response is the last and arguably the most critical component of the security triad. Response is about the actions taken after a loss event or incident is detected and after prevention failed. If the bank robbers are inside the bank and stuffing money into their bags, the prevention strategies obviously didn’t work as planned!
Assuming one of the citizens or bank employees had the ability to notify authorities, the alert goes to a dispatch center where a dispatcher triages the alert. Based on a set of predefined procedures, the appropriate response is determined which, in this case, may be to send the Special Weapons and Tactics team to deal with the threat.
These types of response processes aren’t much different in cybersecurity and this one of the areas Horangi stands apart, incident response. Something bad is detected, a cyber-operator is notified, and a capable team of incident responders is deployed.
One of the major challenges that Horangi solves is that cybersecurity is a relatively new field and there are only a few clear procedures for either detecting or responding to cyber incidents. It’s difficult for organizations to know how a specific incident should be handled, and it takes the talent of experienced incident responder to navigate the crisis effectively. To compound this issues the number of trained industry personnel is very low so it’s hard or impossible to hire internal employees.
Because there are very few procedures or trained personnel, notifications frequently go untriaged, incidents are not identified and responses are not adequate. Many organizations are learning that Incident response, in any field, is not something that is effectively done as an extra responsibility; it’s a full time job with very strenuous training requirements.
To sum it up, banks are going to get robbed and networks are going to get hacked. Security strategies that only focus on preventing loss will eventually fail and a lack of investment in response capability leads to realized risk. Focusing on a dual response and protection driven strategy is the best way to hedge against the risk of a cyber attack.
