Ken Ammon is chief strategy officer at Xceedium.
National Security Agency Director Adm. Michael Rogers recently stated, "Traditionally, we’ve largely been focused on attempts to prevent intrusions. I’ve increasingly come to the opinion that we must spend more time focused on detection." This is a troubling statement. Surely, detection is a key component of any security program. But should our government be spending more time on detection than prevention? The answer is no.
What’s Wrong with a Detection-Centric Approach?
The answer is best illustrated by applying this logic to other disciplines. Would you rather detect cancer or prevent cancer? Detect a crime or prevent a crime? Detect a security incident or prevent one? While detection represents a critical component of any complete program, a logical approach shows prevention is always preferred. The fact is that the majority of security incidents are the direct result of a failure to integrate security prevention into IT operations.
Over the past decade, security monitoring and IT operations have evolved into an “us” and “them” paradigm, which perpetuates the existing bolt-on security model. In effect, the more we invest in better monitoring tools, the more problems we uncover. The result is a game of security whack-a-mole where the moles outpace the security operation teams’ ability to mitigate the risk.
One example is poor credential management. Recent studies indicated a significant number of contractors maintained valid system administration login credentials years after they changed companies and no longer required access to the system. Given that all attacks follow two basic steps -- gain access and elevate rights -- this should be unacceptable to IT and security operation teams.
Most security incidents are merely symptoms of a combination of inadequate IT operational security controls, lack of defined and automated processes and lack of attribution. Lack of attribution, in particular, leads to situations where contractor “A” blames contractor “B” for deleting a database or shutting down a server. Without appropriate prevention platforms, security monitoring teams will continue to struggle with attribution and root cause remediation.
How to Build Prevention into Our Systems
At the core of the issue is a lack of leadership. Security budgets are typically small, with the exception of post-breach funding, when the money is deployed in a fashion that doesn’t address inadequate prevention. Many chief information officers survey the enterprise IT market landscape looking for someone who has gotten it right and, admittedly, they have struggled to find a replicable model based upon proven success. But cloud computing has permanently changed that landscape.
Gartner’s magic quadrant for public cloud providers has Amazon Web Services significantly ahead of the field with a proven track record of weathering the constant onslaught of global attacks, all the while serving a massive and diverse global market. The secret sauce: corporate leadership and a commitment to fully integrate IT and security operations. The combination of integrated security controls focused on least privilege and continuous monitoring keeps the game of security whack-a-mole in check.
The U.S. federal government continues to point to an integrated approach to security. The Federal Risk and Authorization Management Program, National Institute of Standards and Technology and the Department of Homeland Security's Continuous Diagnostics and Mitigation all bang this drum. In fact, the next phase of CDM is focused on least privilege and infrastructure integrity -- foundational elements of security prevention. Federal CIOs need to embrace this approach to succeed.
Ways to Strike Appropriate Balance Between Prevention and Detection
Our long history of bolting on or ignoring security has resulted in countless legacy systems with glairing security challenges, constrained operations and maintenance budgets. With Phase I of DHS’ CDM program rolling out over the next year, security monitoring will shine an even brighter light on IT operation gaps in process and accountability. Asking for additional funding to close these gaps is unpopular in general, but this is where leadership plays a key role. Congress and the executive branch must support additional security funding for the necessary prevention technology and the CIO must be aligned with the chief information security officer.
Departments and agencies should be replicating an existing successful model with least privilege enforcement and full attribution. Failure to adapt will leave contractors vulnerable to more efficient and secure IT operational models implemented by FedRAMP-authorized providers. The benefits to security monitoring teams can be dramatic and will include:
- Reduction in false alarms as the result of least privilege-related access controls
- Full attribution: no more confusion around root cause analysis
- Access to session recording, reducing log analysis complexity for security analysts
The last key element in security is to follow NIST’s “Common Control” approach: invest in foundational security prevention systems designed to centrally support legacy, virtual and cloud based systems. Centralized and automated controls will provide full attribution across all contractors and facilitate least privilege across all platforms.