We’ve all been there before. Something unforeseen happens that triggers a panic response. More often than not we look back at that response and wish we could have done things differently.
What we’ve all learned along the way is that panic triggers a response that often leads to potentially catastrophic mistakes. Those mistakes come as we grasp for short-term fixes that give us a stronger sense of control, but don’t take long term consequences into account.
On October 14th, Microsoft’s “Patch Tuesday” took on a new sense of urgency as we learned of three new vulnerabilities that were actively being exploited in targeted attack campaigns. Microsoft released 24 patches in total. Oracle also released patches for 154 new vulnerabilities that were discovered. Adobe issued security updates for Flash and ColdFusion. For many this triggered an immediate response to begin the tedious process of upgrading security patches and signatures. Some simply don’t have the resources and will get to the upgrades as soon as they possibly can.
Assuming you weren’t one of the unlucky attack targets, the upgrades should resolve any concerns…this time around. But how many security alerts are you dealing with on a weekly, monthly basis?
For many, patch management has become a sore topic as it’s virtually impossible to stay on top of. But security efficacy takes on many shapes and sizes across the organization and despite it’s pain, patching remains a crucial process in any security operation. Or does it?
If you examine the recent exploits that utilized either an unknown zero-day based vulnerability or a vulnerability that was known but had not yet been patched, you’ll see these exploits share a common set of traits. In order to execute they must follow a very well defined and finite set of exploit techniques in order to compromise the system. In fact at latest count there are only 24 techniques at an attacker’s disposal. And in most cases attackers have to employ three to four of these techniques in succession to exploit a system.
So conventional wisdom says, ‘“If I can figure out a way to disrupt or prevent just one of those steps from being used, the attack itself could be blocked.” And a couple innovative companies are now bringing this approach to market not only for exploits but also malware-driven attacks.
With the news of a fresh round of breaches at Dairy Queen and Kmart, on top of a busy week of security patches, many organizations are falling into the dangerous path of making potentially catastrophic strategy shifts. Partly due to coercion by an industry that’s pushing a very clear agenda around detection and remediation. Backed by alarming statistics of attack dwell times, increasing costs of breaches, they’re creating a picture that prevention is futile and that organizations should shift resources to a new fall back position. Ridiculous!
I’m certainly not going to stand here and say detection isn’t important. But shifting valuable resources away from prevention so that you can more quickly detect and remediate the attack that’s most likely already achieved its objectives is an ill-conceived response that will ultimately lead to catastrophic results.
Prevention isn’t futile; remediation is. Because those companies who come in and charge $20,000 a day over an average of 31 days to clean up and remediate your systems do nothing to get back what was stolen. There’s no Navy Seal team who infiltrates the Russian organized crime team to re-take your stolen credit cards, medical records, or design documents. That’s remediation. Hold your line. Know that prevention isn’t futile.
Take this opportunity to rethink about your overall security architecture. Are you utilizing the next-generation security platforms that now exist? Ones that combine network, cloud and endpoint security. The technology exists to truly prevent these attacks from ever achieving their objectives.
Step back; don’t panic. Take the time to architect a top down approach that reduces your attack surface by safely enabling your applications, users and devices. Implement automation to protect against both known and unknown threats, eliminating the ‘man-in-the-middle’. The capability exists; it’s just a matter of taking a breath and collecting the courage to drive real change across your organization.
Scott Gainey is the VP of Product Marketing and Programs at Palo Alto Networks. He is responsible for formulating the vision, definition and delivery of programs aimed at driving Palo Alto Network’s growth in security, and cultivating opportunities in new and existing markets. Gainey has over 18 years of experience in security, cloud computing, storage systems, and enterprise networking. Prior to joining Palo Alto Networks Scott held leadership positions at Cisco, Xsigo Systems (bought by Oracle), NetApp, VERITAS Software (bought by Symantec), and Sun Microsystems.