Published on March 29, 2013
"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat."
Despite all the facile metaphors in common usage, the “battle” between information security professionals and their various opponents, hackers and thieves in particular, cannot in any way be viewed as a war. That is due simply to the fact that the “battle” is entirely one-sided. The “bad guys” conduct offensive operations, and we try to block them, prevent them from achieving their goals or mitigate the damage they can do when they are successful. It can’t be a war if only one side is attacking.
In a very real sense, it doesn’t have to be this way. It’s not as if the developers, engineers and architects in the business IT community are helpless. Indeed, just last year the information security website DefCon Russia, run by Alexey Sintsov, operated a particularly aggressive honeypot, one built specifically to be breached by SQL injection. Unfortunately for the attackers, a successful penetration resulted in the surreptitious installation of a backdoor on the attacker’s own system. Sintsov is not a blackhat, so the backdoor was benign, coded to capture login and source IP information in order to deliver nothing more than a "gotcha" message. And, it turned out, a surprising number of the exploit attempts came from either ultimately ineffectual script kiddies or other white hats looking for vulnerabilities.
In general, we are constrained by laws and ethics from turning the digital battlefield into a digital minefield. Regardless of our capabilities, we are limited to defending our perimeter and trying to prevent attacks and thefts. Even with the best forensics, attackers can seldom be identified, and are often far out of reach and invulnerable to any consequences. Adopting an offensive security posture, as attractive as it might be conceptually, isn’t an option that is available to those of us in the InfoSec field. Or is it?
Just because we can’t turn the hackers’ tools against them doesn’t mean we have to sit back and play defense. In the face of the current threat environment, merely reacting to an attack isn’t enough. We MUST adopt a more aggressive, proactive approach to winning this fight. But if hardening our systems isn’t enough, and we can’t counter-attack, what can we do?
The answer, just as it is on the real-world battlefield, is intelligence. If we can imbue our systems with the intelligence to know clearly and with certainty who the users are, what resources they are accessing and with what permissions, and, most importantly, what they are doing, not just at the network level but at the application/transactional level, and if we can see it all in real time, then we can fight back within the confines of our own networks.
Securonix is the only tool that lets you adopt a true offensive security posture. By integrating all your network, user and security data, from logs to Directory Services and HR Data to IAM to DLP and Content Management to SIEM and other specialized security tools, Securonix lets you build a Security Warehouse where you can integrate all your critical security information in one place. Then the Securonix platform applies a powerful set of behavioral profiling algorithms so that you can identify suspicious, risky or fraudulent activity as it happens. No longer are you waiting for a vendor to update a signature or an auditor to discover discrepancies. Now you have actionable intelligence, and the opportunity to stop insider attacks, APTs, hacktivists, even zero-day exploits before they can do any damage.
Above all the obvious financial and technical advantages to a more aggressive information security strategy, there is a tremendous satisfaction in moving from a reactionary/defensive security model to a proactive, real-time posture. Instead of merely cleaning up the crime scene and looking for evidence, you can fight back on a level playing field.