Prevention will fail. It’s time to invest in detection and response
Author: Sergio Hernando, 4 March 2013

Some years ago we took a notable turn in the way we approach security. Many companies started to write security policies designed to explain to everyone the organization's vision on a certain subject: what was allowed, what was recommended and, in some cases, what was forbidden. But as you can imagine, we are human, and the simple fact of having a signed piece of paper in place will not prevent users from performing certain activities, either accidentally or intentionally.
A good example is the creation of the first acceptable Internet usage policies, which described what employees were expected to do when browsing the Internet. However, we soon realized there is no way you can expect an entire organization to fully understand what is legal, illegal or dangerous when browsing the Web. Some users will accidentally reach sites that are against the policy because of tricky redirections, some will be taken to these sites by phishing attacks, and some will deliberately attempt to browse them no matter what you wrote in your policy. I remember when we tried to create awareness and urged users to apply common sense when browsing, but as you probably know, common sense is sometimes the least common of all senses.
Then we came up with the idea of enforcing policies using technology. In the case of Internet usage, Web filtering technologies arose and solved part of the problem: if a site was declared non-authorized or unacceptable, browsing simply would not happen, and the user would be presented with a warning screen blocking any further browsing. Of course, savvy users found their way around it, by changing the proxy settings, using anonymizers, tunnelling through VPN connections and so on, but the common user base hit a brick wall when trying to reach sites that were not allowed.
A step ahead
On top of that, we also found out that by preventing access to certain sites we could also prevent malware infections, as malware was primarily placed on sites that were already subject to filtering, such as those serving illegal software or certain adult content. Apart from enforcing policies and taking care of isolated infections, no one thought about organized crime and sophisticated attacks. And that is understandable.
Unfortunately for us, attackers are always trying to stay a step ahead, and they soon worked out how to overcome the investments in security technology and awareness. Think about drive-by infections: infections caused simply by visiting a certain website. Malware can be placed on trusted sites, which are not going to be filtered because they are considered benign; news sites and social media are some examples. So if you are browsing a site that you trust and that has been compromised, URL filters will not help you at all. You will probably be infected, and your company will likely be compromised. Perhaps, somewhere along the infection chain, you may be lucky and your additional security measures, such as IDS or endpoint protection, will notice malicious content being dropped into your network or malware beaconing out once the infection has happened. But forget about that if you are facing unknown attacks that take advantage of brand new exploitation methods, such as 0-days or any other kind of tailored attack.
Adding detection and reaction capabilities
There are many reasons why these attacks succeed. One of them is that attackers are aware that in many cases, the security infrastructure is there not because of cybercrime, but as a consequence of a journey that started many years ago with policy enforcement. In addition, evading signature-based technologies is extremely easy for organized crime, and common sense and traditional awareness break down when attackers target the user's trust instead of the technology.
While having the basic preventive measures in place is a good idea for dealing with known threats, I think we all agree that no matter how many policies or how much awareness training we have in place, users will eventually follow that malicious link, or simply browse the site they trust and suffer a drive-by infection. And that may bypass all of your security technologies, especially in the case of targeted attacks.
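To make the "detection" side of the argument concrete, here is a small added example (it is not the author's code, nor any filtering product's logic). A URL filter asks "is this category allowed?"; a compromised news site answers "yes" and the implant's check-ins go straight through. A detection capability asks a different question: does this client talk to this host on a timer? The script below parses a constructed proxy access log (the log format, host names, IP addresses and thresholds are all assumptions made for the example) and flags (client, host) pairs whose request spacing is too regular to be a human. In the sample, the periodic traffic goes to a host in the allowed "news" category, which is exactly the case the filter cannot catch.

```python
"""Flag beacon-like periodic requests in a web proxy access log.

Added example for this article, not the author's code. URL filtering
judges the destination; this judges the *behaviour* of the traffic,
which is what a drive-by implant reveals when it checks in with its
controller on a fixed timer.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real traffic). Fields, assumed
# for this example: timestamp, client IP, destination host, filter
# category, HTTP status, response bytes. The 10.0.0.12 -> stats.news
# lines are spaced ~60 s apart with small, uniform replies; the
# 10.0.0.31 lines are an ordinary person reading the news.
SAMPLE_LOG = """\
2013-03-04T09:00:00 10.0.0.12 news.example.com news 200 18340
2013-03-04T09:00:07 10.0.0.12 cdn.news.example.com news 200 55210
2013-03-04T09:01:00 10.0.0.12 stats.news.example.com news 200 312
2013-03-04T09:02:01 10.0.0.12 stats.news.example.com news 200 309
2013-03-04T09:03:00 10.0.0.12 stats.news.example.com news 200 315
2013-03-04T09:03:41 10.0.0.12 social.example.org social 200 9020
2013-03-04T09:03:59 10.0.0.12 stats.news.example.com news 200 311
2013-03-04T09:05:00 10.0.0.12 stats.news.example.com news 200 308
2013-03-04T09:06:01 10.0.0.12 stats.news.example.com news 200 314
2013-03-04T09:05:30 10.0.0.31 news.example.com news 200 18340
2013-03-04T09:12:10 10.0.0.31 news.example.com news 200 22011
2013-03-04T09:47:02 10.0.0.31 news.example.com news 200 19870
2013-03-04T10:20:15 10.0.0.31 news.example.com news 200 20110
2013-03-04T10:21:00 10.0.0.31 news.example.com news 200 20512
2013-03-04T11:02:40 10.0.0.31 news.example.com news 200 21003
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed or blank line: ignore, do not crash the detector
        ts, src, dst, category, status, size = fields
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "category": category,
            "status": int(status), "bytes": int(size),
        })
    return records


def find_beacons(records, min_requests=5, max_interval_cv=0.2):
    """Return (client, host) pairs whose request spacing is suspiciously regular.

    Score = coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. A fixed timer scores near 0; human browsing
    is bursty and scores far higher. Thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)

    hits = []
    for (src, dst), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue  # too few samples to judge regularity
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # all requests at the same instant: not a timer
        cv = statistics.stdev(gaps) / mean_gap
        if cv <= max_interval_cv:
            hits.append({
                "src": src, "dst": dst,
                "category": reqs[0]["category"],   # what the URL filter saw
                "requests": len(reqs),
                "period_s": round(mean_gap, 1),
                "interval_cv": round(cv, 3),
                "avg_bytes": round(statistics.mean(r["bytes"] for r in reqs)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("beacon? {src} -> {dst} [{category}] every ~{period_s}s, "
              "{requests} requests, cv={interval_cv}, ~{avg_bytes} bytes".format(**hit))
```

Run on the sample, the only pair flagged is 10.0.0.12 talking to stats.news.example.com roughly once a minute, in the allowed "news" category, while the 10.0.0.31 reader of the same site is left alone. In production the same logic runs over much longer windows and is paired with the response step: the flagged client is isolated and the host is examined, rather than simply added to a block list that the next compromised site will not be on.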
This is just one of the many reasons why you need strong security operations in place, and why we need to invest in detection and response capabilities. We could write a similar article about e-mail, and we would reach the same conclusions. Prevention is not bulletproof and will eventually fail, and awareness is simply not sufficient. The bad guys will always find a way in. The only question is when. So get ready for it.