Reversing the Asymmetry Between the Attacker and Defender
In the world of cybersecurity, the relationship between the role of the attacker and the role of the defender is a highly asymmetric one. The defender has to defend every point that can be breached, while the attacker has to exploit just one vulnerability. This asymmetry strongly favors the attacker.
Many of today’s cybersecurity deployments are based on a perimeter-centric model that aims to stop malware and threats from breaching the perimeter and to keep users and assets inside it secure. This model plays directly to the asymmetry and advantage of the attacker. Consequently, this model has failed to achieve its goal, and the results show in both the volume and the magnitude of many recent breaches.
What is noteworthy is that the very nature of many of these breaches has evolved over the last several years. In contrast to the viruses and worms of just a few years ago, which would propagate rapidly and leave a trail of destruction in their wake, many of today’s breaches are aimed at gathering large volumes of confidential information over extended periods of time. Many of these breaches now take place over multiple stages, in a very stealthy manner. For example, once a piece of malware has breached a target user’s system, it may propagate “low and slow” across the organization. In other words, the malware attempts to evade detection with the aim of spreading deep and wide within the organization. During this process, backdoor channels of communication with command and control centers may be established. See the “Addressing the Threat Within: Rethinking Network Security Deployment” whitepaper for more details. This low and slow propagation can take weeks or months. Data gathering begins next, during which large volumes of confidential data are collected and finally exfiltrated. In many cases the organization realizes the extent of the breach only after exfiltration.
Understanding this lifecycle is the key to attempting to reverse the asymmetry between the attacker and defender. There is a growing consensus that the focus has to shift from a perimeter- and protection-centric model, which highly favors the attacker, towards a model that assumes adversaries will break into the network. In other words, the focus has to shift in favor of a detection and containment model. This shift in the security model also provides the best opportunity to reverse the asymmetry. Once the attacker has breached the organization, in order to maximize the footprint of the breach, the attacker now has to take every precaution to evade detection. The defender, on the other hand, now has to find just one fingerprint that reveals the presence of the attacker. Consequently, phases such as lateral movement of malware within the organization, attempts at establishing backdoor command and control communication channels, and data exfiltration attempts present the best opportunity to detect and contain the threat and restore the balance in favor of the defender.
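Two of the "fingerprints" named above, the regular cadence of a backdoor command and control check-in and the cumulative volume of an exfiltration, can be pulled out of ordinary outbound flow records. The example below is added here and is not part of the original post or any Gigamon product; the flow records are constructed sample data and the thresholds are illustrative assumptions.

```python
"""Two 'fingerprint' checks over outbound flow records (constructed sample data):
periodic beaconing to one external host, and unusually large outbound volume."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (unix_time, src, dst, bytes_out). Not real traffic.
FLOWS = [
    # host A checks in with 203.0.113.5 every ~600 s with little jitter, tiny payloads
    *[(1000 + 600 * i + (3 if i % 2 else 0), "10.0.0.7", "203.0.113.5", 310) for i in range(8)],
    # host B: ordinary browsing, irregular timing, modest sizes
    (1050, "10.0.0.9", "198.51.100.20", 4200), (1210, "10.0.0.9", "198.51.100.20", 900),
    (1900, "10.0.0.9", "198.51.100.21", 2600), (4100, "10.0.0.9", "198.51.100.20", 5100),
    # host C: a single large push out, no regular cadence
    (3000, "10.0.0.12", "203.0.113.40", 2_500_000_000),
]

def beacon_candidates(flows, min_count=6, max_cv=0.05):
    """Return (src, dst) pairs whose connection intervals are nearly constant.
    cv = stddev/mean of the inter-arrival gaps; a low cv is the cadence of a
    scheduled check-in rather than of human-driven traffic (thresholds assumed)."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else float("inf")
        if cv <= max_cv:
            hits.append((pair, round(mean(gaps)), round(cv, 4)))
    return hits

def exfil_candidates(flows, byte_threshold=1_000_000_000):
    """Return (src, dst, total_bytes) pairs whose summed outbound volume exceeds
    the threshold; the cumulative figure is what a per-flow size limit misses."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return [(src, dst, b) for (src, dst), b in totals.items() if b > byte_threshold]

if __name__ == "__main__":
    print("beaconing:", beacon_candidates(FLOWS))
    print("bulk outbound:", exfil_candidates(FLOWWS if False else FLOWS))
```

Both checks need complete, decrypted-where-permitted visibility of east-west and outbound traffic to be meaningful, which is the data-access problem the next paragraphs turn to.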
This does require building and setting up systems that are increasingly focused on detection from within. However, within the organization’s infrastructure, the volumes of data that need to be examined are large. The growing use of encryption and the mobility of users, devices and applications create additional blind spots and add unpredictability in terms of consistent access to relevant data.
Consequently, this shift from prevention to detection requires a new deployment model for security systems: a model that ensures consistent access to relevant data from physical and virtualized systems, regardless of location or use of encryption technologies. GigaSECURE, Gigamon’s security delivery platform, provides the first such solution by taking a platform-based approach to the simultaneous deployment of a variety of security solutions in this new world of cybersecurity that is increasingly focused on detection and containment. For more details see here.