Prevention Is Ideal But Detection Is a Must Strategy

When I say, “prevention is ideal but detection is a must,” I’m talking about preventing the adversary from penetrating, and really focusing in on these areas. We can limit the information that’s out there. We can control and stop the payload. We can stop executable for money.

I went through those solutions by application white listing. This will prevent and stop the launch per percent of this from occurring. Even my secondary option of running web browsing and email clients in virtualized environments will also prevent and stop this from happening.

So when we’re talking about trying to prevent the adversary we’re really trying to control the delivery and execution. We’re focused on what gets delivered to your system and what gets executed on your box. We can start to prevent and stop that.

From a detection capability, we’re really looking at what is the network patterns and the network traffic that’s occurring and happening on the system. I am a real real big believer that when it comes to catching adversaries, “network forensics” is the way to go. Reason being, if somebody compromises and takes over a computer, it can be really hard to find evidence. However network traffic packets are packets are packets.  You can’t hide. So now by going in and looking at traffic patterns network flows and connection characteristics we can actually detect and catch that adversary.

When we’re looking at the detection, we’re looking at the network patterns that are occurring. There’s also a very important subtlety here that I want to draw out when I’m talking about prevention and stopping this. Most of this occurs on the inbound traffic. So, I’m really talking about inbound prevention. I’m looking at what’s coming into my network inbound and trying to prevent, stop, or limit that. When I’m talking about detection, I’m really focusing on what’s leaving my organization or what the outward bound traffic is.

So what we’re really getting into here is inbound prevention and outbound protection. Most organizations try to do everything inbound. Preventing inbound is good. But if you try to detect an adversary on inbound traffic, it’s way too noisy, too stealthy, & too difficult. You’re not going to win there. The outbound traffic is where you’re going to detect and find those adversaries.

What are some actionable things that we can do on the preventive side? Limit visibility. Reduce the exposure within your environment. When organizations first started deploying networks in the late 90s, adversaries were targeting systems of public IP addresses. So we took every system that had a public IP address, put it on an isolated network (called a DMZ). We locked down, secured, and patched those systems. Then we firewalled them off from the rest of the network. We made those targets very difficult.

We actually caused the problem we have today, because whenever we make something too difficult for the adversary, they find a different way in. So those systems on DMZs are very hard to break into. They are hardened. They are locked down. They have limited visibility and they’re isolated from the rest of the network. We’ve, then, created our internal network to have this really strong perimeter but everything inside is pretty open.

We thought, in the 90s, there was no way to break into a computer with a private IP address. We felt all of our systems that had RNC 19 18 addresses were going to be secure and protected. We just had one big network where they were there.

Well guess what?

Via the e-mail, Web, and other mechanisms, the adversaries figured out how to penetrate that perimeter. When they get into one of those systems, they have full visibility into all the other networks.

We have to do the same thing we did 20 years ago. We need to take all those client systems, put them on separate isolated segments, firewall them off, lock them down, and limit any sensitive data. Then, if they get compromised the amount of exposure is limited.

Here’s the problem today. If you compromise a client computer on the private network, it will be able to see 8000 servers. What if we take all of our clients, we break it into groups of 50, put 50 systems on isolated segment, firewalled off from the rest of the network? Then, if one of those clients get compromised, you can now impact 50 systems instead of 8000?

That’s the approach we want to take. Start limiting and controlling visibility. Start locking down our environments.

For more tips on staying safe in cyberspace, keep checking out my blogs or follow me on Facebook, Twitter, or Linked In. For your own company’s security assessment or any other questions or concerns, reach out to me at