Schneier on Security
A blog covering security and security technology.

April 27, 2012

Attack Mitigation

At the RSA Conference this year, I noticed a trend of companies that have products and services designed to help victims recover from attacks. Kelly Jackson Higgins noticed the same thing: "Damage Mitigation as the New Defense."

    That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop attackers at the door to instead trying to lessen the impact of an inevitable hack. The aim is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server -- or merely stopping him from exfiltrating sensitive information. It's more about containment now, security experts say.

    Relying solely on perimeter defenses is now passe -- and naively dangerous. "Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago," says Dave Piscitello, senior security technologist for ICANN. "The criminal application of collected/exfiltrated data is now such an enormous problem that it's impossible to avoid."

Posted on April 27, 2012 at 6:53 AM • 17 Comments

Comments

Reader • April 27, 2012 7:22 AM
And in "fire prevention" they also are not embarrassed to install sprinklers.

Bobby • April 27, 2012 7:35 AM
Does this mean that pen testing, BCP, DRR and forensics may soon be on top of the cashola chain?

Josh Jordan • April 27, 2012 7:43 AM
This is a good indicator that some companies would rather cover up an event than properly mitigate. Ethical leaders understand that breaches will occur, and the bad PR from an attack is not as bad as allowing some innocent user's data to be farmed silently. This article makes me feel better about the direction of Information Security and Assurance: if you are hacked, admit defeat and mitigate any further damage.

Clive Robinson • April 27, 2012 8:41 AM
This "mitigation" approach is what you do with physical security. It starts with the delaying tactics to slow entry down and works its way through to making a claim on insurance and then the "re-build". The simple fact is you cannot stop a determined, well resourced and skilled adversary. The best you can hope to do is "detect, delay, apprehend" and sweep up the mess.

Clive Robinson • April 27, 2012 10:01 AM
Slightly OFF Topic: On a related note, Nick Selby has an article up on CSO Online about the abhorrent state of reporting cyber-crime to LEOs, with the catchy title of "There's No 911 for Cybercrime. If there were would you call it?"

bcs • April 27, 2012 10:58 AM
"you cannot do 100 percent prevention anymore"
Wait. When has anyone *ever* been able to do 100 percent prevention? Please will someone forward this to the TSA?

Lurker • April 27, 2012 11:54 AM
I can do 100% prevention of data theft. I think it's called degauss and destroy. Unfortunately, this imposes an infinite hassle on using the data as well. (As would be expected of any asymptotic function, really.)

Snarki, child of Loki • April 27, 2012 12:36 PM
@Larry M: It's been there all along! FORMAT C: anything else is an ineffective half-measure.

61north • April 27, 2012 12:39 PM
When I read this, I immediately thought that the same approach should apply to airline security. TSA has focused too much on the perimeter defense (security checkpoints) and not enough on the mitigation aspects (cockpit doors, air marshals, armed pilots, passengers fighting back, intelligence, etc.). I suppose this principle applies to any sort of security. TSA and politicians just prefer to focus on the security theater because it's visible and gets votes.

Keith • April 27, 2012 1:13 PM
@Snarki: "format C:" was the way to fix those problems back in the 90s (mostly... viruses could still infect the MBR back then, if I recall, which would survive a format...). These days we've got cloud services everywhere; things have the ability to infect ever-present services: network shares, SharePoint, commonly used devices (flash drives, cell phones, BT devices, etc.).

Roger • April 27, 2012 6:35 PM
"Relying solely on perimeter defenses is now passe -- and naively dangerous."
Umm, relying solely on perimeter defenses has always been regarded as naively dangerous -- at least by the non-naive. Even in the early nineties we called that approach "candy security": hard and crunchy on the outside, soft and chewy in the middle. It was what security admins did if they inherited an unholy mess: the fastest way to get some sort of security happening was to add perimeter defense, but it was widely acknowledged that by itself this is totally inadequate, and a lot more needed to be done in "phase two."

DoctorT • April 27, 2012 7:24 PM
"FORMAT C:" Even that is ineffective because it doesn't securely erase the volume.

Jack • April 27, 2012 7:39 PM
Hmm... I thought all this talk of attacks was nothing more than fear mongering by software vendors and the government pushing for bigger budgets. At least that's what I've read here umpteen times. So, why would anyone care about mitigating an attack if they're not real? Doesn't make sense.

Brandioch Conner • April 28, 2012 12:15 AM
@bcs: Exactly. And there will be times when someone skips something or does it wrong or whatever, and if one of those times happens to coincide with a cracker's attack that could exploit that ... you've just been cracked.

Nick P • April 28, 2012 4:51 PM
I'll leave a full comment later, when I'm not working, that elaborates. In short, we can prevent the majority of remote attacks TODAY using cost-effective methods, some 40 years old. These people need to stop pretending we can't. Of course, monitoring and recovery are also important. I'd also recommend a user-centric view of things accounting for both usability and stupidity.

Jurgen • May 1, 2012 3:42 AM
Wait ... Nobody remembers Winn Schwartau ...? (http://en.wikipedia.org/wiki/Winn_Schwartau) In particular his first book: Time Based Security. It was all known, and all of us ran for the quick fix ...?
Powered by Movable Type. Photo at top by Geoffrey Stone.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.