In his recent keynote at RSA Conference, RSA Security president Amit Yoran said that “prevention is a failed strategy, but if you continue to invest solely in prevention, what good are you getting from it?”
Ahead of that, I had the chance to meet with Dan Wiley, head of incident response and threat intelligence at Check Point Software Technologies. The company was announcing its SandBlast Zero-Day Protection solution, which has a threat emulation engine designed to pick up malware at the exploit phase, before attackers can apply the evasion techniques that attempt to bypass the sandbox.
Wiley said that this was another evolution for the 20+ year-old company, which sees endpoint security failing: as attackers adapt to be more dynamic, protections are breaking down.
“Once companies realize who the attackers are and are at a level that they cannot do anything about it, if it is nation-state actors, what are you going to do about it? You need to detect, but prevention should stop this in the first place. We applaud Mandiant and those companies, but what is the customer going to do about it?”
Wiley went on to make the bold claim that it is about “prevention rather than detection”, which seemed to go against the grain of common security advice. I double-checked that this was what he meant, and he confirmed it.
“Every case I work with is to contain the impact of the event, understand the components of the event and create protections so it doesn’t happen again,” he said. “That is where the industry often falls down and I am trading my lion’s share of the effort to apply them into preventions to make sure it doesn’t happen again.”
He detailed a recent example, where a company was dealing with ransomware and within a few minutes had the indicators of compromise and could translate that information into prevention. “The company didn’t have detection technologies turned on, and needed an expert to deploy them and often we see that the user needs another hand or two to convince them for the technologies,” he said.
“Our customers buy our prevent and detect technologies but put them in detect only mode as the industry has said to give up on prevention, but the problem is you need threat experts to take it from detection and remediation to prevention, and there is not enough expertise inside an organization.”
Wiley said that the biggest problem in detection is time: you have seconds to deal with an incident, and humans do not operate at that time scale. There is also a problem with context. If you subscribe to threat intelligence, you need it to be tailored to you, which can cost millions of dollars a year, and there are few companies that can afford that.
“Just having intelligence without the people to process it, it becomes less useful,” he said. “Our goal is to add intelligence to customers, and share information with customers. We use that to create security sets but the difference is the scale as we concentrate on all customer sizes and it is usually top 500 and they do not see the mid-market, where there is not much APT and a lot more crimeware and a lot more ransomware, and those attacks are more similar and large in scope.”
Often, Wiley said, customers don’t have advanced technology to deal with an event, and Check Point is called in to help resolve it. “We look at it from an attacker’s point of view and see if your infrastructure can withstand an attack, and bring the ability to fight the fight,” he said.
“You pick up the phone and get a 20+ year expert and give the client instant gratification – but our USP is speed to response.”