With Election Day around the corner, we thought it an appropriate time to take a look at the checks and balances model that has served the United States well for over two centuries, and think about how it might apply to a more modern challenge – securing your enterprise. A checks and balances approach aims to make sure all of the pieces work together to strengthen your overall posture.
The system of checks and balances in the US government was created to ensure that the three branches – legislative, executive and judicial – are held accountable to one another, and that no individual branch can take too much power.
Applying this concept to security, we can look at the three typical branches of a security program – Prevent, Detect and Respond.
- Prevention is about stopping the attacker before they get into your network.
- Detection aims to find hidden attackers that have made it inside.
- Response is about containing damage and re-tuning policies and procedures following a security breach.
Unfortunately, for years, we have seen an imbalance of power between these three branches. The majority of budget and time has been spent on prevention. For years, the industry has told enterprises they should keep adding to their security stack. The higher the walls, the more secure, right? The problem is, if prevention fails, how do you know? Do you have methods to determine what has gotten through? Are you waiting for users to call you? Is there enough balance of power in your detection and response branches to address the unknown?
“We must assume our systems have been, and will continue to be, compromised, which forces a shift in focus to how to minimize damage — either by improving post infection detection methods or by isolating the attack to minimize its impact,” said Neil MacDonald at the Gartner Security Summit earlier this summer.
The next chapter of our security odyssey begins with assuming we are in a state of continuous breach. The first adjustment – as Gartner suggests – is balancing security spending to fortify detection and response capabilities. A balanced program improves your overall posture and takes into account not only how to keep threats out, but also how to detect threats that get in, how to determine which of those can actually cause damage, and what actions must be taken to stop damage and continually strengthen your program.
A system of checks and balances enables breach defense. Rather than viewing the security stack vertically, we must start to think of it both horizontally and bi-directionally, where each control is constantly feeding and improving (checking and balancing) the others. Here are a few examples of how this can work:
- If you can trace malicious network communications back to the file and process that initiated them, your endpoint tool can examine all endpoints, on and off the network, to determine whether other devices are infected.
- If you detect a new threat that has in fact penetrated your network, you can update rules in your SIEM or create new signatures in your AV, improving the accuracy of both systems.
- If you prioritize true positives for responders based on risk to your environment, they can focus on threats that matter most. The more info you can provide them, the shorter the response cycle time.
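The three bullets above describe one feedback loop: pivot from a network detection to the endpoints, turn the confirmed threat into new rules and signatures, then rank what is left by risk. The following is an added example written for this post, not code from the original article or from any product; the hosts, hashes, domain, criticality scale and the simplified Sigma-like rule shape are all constructed placeholders.

```python
"""Added example (not part of the original post): a minimal detect -> enrich ->
feed-back loop over constructed telemetry.

1. A network detection names the originating host, process and file hash; we
   pivot on the hash across endpoint telemetry, including off-network hosts.
2. The confirmed threat becomes a SIEM rule and an AV/EDR hash indicator.
3. Affected hosts are ranked by risk so responders work the worst first.

Hostnames, hashes, the domain and the criticality scale are constructed.
The rule dict is a simplified Sigma-like shape, not any product's real schema.
"""
from dataclasses import dataclass


@dataclass
class NetworkDetection:
    host: str           # endpoint that made the connection
    process: str        # process that opened the socket
    sha256: str         # hash of the process image
    dest_domain: str    # destination the sensor flagged as malicious


@dataclass
class EndpointRecord:
    host: str
    on_network: bool            # False = roaming laptop, reachable only via agent
    asset_criticality: int      # constructed scale: 1 (low) .. 5 (crown jewels)
    running_hashes: set         # sha256 of images executed recently


# --- constructed sample data -------------------------------------------------
BAD_HASH = "deadbeef" * 8        # 64 hex chars, placeholder
BENIGN_HASH = "cafe" * 16        # 64 hex chars, placeholder

NETWORK_DETECTION = NetworkDetection(
    host="ws-0117", process="svchost_update.exe",
    sha256=BAD_HASH, dest_domain="cdn-updates.example.invalid")

ENDPOINT_INVENTORY = [
    EndpointRecord("ws-0117", True, 2, {BAD_HASH, BENIGN_HASH}),
    EndpointRecord("ws-0204", True, 2, {BENIGN_HASH}),
    EndpointRecord("lt-0042", False, 3, {BAD_HASH}),      # laptop, off network
    EndpointRecord("db-prod-01", True, 5, {BAD_HASH}),    # high-value server
]


def find_infected_hosts(detection, inventory):
    """Step 1: pivot from the network detection's file hash to every endpoint,
    on or off the network, that has executed the same file."""
    return sorted(r.host for r in inventory if detection.sha256 in r.running_hashes)


def build_siem_rule(detection):
    """Step 2a: derive a simplified Sigma-like rule from the confirmed threat
    so the SIEM catches further beacons to the same destination."""
    return {
        "title": f"Beacon to {detection.dest_domain}",
        "logsource": {"category": "dns"},
        "detection": {
            "selection": {"query": detection.dest_domain},
            "condition": "selection",
        },
        "level": "high",
    }


def build_av_indicator(detection):
    """Step 2b: a hash indicator the AV/EDR blocklist can consume directly."""
    return {"type": "sha256", "value": detection.sha256, "label": detection.process}


def risk_score(record):
    """Constructed scoring: asset criticality dominates; an off-network host
    gets a bump because network-level containment cannot reach it."""
    return record.asset_criticality * 10 + (5 if not record.on_network else 0)


def prioritize(detection, inventory):
    """Step 3: rank only the confirmed-infected hosts (true positives) by risk,
    highest first, so responders see what matters most."""
    infected = set(find_infected_hosts(detection, inventory))
    hits = [(r.host, risk_score(r)) for r in inventory if r.host in infected]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    print("infected:", find_infected_hosts(NETWORK_DETECTION, ENDPOINT_INVENTORY))
    print("siem rule:", build_siem_rule(NETWORK_DETECTION))
    print("av indicator:", build_av_indicator(NETWORK_DETECTION))
    print("work queue:", prioritize(NETWORK_DETECTION, ENDPOINT_INVENTORY))
```

The point of the scoring function is not the particular weights (they are made up here) but that the same detection feeds three different controls: the endpoint agent gets a hash to hunt, the SIEM gets a rule, and the responder gets an ordered queue in which the high-value server and the unreachable laptop outrank the workstation where the alert originated.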
These kinds of communications and continuous improvement cycles begin to create a breach resilient environment. While no form of government is perfect, just like no security program will stop 100% of threats at the door, one that offers a checks and balances approach is far less likely to go greatly awry than one where all the power resides within a single branch.