Inside the security operations center at Pacific Northwest National Laboratory. Today’s columnist, Robert Boudreaux of Deep Instinct, says taking a prevention-first approach based on defense-in-depth can ease the burden on the SOC team. (Credit: Pacific Northwest National Laboratory)

The debate between prevention versus detection has long been a focus in the cybersecurity community, but does it need to continue? One of the most important topics in this ongoing debate has been the responsibility of the security professionals who design the security policies. Over the course of the past year, not only have we seen the sheer number of attacks rise, but the success rate of these attacks has netted greater returns for bad actors. Policies set on the “assume breach” mindset are partly to blame. This increasing volume and severity of attacks cries out for a prevention-first approach.

Set cybersecurity goals

In life, we set goals for ourselves, both personally and professionally. So, why not do the same when it comes to cybersecurity? Organizations must set goals to accomplish the mission of protecting the organization against a breach. Yet if we want to stop our adversaries from succeeding, why is detecting the threat after the compromise a reasonable goal? When we let them in, we lose control. Instead, why not focus everything we can on preventing the threat before it gets inside and then use post-compromise detection and response as the secondary action, not the first?

This basic shift in approach can change personal, organizational, and even societal outcomes. If we set a prevention security policy on all endpoints, we must also look at the operational process of deploying patches or new software to our endpoints. Some may think, don’t we already do this today? Don’t we have evaluations, training and change control for exactly this reason? Today, we do it with an “assume breach” mindset, not prevention-first.

When we look at annual goals, ask these pressing questions:

  • Did we consider the previous year’s results when setting annual goals?
  • Did we look at how the threat landscape has evolved and adjust both the approach and the goals to match the needed security?
  • Did we evaluate our security policies, training, and products to make every effort to prevent the threat the same as if we were defending our home or our family?

If companies aren’t asking these questions throughout the decision-making process, it’s worth considering. Issues such as employee turnover, zero-days, unknown threats, and new attack vectors will continue being a constant in our lives if we don’t change our mindset. The vectors used in the attacks now cross mobile devices, cloud storage, and, of course, endpoints of every kind. Attacks are sponsored by state-run groups and carried out by for-profit attackers. They are harder to detect and are often the uber-targeted that involves extensive research using a low-and-slow approach establishing persistence until they get to the most sensitive information. However,  they can also be fast, using ransomware as a service to go in for a fast grab. Let’s not forget that ransomware is rarely one-and- done. Attackers leave behind artifacts that allow them to come back two, three, or even four times to get as much return for their investment as possible.

Stay proactive with basic cyber hygiene

Security teams must think much more proactively. First and foremost, formulate a plan to evaluate the company’s security policy on a monthly or quarterly basis and make sure it matches the attack landscape today. Make patching and updates part of the security plan and budget. Evaluate employees’ security mindset and make them part of the overall security strategy. Finally, above all else, make sure the company takes a prevention-first approach. Changing the security mindset and approach can make all the difference in the world.

If an attacker gets inside the network, even if the security team detects the threat quickly, the team often determine if the attacker didn’t leave behind a dropper or artifact that allows them to get back in under the radar. When responding to those threats, cleaning up and remediation is expensive and time-consuming. A prevention-first approach can lower those costs and reduce the burden on the SOC team. But we are not talking about AV approaches of the past. New innovative solutions based on proactive AI using deep learning offers a new opportunity to truly bring a prevention-first mindset to your organization.

As always, follow a defense-in-depth approach. No solution will offer 100% prevention, but the organization can reduce the burden on its SOC team and lower overall risk by setting security policy to a prevention-first approach. This ultimately offers the SOC team the time and space to uncover the true attacks and stop them before the company experiences any damage.

Robert Boudreaux, Field CTO, Deep Instinct