Have we placed too much emphasis on an assume breach mindset?

Published: Friday, 25 March 2022 09:07

The assume breach approach is widely accepted as the starting point for cyber resilience, but is it helping organizations develop successful strategies? Chuck Everette thinks that it is not effective and in this article he explains why…

‘Assume breach’ became the de facto mindset for cyber security approximately 10 years ago, working on the premise that threat actors are already inside your network and, if you don’t stop them, an attack is inevitable. The idea stemmed from the notion that older prevention technologies based on signatures and rules were simply not effective at keeping attackers out.

Since then, threats have continued to escalate in both number and severity. Breaches are no less common than they were 10 years ago, and there has been a huge increase in ransomware attacks since 2019. Should we still be placing as much emphasis on the philosophy?

Assume breach is a reactive approach; in a way, it is almost giving up.

The problem with reactive security

Endpoint detection and response (EDR) tools were built around the assume breach mindset, with organizations looking to identify suspicious behaviour that signifies an attack is underway.

Waiting for a threat to execute means SOC teams are racing against the clock to try and minimise damage. This is exacerbated by the fact that typical EDR tools will produce a very high volume of threat alerts, many of which will be false positives. As a result, SOC teams will be constantly pulled away from more valuable proactive tasks to investigate bogus alerts. With most SOC teams suffering from the ongoing security skills shortage, already limited resources are reaching the breaking point.

IBM’s 2021 Cost of Data Breach report estimates that it takes an average of 287 days to identify and contain a breach; this is up 10 percent over what it was in 2015. We need to reverse this trend. Overworked SOC teams who are constantly fighting fires are more likely to miss the alerts that signify the most serious threats, resulting in longer dwell times as attackers circumvent controls undetected.

Why threats are increasingly bypassing EDR

For an EDR-led strategy to succeed in fully defending the network, it must have full visibility of every endpoint connected across the network, as well as the ability to reliably identify potential threats. Unfortunately, neither of these criteria is likely to be attainable.

Research from Deep Instinct found that just one percent of organizations believed that all of their endpoints were protected by their EDR solution, leaving dangerous holes in the fabric of their security strategy. These gaps have been widened by the growth of remote working and BYOD.

EDR tools rely on behavioural analysis, looking for deviations from normal behaviours that indicate a threat actor is attempting to infiltrate your network via file-based or fileless malware. EDR must see behaviours that indicate a threat has executed on the endpoint, and while EDR does catch certain types of attacks very early in this process, many others are much further along in the attack cycle before they are detected. Threat actors are also continually improving their own evasion techniques to bypass EDR controls until it’s too late to stop the breach.

The fastest ransomware variants need just a few seconds after executing to begin encrypting files, while most EDR solutions need several minutes to detect a threat and some take hours. Most often, attackers are caught only when they begin to encrypt files. Even if detected early, attackers may have left artifacts or droppers, or installed a backdoor, leaving room for re-entry and further exploitation of the network. Attackers will often have already exfiltrated data before they started encryption, leading to double and triple extortion demands.

Why it’s time to reduce our reliance on assume breach

As mentioned earlier, since 2015 the average number of days to identify and contain a breach has risen. Given the investments in people, process, and technology, we should be more successful at keeping attackers on the outside of our networks. Is it time to take a hard look at this emphasis on assume breach?

Prevention got a bad rap when AV solutions could only prevent known attacks. NGAV (Next-Generation Antivirus) has improved by adding machine learning (ML), but it’s still based on known threat vectors, relies on threat intel feeds and suffers from a high false positive rate. The efficacy is just not there.

But again, this does not mean we should give up. Greater prevention is the goal for most organizations; they just don’t know how to get there. A prevention-first approach has the potential to greatly reduce the number of attacks, lower SOC operational costs and speed up investigation and remediation for the highest severity threats.

Deep learning offers the potential to make a prevention-first strategy a reality.

Deep learning is the key to proactive security

As the most advanced form of AI, deep learning (DL) can bring a proactive approach to prevention by enabling organizations to stop an attack before it can execute and write to disk, as opposed to reactive machine learning approaches, which rely on detecting behaviours after the threat executes on the endpoint.

A deep learning-based solution is more accurate at uncovering threats because, in milliseconds, it analyses the entire contents of a file to determine whether it is malicious or benign, understanding the DNA of an attack without knowing its hash. A solution that is based on deep learning can prevent previously unknown malware, malware variants, ransomware, and zero-days, as well as fileless attacks such as code injection and PowerShell.

A deep learning-based security solution should also lower false positives to less than 0.1 percent. This means overstretched SOC teams can breathe a sigh of relief as they receive fewer alerts, and those that do arrive are very high fidelity. Fewer alerts enable your EDR solution to do what it was built for: to correlate high fidelity events and stop threat actors before they can breach the network.

While deep learning can provide great benefits, its effectiveness cannot be guaranteed if the framework was not built for cyber security. An open-source framework developed for image recognition will not provide the same results. Deep learning should be at the core of a solution and not bolted on after the fact.

Deep learning provides the potential for us to reduce our reliance on the ‘assume breach’ mindset and swing the pendulum towards a highly effective prevention-first approach. It’s worth taking a look at your cyber resilience strategy and asking yourself if there isn’t a better way.

The author

Chuck Everette is Director of cybersecurity advocacy at Deep Instinct.