Ending the Cybersecurity Arms Race
Network security has always been something of a balancing act between maximizing sharing and ease of use on the one hand, and erecting barriers on the other.
When computer networks first emerged, there were few limitations on what could be transmitted over them. However, after the world’s first major network computer security incident—the Morris Worm of 1988—organizations began to retreat behind network-level firewalls and anti-virus software. Some defenders even tried to completely disconnect their networks from the outside world via “air gaps.”
This paper argues that it is time to move beyond the security paradigm of separating networks, as epitomized by the air gap. Instead, network defenders should embrace an approach that allows sharing and connectedness, anticipates that adversaries will penetrate the network, and is able to detect and ultimately eject those adversaries before they can do harm.
In Part 1, we trace the history of network security. While the Internet was designed for maximum flexibility, and security was initially managed at the level of each end-point in the system, this changed with the introduction of firewalls and anti-virus software.
In Part 2, we show how the use of these barriers then started an arms race between attackers and defenders. As defenders tried to filter out all malware using anti-virus software, attackers developed new ways of masking the malware they produced. As defenders built more complex and layered firewalls, attackers probed for new ways to penetrate those walls.
Part 3 then looks at the logical extreme of the barrier-based approach to network security, the air gap, in which a system is disconnected from the rest of the cyber world. However, air gaps do not solve the problems of network security. If using isolation to defend a network, defenders must be perfect—needing to anticipate and prevent all attacks—while the attacker need only find a single flaw in the defense. The Stuxnet malware pointed up the limitations of an approach to network security that relies on isolating resources, while the Snowden leaks showed that even a perfectly separate network is vulnerable to insider threats.
Part 4 argues that an approach to security that emphasizes detection of an adversary and ejection once detected helps to stop the debilitating arms race in which, to this point, defenders have largely been on the losing side. With a “behavioral monitoring” approach to network security, the adversary must find a perfect strategy that blends into the normal use of the targeted system so well that their attack cannot be detected, and the defender need only find a weakness in that strategy. This approach therefore takes the advantage from adversaries and shifts it to defenders.
We conclude by explaining how, in practice, an organization might choose to implement a behavioral monitoring approach. Of course, this approach will still involve basic hygiene measures—such as installing updates and encrypting data at rest and on the wire. But this should be combined with monitoring and detection of anomalous behavior that may show that an adversary has gained access to the network. This monitoring may be conducted at the level of an individual network, but will be most successful when at least some infrastructure is outsourced to organizations that can invest more in both expertise and tools to do the needed anomaly detection. Additionally, these third-party organizations analyze much larger sets of data, have visibility into a wider variety of attacks, and can employ specialized experts in big data and machine learning, significantly increasing the effectiveness of behavioral monitoring in their environment. Thus, once again, network-connected systems can benefit from sharing and connectedness—rather than going it alone.