Thursday, February 19, 2015

The Security Triad: Protection, Detection, and Response

It's been a while since I've posted anything at all. I could cite a variety of excuses but the truth is that I've been cutting my teeth in the industry and adapting from my previous life to my new one. I've finally found the time and desire to continue writing, so without further ado...

A lot of folks and InfoSec would say that Confidentiality, Integrity, and Availability are the three concepts that make up the Security Triad. Well, I agree to some point.. but we're not just talking about InfoSec or the security of knowledge (which is where InfoSec was born), we're talking about security in general. 

To that point, security of any variety, from financial and physical security to information security, has three components: Protection, Detection, and Response.  Each industry places more emphasis on a given phase than others and we often see radical changes in the deployment methods and regulation following large and critical incidents. 


http://www.e-cq.net/images/protect-detect-respond.jpg
(not sure who these guys are but the image looked nice)

Protection

Protection is the concept of preventing loss. When examining a familiar example such as a bank robbery, the protection mechanisms may include obstructive barriers, visible guards, and laws that act as deterrents.

In infosec, Protection is the phase where things such as firewalls, intrusion prevention systems, and user awareness come in to play. The idea is that protection mechanism breaks the chain of attack before the destruction of equipment or exfiltration of data occurs. A majority of organizations deploy these technologies at the border of their network.

Detection

Detection is the capability to identify loss or the potential for loss; ideally this happens very quickly. Once a possible loss event Is detected, an alert of some sort is sent to personnel capable of responding.  

Keeping with the bank example, the detection mechanism may be visual identification of bank robbers,  an alarm system that is active after-hours, or maybe an alarm on the vault door that signals any time it is opened. In any of these cases, two events take place: The triggering event and the notification event.

Alarm companies have done a great job automating many notification events after trigger events such as a door alarm or glass-break alarm.  However, visual identification requires a manual notification action by a human, normally a phone call or a panic alarm. These are the areas where it is important to reduce friction, such as allowing citizens to send text messages so that they don't put themselves In danger by creating verbal noise.

InfoSec also relies heavily on a both automated and manual detection. Sometimes malware triggers AV but the fact that a malicious actor is logged in via a screen sharing session goes undetected. Because of this, robust detection mechanisms need to be built to reduce the need for human identification or at least end user identification.

These robust detection mechanisms should identify anomalies or signatures within a network environment based on experience an input provided by InfoSec staff.  This normally comes in the form of intrusion detection systems, antivirus, application white listing and variety of other technologies and trainings. As on can imagine, quite a bit of synergy exists between Protection and Detection, as many commodity threats are prevented because they are detected by one of these automated mechanisms.

Response

Response is the last and arguably the most critical component of the security triad. Response is about the actions taken after an incident is detected but and after prevention failed. If the bank robbers are inside the bank and stealing money, the prevention strategies obviously failed.  Hopefully one of the victims had the ability to notifiy law enforcement after the event was detected, and now the proper response is to send the SWAT team and negotiators… folks that are specially trained for responding to a variety of challenging events. 

The processes aren't much different in InfoSec. The difference is that InfoSec is a relatively new field and there aren't any clear procedures on detection or response like there are with bank robberies. Many cyber-attacks defeat both the automated prevention and detection technologies and rely on 3rd party human detection. As a result of the lacking procedures, the response is all too often trivialized and handled by folks that are not properly trained or experienced. Incident response in any field is not something that can be done as a hobby or part time. It's a full time job with very strenuous training requirements.

The reason that response is the most critical component is simple; banks are going to get robbed and networks are going to get hacked. Trivializing the response leads to risk: business, reputational, and financial.