In 2003, security industry analyst Richard Stiennon famously declared that intrusion detection systems would be obsolete by 2005, writing at the time:
“The underlying problem with IDS is that enterprises are investing in technology to detect intrusions on a network. This implies they are doing something wrong and letting those attacks in.”
To some extent, Stiennon was right, intrusion detection systems have become obsolete, yet his comment still remain relevant today. The NIST Cybersecurity Framework, published in October 2013, organizes five basic cybersecurity functions: identify, protect, detect, respond and recover. Three-fifths of this framework (detect, respond and recover) assume compromise will occur.
For the past ten years, threat detection has been a Band-Aid on a bullet wound. The good news is that the industry is finally starting to come around to this realization. Symantec has acknowledged that anti-virus is dead, detecting just 45 percent of cyber-attacks. The Target data breach serves as a cautionary tale since its threat detection systems alerted response teams that failed to prevent the breach.
What is the problem? Why is it so hard to make threat detection solutions work effectively? It turns out, there are a few reasons:
- Performance vs. security – Threat detection systems rely on signatures to catch cyber-attacks, but the more signatures an organization has enabled, the more performance takes a hit. Organizations face a dilemma, balancing performance and security, which typically results in partial coverage as some signatures are disabled to maintain performance.
- Management is time-consuming – The process of tuning signatures for threat detection solutions is labor-intensive and ongoing because new signatures are released all the time. If organizations don’t take the time to tune signatures, they generate more false positives, which creates a signal-to-noise ratio that results in real threats being overlooked.
- Management is error-prone – Once signatures create too much of a performance impact or the volume of false positives becomes too great, organizations tend to deploy threat detection systems in “alert only” mode. The issue with “alert only” threat detection is that it requires security response team to remain diligent, which the Target breach has demonstrated is virtually impossible.
Ten years later, Richard Stiennon is right, threat detection is obsolete, which is exactly why organizations are doing something wrong. Instead of focusing on detecting the attacks that get through, organizations need to focus on protection.