[BreachExchange] Perimeter solutions: Do layers of security make a difference?

Destry Winant destry at riskbasedsecurity.com
Mon Apr 8 04:10:45 EDT 2019


https://www.helpnetsecurity.com/2019/04/08/perimeter-solutions-layers-of-security/

As an enterprise, it is always important to constantly reevaluate
information security solutions. When doing so, take a good look at the
perimeter solutions in place and their associated detection
mechanisms. What’s interesting is that many vendors that offer
detection offerings use more than one solution as their engines. Some
of these detection mechanisms are developed in-house, others combine
with external solutions and some collaborate with other vendors to
provide a solution with improved security.

Many enterprises follow the collaboration bread crumbs and there is a
tendency to think that the more vendors involved in contributing
technology to a security solution, the better and more robust that
solution will be.

At first glance, it does seem that there would be an advantage to
working with a security solution that was taking advantage of several
different vendors’ tech. But is there really an advantage to
onboarding a security strategy that is representative of several
detection engines in one solution? The enterprise now has several
engines with differing levels of expertise in how they respond to
threats and potential intrusions, all integrated into one complete
solution.

Complexity rises with the number of vendors contributing to one solution

Issues can arise in this circumstance. For instance, end-users should
receive a decisive call in a detection notification: either “passed”
or “blocked”. When employing a solution that has more than one engine
integrated into it, a vendor will receive a set of indicators from
different engines and then combine them into a single verdict of
passed or blocked, for which the vendor builds logic specifically for
the solution. That could be a proprietary algorithm, a machine
learning algorithm, or a rule-based decisioning engine. This is a
complex task, especially when a vendor only has superficial knowledge
about the solutions with which they integrate.

What we see happening here is the problem being moved outside of the
engines: the vendor is instead processing a set of indicators that
might or might not indicate malicious behavior. One scenario: what
would the IT team do if “engine A” provided a set of indicators that
said a malicious act was occurring, but “engine B” usually assesses it
as benign?
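
The "engine A" versus "engine B" conflict above, as an added example
that is not part of the original article: three simple rule-based
policies applied to the same constructed engine results, showing that
the final passed/blocked verdict depends on the combining logic rather
than on the engines. The engine labels, scores, false-positive rates
and thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EngineResult:
    engine: str     # constructed engine label
    score: float    # 0.0 (benign) .. 1.0 (malicious), as reported by the engine
    fp_rate: float  # assumed historical false-positive rate for that engine

def any_block(results, threshold=0.5):
    """Block when any single engine crosses the threshold."""
    return "blocked" if any(r.score >= threshold for r in results) else "passed"

def majority(results, threshold=0.5):
    """Block only when more than half of the engines cross the threshold."""
    votes = sum(r.score >= threshold for r in results)
    return "blocked" if votes * 2 > len(results) else "passed"

def weighted(results, threshold=0.5):
    """Block on the trust-weighted mean score; trust = 1 - fp_rate."""
    total = sum(1 - r.fp_rate for r in results)
    combined = sum(r.score * (1 - r.fp_rate) for r in results) / total
    return "blocked" if combined >= threshold else "passed"

POLICIES = (any_block, majority, weighted)

def evaluate(results):
    """Return each policy's verdict plus a flag for analyst review on disagreement."""
    verdicts = {p.__name__: p(results) for p in POLICIES}
    return verdicts, len(set(verdicts.values())) > 1

# Constructed sample: engine A flags the file, engine B considers it benign.
CONFLICT = [EngineResult("A", 0.9, 0.30), EngineResult("B", 0.1, 0.02)]
# Constructed sample: both engines flag the file.
AGREE = [EngineResult("A", 0.8, 0.30), EngineResult("B", 0.7, 0.02)]

if __name__ == "__main__":
    for name, sample in (("conflict", CONFLICT), ("agree", AGREE)):
        verdicts, review = evaluate(sample)
        print(name, verdicts, "needs review" if review else "consistent")
```

When the policies disagree on the same inputs, routing the sample to
an analyst instead of silently picking one verdict keeps the conflict
visible.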

And finally, employing an additional detection engine does not
increase the detection rate. In fact, the possibility of worsening the
detection rate increases when a vendor does not have its own engine.
There is a gap in understanding and determining the true meaning of
the indicators and the ultimate confusion that can arise in assessing
too many sources of sometimes conflicting information.

The cost factor

Budget is always a concern in any company. In this instance, running
all of the enterprise’s security solutions all of the time can be
expensive. Additionally, in some instances, the license does not
permit the use of the engine in an alternative way. Instead, financial
or license restrictions must be inserted into the decision mechanism
to determine which solutions to use for each sample. The easiest way
to do it is to characterize the sample using static-analysis methods.
For example, if a file contains a macro, it will act differently than
a file that does not contain one. For advanced attacks, static evasion
techniques can be used. In conclusion, this level of decision
algorithm is complex and usually results in many false negatives.

Updates can be delayed

Updating a solution that integrates several detection engines can be
complex. Due to their reactive nature, each detection mechanism is
continually evolving and creating more indicators.

Using a stand-alone deployment, the user may receive the updates in a
timely fashion, but having numerous engines inside your product
increases the urgency to know which new indicators were added, and how
they impact the character and responsiveness of the overall decision
algorithm. This period is followed by a period of time to develop,
integrate and test, during which the risk of breach is even
increasing, especially if an enterprise waits for the updates for too
long a period of time.

So what’s the solution?

These issues – complexity, cost, and delayed updates – are the central
reasons why we see malware and bad actors able to bypass all of the
integrated detection solutions available today. It is easier than ever
to deploy new solutions, so there is no reason not to choose the best
solution for your security needs.

