In Today’s Threat Landscape, Choose an Ounce of Prevention rather Than a Pound of Detection

By Joe Saunders, runsafe Security CEO

Cybercrime is on the rise and becoming one of the biggest threats to business operations and continuity. While many cybersecurity companies continue to focus on detection, increasingly sophisticated criminals are finding new ways to sidestep these solutions. As such, it is now more important than ever to move beyond simple detection- based security to a more proactive strategy that stops attacks before they happen. In these perilous times, an ounce of prevention can carry far more weight than a pound of detection.

Traditional security mainly detects symptoms

Last year, Cybersecurity Ventures predicted that cybercrime will cost the world up to $6 trillion per year by 2021, roughly double the global costs of 2015. The firm said cybercrime will soon grow to become the greatest transfer for wealth in history, and eventually become more profitable than the entire illegal drug trade. But not only are attacks becoming more frequent, but they’re also becoming more sophisticated. Hackers are hitting organizations of all sizes with ransomware, DDoS attacks, phishing and Zero Day exploits on a regular basis. Even the FBI is having trouble keeping pace.

Despite the growing threats, traditional security measures continue to focus on detecting symptoms of attacks. They use the external network and perimeter technologies such as gateways, firewalls,  intrusion prevention, and antivirus agents.. In addition, internal approaches such as static and dynamic analysis are used to try to detect vulnerabilities in code.

The problem with such traditional security is that it focuses more on detecting symptoms rather than on addressing the underlying cause(s). While established tools have worked for decades on known attack types, their effectiveness is diminishing as hackers with time and financial resources become increasingly skilled in designing attacks to avoid detection.

For example, buffer overflows are one of the most common memory corruption vulnerabilities in software. In these hacks, attackers insert data with code designed to trigger specific actions that could damage files, change data or expose confidential information. These attacks sidestep traditional external detection and are frequently

Missed by code analysis that has to cover the end-to-end software binaries, from the apps to the OS, hypervisor, operating system, and firmware.

Putting a focus on prevention

The detection will always be a critical component of cybersecurity,  as identifying and remediating threats before they spread can alleviate some risk and damages incurred by a cyber attack.

But detection alone will no longer suffice in this increasingly perilous environment. Detection tools offer no protection in cases where the supply chain itself is compromised, in the case of fileless attacks like memory corruption such as buffer overflow, stack and heap attacks, Return Oriented Programming (ROP) chain attacks or zero-day attacks.

Host-based detection agents may also create performance issues that can require retooling and retesting to implement. Further, detection monitoring and alerting also require time, investment and expertise. Finally, re-engineering code adds a requirement for a level of resources, as well as compliance challenges and risk that most companies are unable or unwilling to meet – especially in instances when the software stack might be hundreds of thousands or millions of lines.

Finding vulnerabilities and closing the gap can reduce risk and stop attacks in a far better fashion than simply identifying symptoms.  One such strategy is Runtime Application Self Protection (RASP) which offers built-in security in the app and app environment itself to prevent real-time attacks from succeeding and from scaling across identical target systems.

There are several RASP techniques, including randomization (also known as binary stirring) which protects an app binary by rendering each version functionally identical but logically unique. Another technique is Control-Flow Integrity (CFI) that puts curbs around jumps and returns to preserve the order of execution and functionality.

Stopping attacks from being executed

It’s worth noting that 80 percent of cybersecurity leaders who participated in the

 ISACA’s 2017 State of Cyber Security Study believed they’re likely to experience a cyber attack during the year. In today’s environment, companies must operate with the assumption that they will be attacked at some point, and as such, do more to stop attacks rather than just identifying them.

While the majority of security solutions focus on preventing breaches with firewalls, antivirus software, and intrusion prevention, those in charge of security must continue to assume that an attacker will eventually get in, and prepare accordingly. The key isn’t to detect malware, it’s to harden devices and systems to prevent attacks from being executed in the first place.

About the Author

Joe Saunders is the CEO of runsafe Security, a pioneer of cyber hardening technology for embedded systems and devices.