Active Defense: Time for a New Security Strategy

Feb 25, 2013 | Dmitri Alperovitch, Co-Founder & CTO

We are soon coming up on three decades since the beginnings of the commercial security industry in the mid 1980s, and it’s a good time to take stock of where we are and how far we’ve come. It is indisputable that the capabilities of security technologies and corporate implementation of security policies are light years ahead of where they were even a decade ago. Yet, the actual state of security of most companies is worse than ever. This is evident by the constant stream of headlines with the latest disclosures of intrusions into some of the biggest and smallest companies alike. The question we must ask ourselves is whether we should continue trying the same old tactics over and over again expecting a different result, or whether the time has come to fundamentally change our security strategy.

A recent development that our industry is only now beginning to grasp is the rise of the targeted and determined attackers who are willing to go to almost any level of expense, time, and effort to penetrate a victim’s network. What we’ve witnessed over the last few years is that against these types of adversaries, the traditional passive defense security model that focuses on castle-building and development of better detection systems is failing. The only option this strategy offers organizations is continuously escalating spending on additional passive defensive measures that do nothing more than slightly delay the inevitable compromise by a targeted attacker. Meanwhile, the adversaries are able to overcome these passive countermeasures at a fraction of the cost.

The reality is that existing security solutions merely focus on improving detection rates and attempting to swat away adversary intrusions, instead of fundamentally raising the cost and risk to the attackers. Basic probability theory tells us that even if these solutions are able to achieve an effectiveness rate of 99%, all that means is that a persistent attacker has to attempt to compromise the network just 250 times before he has an over 90% chance of success1.

In its July 2011 strategy, the US Department of Defense, after suffering numerous severe breaches from foreign intelligence services, proclaimed that it is changing its strategy to “employ an active cyber defense capability to prevent intrusions onto DoD networks and systems.” It is time for the private sector to adopt the same strategy, which focuses on raising costs and risks to adversaries in an attempt to deter their activities, and thus put an end to the never-ending passive fielding of intrusion attempts.

Active Defense is NOT about “hack-back”, retaliation, or vigilantism. At CrowdStrike, we are fundamentally against these tactics and believe they can be counterproductive, as well as potentially illegal. Instead, an effective Active Defense strategy needs to focus on all 4 of the following key elements:

  1. Real-time detection of adversary intrusion attempts into our systems and networks that focuses on identifying their unique tradecraft and essential mission objectives, as opposed to easily changeable indicators of compromise
  2. Attribution of threat actors in order to understand their identities, intent, and mission objectives - both of the intruders themselves, as well as of those who may be tasking them to steal or receive stolen intellectual property
  3. Flexibility of response actions that include traditional passive defense options such as prevention and alerting, but also deception, containment, tying up adversary resources, and creating doubt and confusion while denying them the benefits of their operations. This furthers the goal of increasing attacker's costs and empowers defenders to collect additional intelligence on the adversaries and their tradecraft, while simultaneously preventing damage to their networks
  4. Intelligence dissemination to facilitate corrective and deterrent action. This can include real-time information sharing designed to deny the adversary the use of their tradecraft, not just specific tools, against a wide range of victims. This also enables joint action with other industry partners and government agencies to employ civil litigation, trade sanctions, and criminal prosecution tools against the threat actors

We agree with the US government that the time for passive countermeasures has long passed and it is necessary to engage in a new Active Defense strategy, aimed squarely at the determined adversaries that we currently face.

That’s why today we’re announcing the launch of CrowdStrike Falcon, a Big Data Active Defense platform that is the technology implementation of an Active Defense strategy. It is in private beta, and will be available soon to enterprises and government agencies to enable them to effectively deal with the targeted attack problem.

For the past 15 months, our incredible team of world-class architects and engineers, who have joined CrowdStrike from companies as varied as Apple, Amazon, Google, VMware, Microsoft, and Blizzard, to name just a few, have been hard at work designing and building this radically new security model. We are very proud to continue pioneering our work with some of the the most sophisticated and frequently targeted enterprises and government agencies on the planet who are road testing our technology in private beta.

Stay tuned to this blog and our website as we unveil more details about the groundbreaking CrowdStrike Falcon platform in the coming weeks or request a tech briefing and inquire about private beta participation now.

While the aspirations of our adversaries to plunder our intellectual property and even damage our critical infrastructure are unlikely to change, it is past time that we alter the economics of this battle. We all have a responsibility to deny them the weeks, months, and years of near unfettered access they currently enjoy in many of our networks. We believe the way to do this is to intimately understand the people and groups responsible for these activities and their tradecraft so that we can raise their costs and risks, make them less effective, and ultimately deter them from accomplishing their objectives.

 


1Aside Probability 101 refresher: 1 - 0.99250 = 91.9% chance of success (assumes detection events are independent for the sake of simplicity, a more accurate model is more complex)