The ancients’ experience of modern computing was limited, to say the least, but they gave us a nice framework, the Socratic Method, that moderns can use for dealing with the problem of cyber security. The Socratic Method is a process of question and response, designed to challenge and eliminate bad ideas, refine good ideas, and arrive at sound conclusions. If it worked for Socrates, maybe it will work for us. Here is a dialogue that unfolds between Socrates and the Security Architect of, for the purposes of this exercise, the Bank of The Peloponnese.
SOCRATES: What is the problem?
SECURITY ARCHITECT: I need to decide which tool to buy to detect exploit-based attacks.
SOCRATES: Why do you have to detect them?
SECURITY ARCHITECT: Because they use evasive techniques to defeat all of our defenses.
SOCRATES: What do you do after you detect them?
SECURITY ARCHITECT: Strictly speaking, we don’t detect attacks. We detect what we think are attacks. Some are and some are not. Sometimes we miss things. We send alarms on everything we detect and then try to find out which are real and which are false. Then we take action and patch.
SOCRATES: You do this right away?
SECURITY ARCHITECT: Not really. It can take time to find an attack, if we ever find it, and hundreds of days to patch. So exposure can last for hundreds of days.
SOCRATES: Would it help if you did this on the endpoint?
SECURITY ARCHITECT: Less than you think. Most endpoint prevention products are really detection sensors installed on the endpoint. They have the same shortcomings as network detection sensors: they can be defeated and they produce false positives. Plus they add new shortcomings, because they are hard to deploy and affect the stability and performance of the environment.
SOCRATES: It sounds like this. You have resigned yourself to knowing your defenses will be penetrated no matter how hard you try. But instead of stopping attacks, you let them succeed and try to detect them afterwards. There are errors like false positives and false negatives along the way. Then it takes a long time to fix the vulnerability that was targeted in the first place. And other attacks can succeed during this time.
SECURITY ARCHITECT: What’s your point?
SOCRATES: Don’t be rude. I am a highly respected philosopher. My point is that you have defined the wrong problem. You don’t need to detect attacks. You need to stop them. Cyber security is no place for haruspicy.
SECURITY ARCHITECT: I see what you mean. Adding more and more detection, even if it’s next gen, and even if it’s on the endpoint, will only make things worse. New attacks use evasive techniques that defeat them too. What’s worse, relying on detection forces me to spend time and money to study logs, deal with false positives, and guess whether I’ve been compromised or not. While I do this, my enterprise is exposed to undetected attacks and unpatched vulnerabilities.
SECURITY ARCHITECT: So the answer has to be something that stops the attacks before they succeed, without making any mistakes. That will remove the anxiety of ignorance, not to mention the headaches and overhead of trying to find a true compromise in a haystack of log data. If you prevent the attack, there’s nothing to detect, so you eliminate the detection infrastructure, disruptions, and uncertainty. Not to mention false positives and unpatched vulnerabilities.
SOCRATES: Is there a product that does this?
SECURITY ARCHITECT: Now that you mention it, Morphisec uses the concept of Moving Target Defense to prevent attacks from succeeding in the first place. It morphs memory, so attacks don’t have a target to attack, and traps them on the spot, regardless of the evasive techniques they use. It terminates the kill chain deterministically, without rules or detection, before it starts. This eliminates the need for log analysis and the exposure to unpatched vulnerabilities.
SOCRATES: It sounds like your real problem is that exploit-based attacks will continue to defeat your defenses, no matter how many layers of detection and analysis you add. Plus you’ll spend yourself out of existence. But Morphisec stops these attacks and eliminates the headaches of false positives and unpatched vulnerabilities. High return, low TCO, as they say.
SECURITY ARCHITECT: That’s a good way to put it. Even though it’s an anachronism. TCO doesn’t get invented until the 20th century.
SOCRATES: OK smarty pants, I don’t see anyone naming a method of dialogue after you. Any other questions?
SECURITY ARCHITECT: Not really. You’ve helped me define my real problem and stop myself from perpetuating it. I need Moving Target Defense as a foundation that I can build other defenses on. A shaky foundation makes for a shaky house, nervous residents and high maintenance. A solid foundation makes for a solid house, happy residents and low maintenance.
SOCRATES: Residential construction isn’t really my thing, but I appreciate the metaphor. Good luck with Moving Target Defense. Don’t forget to pick up a clay tablet on your way out and rate this dialogue.