Q&A: The end of 'Detect and Protect' cybersecurity measures

(Image credit: Shutterstock/jijomathaidesigners)

1. You’ve launched a call to action to the security industry to stop investing in ‘detect and protect’ solutions and prioritise transformation. What does this mean and why is this a passion of yours?

‘Detect and protect’ technologies, such as data loss prevention systems, anti-virus solutions, sandboxing, etc., are not sophisticated enough to identify highly evasive zero-day attacks. These attacks are constantly evolving and becoming ever more sophisticated. As digitally pure data-on-demand becomes the new holy grail, organisations need to focus on finding ways to transform digital content so that it is completely threat-free rather than “best endeavours” threat-free.

I became particularly passionate about the need to shift away from ‘detect and protect’ technologies after an 'interesting experience' a few years back. At that time, I was running one of the largest global cybersecurity practices for a major outsourcing business. I was invited to go and explain to our largest customer -- a prestigious USA Fortune 30 brand -- why they had suffered multiple cyber breaches over a 3-month period, despite us re-assuring them that they had the best detection capability that money could buy. After listening carefully to my explanation that our cybersecurity detection-based technologies offered no absolute guarantees around breaches, a particularly eloquent board member simply said, "Dan, this best endeavour approach to detection gives us, as a business, unquantifiable business risk -- that's unacceptable to our shareholders."

That statement haunted me, but it was a light-bulb moment when I realised that detection-based cyber defences don't, and never will, cut it. The penny dropped for me that society needs to move beyond detection.

2. What are the drawbacks to ‘detect and protect’ technologies?

There are several drawbacks to ‘detect and protect’ technologies. Most notably, the bad guys are better at attacking than organisations are at defending, and ‘detect and protect’ technologies can’t keep up. The cyber threat landscape is constantly evolving, and cybercriminals are making a career out of finding new flaws and tactics for attack, so it’s becoming increasingly difficult to predict their next target.

‘Detect and protect’ solutions also require significant overhead to monitor the data that is moving through the environment. According to research, the annual cost to maintain detect-to-protect endpoint security for a 2,000-person organisation is more than £12M. In addition to the ridiculous cost to maintain, the most intelligent solutions will either not detect the most sophisticated threats or be so reactive that it results in an unsustainable number of alerts and false positives, all distracting security professionals from dealing with the main issue of bad actors already bypassing the defence system.

3. How do transformation solutions better protect organisations from cyber threats in content, such as zero-day exploits and ransomware?

The only way that organisations can truly defend against content threats, such as zero-day exploits, is by preventing the attack code from even entering the organisation.

Currently, ‘detect and protect’ solutions operate at the network boundary. They attempt to identify malicious elements within content based on evidence of previously seen malware and, if the content is deemed safe, allow it to enter. However, with detection solutions catching at best 95 per cent of cyberattacks, at least 5 per cent are still making it onto the organisation’s network.

Content threat removal (CTR) uses a transformational approach to the problem. Digital content such as OfficeX documents, PDFs and images is intercepted at the boundary and is prevented from proceeding. This content is then transformed. During transformation, the business information is extracted from the content and the original file is discarded. After verifying its integrity this content is then used to create a completely new file that is allowed to cross the boundary. Transforming content in this way ensures that none of the original file structure or hidden data, code or malware is ever allowed to cross the boundary.

So, the user receives a completely new document, which is identical to the naked eye, in a fraction of a second, far quicker than it takes to scan or sandbox, and with the certainty that the content is threat-free.
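The answer above describes the transformation pipeline in three steps: extract the business information, verify it, then build a brand-new file from that information alone. The following Python program is an added illustration of that pipeline and is not code from Deep Secure or from the interview. It assumes a constructed, DOCX-style OOXML package in which only paragraph text counts as business information; the package name, the hidden XML namespace and the "macro" and metadata parts in the sample are all constructed for the example. Everything that is not extracted and verified, including the original zip container, is discarded rather than filtered.

```python
"""Toy content-threat-removal transform for a DOCX-style package (added example).

Pipeline: extract_paragraphs -> verify -> build_package. Nothing from the
original container is copied across; the output is serialised from scratch.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
XML_SPACE = "{http://www.w3.org/XML/1998/namespace}space"

# Text that should never appear in a paragraph: C0 control characters
# (other than tab, LF, CR) and DEL. Such input fails verification.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_PARAGRAPH = 10_000

# Minimal package plumbing written fresh for every output file.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>'
)
ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/officeDocument" Target="word/document.xml"/></Relationships>'
)


def extract_paragraphs(package: bytes) -> list:
    """Step 1: read only word/document.xml and keep only w:p / w:t text."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    # Elements outside w:t (foreign namespaces, comments, fields) are ignored.
    return ["".join(t.text or "" for t in p.iter(W + "t")) for p in root.iter(W + "p")]


def verify(paragraphs: list) -> list:
    """Step 2: check the extracted information; fail closed on anything odd."""
    if not any(p.strip() for p in paragraphs):
        raise ValueError("no business content found; refusing to pass the file")
    for text in paragraphs:
        if CONTROL_RE.search(text):
            raise ValueError("control characters in paragraph text")
        if len(text) > MAX_PARAGRAPH:
            raise ValueError("paragraph exceeds size limit")
    return paragraphs


def build_package(paragraphs: list) -> bytes:
    """Step 3: serialise a brand-new package containing only the verified text."""
    ET.register_namespace("w", W_NS)
    doc = ET.Element(W + "document")
    body = ET.SubElement(doc, W + "body")
    for text in paragraphs:
        t = ET.SubElement(ET.SubElement(ET.SubElement(body, W + "p"), W + "r"), W + "t")
        t.text = text
        if text != text.strip():
            t.set(XML_SPACE, "preserve")
    document_xml = ET.tostring(doc, encoding="UTF-8", xml_declaration=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def transform(package: bytes) -> bytes:
    """Full CTR pipeline: the input container never reaches the output."""
    return build_package(verify(extract_paragraphs(package)))


def list_parts(package: bytes) -> list:
    """Helper for inspection: names of the parts inside a package."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return sorted(zf.namelist())


def make_sample_package() -> bytes:
    """Constructed input: real text plus a hidden element, a 'macro' blob and metadata."""
    document_xml = (
        '<?xml version="1.0"?><w:document xmlns:w="%s" xmlns:x="urn:constructed-hidden">'
        "<w:body><w:p><w:r><w:t>Quarterly figures</w:t></w:r></w:p>"
        "<w:p><w:r><w:t>Hello</w:t></w:r><x:payload>secret-that-must-not-cross</x:payload></w:p>"
        "</w:body></w:document>" % W_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/vbaProject.bin", b"\x00CONSTRUCTED-MACRO-BLOB\x00")
        zf.writestr("docProps/core.xml", "<core><creator>constructed author</creator></core>")
    return buf.getvalue()


if __name__ == "__main__":
    clean = transform(make_sample_package())
    print(list_parts(clean), extract_paragraphs(clean))
```

The design point is that `build_package` never sees the input bytes: even a structural trick the parser did not recognise cannot survive, because the only thing carried across is a list of verified strings. The cost of that guarantee is fidelity (formatting, images and anything else outside the extraction rules are lost), which is the trade-off the answer above accepts in exchange for certainty.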

4. Will we see cyber security companies abandoning existing detect and protect solutions in search of new transformation technologies?

There is still a role for detection solutions, but the industry can no longer present them as an end in themselves. Instead, collaboration between transformation and detection vendors will be critical to delivering a flawless, unfragmented cybersecurity defence.

In practice, for example, the collaboration between prevention and detection solutions will be key to mitigating the insider threat. The recent case of Chinese engineers exfiltrating confidential information about General Electric’s turbines shows the potential of transformation technology: had GE used CTR, the information that they concealed in pictures of sunsets, using steganography, would have been stripped out at the border of the organisation, and so they would have received only the sunset picture (without the concealed information) when they tried to access it outside the organisation’s network. The role of detection technologies in this story is that when we start frustrating criminals’ attempts to exfiltrate hidden information, they have to try to get it out of the organisation in plain sight. This is then much easier for a data loss prevention technology to identify.

Partnerships between prevention and detection cybersecurity vendors will be key. That’s why we’ve partnered with McAfee, securing content sent through their McAfee Web Gateway. Working as part of a connected security ecosystem, combining diverse expertise and solutions for stronger protection, we are making it impossible for hackers to break through. Indeed, the integration of these technologies shows what can be achieved when security experts join forces.

5. What do you believe are the barriers holding companies back from shifting away from ‘detect and protect’ technologies? (i.e. profits)

For too long, cybersecurity companies have relied on the status quo of ‘detect and protect’ technologies, becoming resigned to just improving the pass-rate of ‘detect and protect’ rather than eliminating threats entirely. Despite their inefficacy, one of the major barriers to shifting away from these kinds of technologies will be changing the long-established acceptance of the industry-standard “detect and protect” cybersecurity strategy in favour of solutions that guarantee to defeat 100 per cent of content threats. To achieve this, a significant mindset shift amongst ‘detect and protect’ vendors, as well as a significant investment in R&D for novel solutions, will be required.

6. What changes does the industry need to make?

It’s time for organisations to challenge the “it’s when, not if” mantra when it comes to cyberthreats, which is leading the cyber security industry and businesses alike to lower their expectations for defending against cyberattacks.

Cyber security companies have resigned themselves to improving the pass-rate of “detect and protect” rather than eliminating threats entirely. To truly defend against cyberattacks, organisations need to do away with the industry-standard “detect and protect” cybersecurity strategy and leverage CTR solutions that guarantee to defeat 100 per cent of content threats, rather than the “best endeavours” approach that is typical across the cyber security industry.

Customers too have a part to play. They need to stand up and join in this call to action, demanding that the cyber security industry stop trying to shore up fallible detection-based solutions and design solutions that match the evolving capabilities of modern hackers.

Embracing defences that transform rather than detect is the best way to meet the need for digitally pure content and answer the charge made by the aforementioned board member, addressing once and for all the “unacceptable” and “unquantifiable business risk” of cyberattacks concealed in content.

Dan Turner, CEO, Deep Secure