
Cybersecurity’s Focus On Prevention Is A Vulnerability


Can hacking be stopped? As the conventional cybersecurity industry focuses on prevention, its profits reach into the billions and hacker profits exceed those of the illegal drug trade. CIO and CTO leaders are conditioned to accept that they will be hacked, shelling out millions in remediation contracts. As the industry collectively face-plants on prevention, however, our enterprise cybersecurity team has a 100% success rate focusing on detection.

Because you most assuredly believe we’re full of “you-know-what,” we need to break down why a hack can’t be stopped, and why a strategy focused on prevention alone will fail every time.

What is dwell time, and why does it matter?

The term “dwell time” is common in cybersecurity. For the uninitiated, it’s the time a hacker has actually been in your network before you find them. Last year the average dwell time was 99 days, and one big reason this number is so high is cybersecurity’s focus on prevention, not detection.

Hackers’ dwell time is long because of their crafty ways of hiding their footprints once they have broken through your defenses. They modify log files to hide the fact that they are inside your organization. Unlike Word files, log files don’t have a track-changes feature.
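The point above is that a plain log file carries no record of its own changes. As an added defensive illustration (not code from this article or from 3 Tree Tech), the Python below chains each log line to the previous one with an HMAC whose key is assumed to live off the logging host, so that an edited line, a reordered line, or a truncated file fails verification; the log lines and key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample log lines for the demo (not from the article).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z sshd: Accepted publickey for admin from 10.0.0.5",
    "2024-01-01T10:05:00Z sudo: admin : COMMAND=/usr/bin/apt update",
    "2024-01-01T10:07:00Z sshd: Accepted password for root from 203.0.113.7",
]
GENESIS = b"\x00" * 32  # fixed "previous tag" the chain starts from

def chain_log(lines, key):
    """Return (line, tag_hex) pairs with tag = HMAC(key, previous_tag || line).
    Every tag covers the tag before it, so editing, deleting or reordering a
    line invalidates that line's tag and all later ones. The key is assumed
    to live off the logging host (e.g. on the collector), so an intruder on
    the box cannot simply re-chain the file after editing it."""
    prev = GENESIS
    chained = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        chained.append((line, tag.hex()))
        prev = tag
    return chained

def verify_chain(chained, key, head=None):
    """Return -1 if the chain is intact, else the index of the first bad line.
    `head` is the last tag as recorded off-host; supplying it also catches
    truncation (lines silently dropped from the end), which a bare walk of the
    chain cannot see. A truncated file reports index len(chained)."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(chained):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    if head is not None and not hmac.compare_digest(prev, head):
        return len(chained)
    return -1

def demo_tamper_detection(key=b"constructed-demo-key"):
    """Rewrite the root login on line 2 the way an intruder might, then verify."""
    tampered = chain_log(SAMPLE_LOG, key)
    line, tag = tampered[2]
    tampered[2] = (line.replace("root", "admin"), tag)
    return verify_chain(tampered, key)  # 2: the edited line is flagged
```

Shipping each line's tag to a collector as it is written is what makes the chain useful: the verifier compares against the copy the intruder could not reach.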

As cybersecurity partners sell their vast array of security products, the cost of intrusions still rises, approaching $13 million per incident. The hacking industry itself is a 6 trillion dollar business. Hackers have all of the new products you have, they have their own test labs, and they know how to beat your firewall before you have it installed.

There’s a simple reason for this problem: The cybersecurity providers most enterprise companies work with today focus on prevention, not detection.

Why Conventional Cybersecurity Solutions Can’t Prevent Hacking

There are a few suggestions your security partners will recommend for building an iron-clad prevention program, but they’re severely flawed. It’s necessary to understand why these solutions fail, and why our detection strategies do not.

1. Can Firewalls Prevent Hackers?

Can hacking be stopped with a firewall? No.

No matter how state-of-the-art your prevention attempts are, a hacker only needs to get onto a laptop, endpoint, or server, open a command prompt, and type ipconfig. The output lists your default gateway, which is essentially the egress point and IP address of your firewall. There may be a layer 3 switch in the way, but ultimately they will get to your firewall.

Once they have access to your network, they send an ARP request. An ARP request is not malicious code; it innocently crawls the network, asking every device to simply reply with its status, and receives device names, IP addresses, and what patching has and has not been done. This is a fairly normal request, but for a hacker this routine handshake with other devices exposes weaknesses. Firewalls are useless in this scenario. But what happens in a scenario where no device is compromised?

There are over 3 MILLION known cyber threats potentially in use in the world today, and even the most sophisticated firewall can’t keep up its throughput while looking for over 3 million threats in real time. So firewall vendors had to invent clever ways to manage threats.

In the same way your flu shot only protects you against the top 3 or 4 strains in your area, firewall vendors look for a limited set of threats. Your body can’t possibly be vaccinated against everything without killing you, and your network can’t defend against every virus without frying. Enter AI.

2. Can AI Prevent Hacking?

Can hacking be stopped with AI? No.

AI is incredible in the preventative space, but it’s still a step behind. Hackers still have the ability to get into your network and modify the log files before they are detected. This is because AI still needs to learn, and in the time it takes to learn, it’s defeated. You don’t want your security predicated on something that takes time to learn. You need to know about never-before-seen threats.

Let’s say the not-so-friendly global community of hackers came out with 100 new threats today. Your AI/machine learning security needs an unspecified amount of time to learn and understand each threat, and by the time it learns, there are 40 more, maybe 50, and perhaps tomorrow there are 200 new threats. AI-driven security still needs time you don’t have; every day the gap widens. In my X-year cybersecurity career, I have yet to hear of an AI solution that tells you what it’s learned today. This problem is why many companies turn to intelligence.

3. Can Intelligence Prevent Hacking?

Can hacking be stopped with intelligence? No.

Most security companies that sell threat feeds have a large global team or network of cybersecurity sleuths who share the latest threats they discover all over the web. At Verizon, I was part of a weekly threat team that discussed and shared the new threats we found every week, publishing a weekly intelligence summary for the customers who paid for this service. There’s one flaw with this process as well: hackers got our updates.

Threat actors not only have test labs but also find clever ways to subscribe to these update services by posing as legitimate businesses. The second a cybersecurity intelligence company publishes an intelligence update, hackers know their time is up and move on, meaning the threat every enterprise customer is now protected against likely won’t even be used against them.

It’s like a police officer watching the Waze app. As soon as he sees he’s been marked on the map, he moves, and you still get a speeding ticket. Cybersecurity intelligence efforts are just as effective. When you peel back the layers, these state-of-the-art solutions and massive security teams we all trust are more show than security.

4. Can SIEM and Log File Review Prevent Hackers?

Can hacking be stopped with SIEM and more frequent log file review? No! (is there an echo in here?)

For the reasons above, if you use a SIEM solution or review log files as part of your security protocol, that’s a good start, but if it’s the sum total of your efforts you will be breached at some point, because you can’t validate whether a log file has been modified. You can’t trust it.

SIEM solutions are limited because the system can only find what it is programmed to look for. This is why any conversation with a CIO or CTO about their SIEM solution typically centers on a tidal wave of false positives. If you don’t currently use a SIEM solution for your organization, the moment you do, your alert flow will double. And what happens when you take the time to explore most of those alerts?

Almost every time, the alert is a false positive. You may believe a SIEM solution is security, but it’s more like a digital tattle-tale. Adding insult to injury, SIEM purchases never factor in the cost of properly caring for and feeding the solution. Even if you pay an analyst a large salary to start reviewing log files, he will always be a day behind, and he’s not a real-time 24/7 solution, which is what you need in your network.

Even a PEN test and vulnerability assessment provide zero security, because they are only a snapshot in time and are still looking for “known” threats. Besides, bad actors will wait until after the PEN test or assessment is done to kick things off.

If you do what the conventional cybersecurity industry says, use the best firewall, purchase all of the filtering products, have a SIEM solution, employ an AV solution, perform frequent PEN tests, and execute routine assessments, you’re told you will be safe. But our research matches the reality CIOs and CTOs face every day: they can’t prevent a data breach and they know it.

Organizations that believe in the conventional security model are sitting ducks waiting to be hacked, with their remediation team on speed dial. Is it any wonder traditional security companies make their biggest profit AFTER you get breached?

Can hacking be stopped?

The short answer is yes. Damage from hacking can be stopped when companies build detection methods into their cybersecurity plan, not just prevention methods. The only successful detection technology on the market today, and the one we utilize with our clients, is CyberDNA.

Cybersecurity experts will agree there is no silver bullet, but that’s because they are thinking only of solutions in the 4 traditional (leaky) buckets of prevention, not detection. Detection works where prevention fails. CyberDNA isn’t just a disruptive approach; it will tilt the balance of power to the good guys for several reasons:

What Is CyberDNA and how does it work?

  1. It prevents all (over 3 million) known threats, plus over 50,000 unknown threats not yet identified by the industry.
  2. It’s not on the open market, meaning hackers can’t buy it. The tech also runs invisibly, placing taps with no IP address on your network, meaning hackers can’t see it.
  3. The entire Hunt team leading the effort has secret clearance, most of them with the highest level of security clearance (TS/SCI).
  4. It has a zero-false-positive guarantee and unlimited IR (Incident Retainer) response at no additional charge. (Yes, unlimited IR is included.) Gone are the days of cybersecurity companies making more money from their own failure.
  5. Protecting over a billion endpoints for over 13 years, customers who use this tech have never experienced a compromised network.

This is possible because CyberDNA identifies the hacker within only a few minutes of dwell time, at which point they are discovered and removed, not after the standard days, weeks or months the industry accepts. The tech doesn’t care whether a log file has been modified, because it has complete visibility of the network in real time. The move to detection also has another unexpected bonus for organizations.

The solution ensures entities are always compliant (PCI, PII, HIPAA, etc.), as this technology essentially “records” your network like a massive DVR. Once an intrusion is detected, any changes can simply be “rewound.” Only metadata is sent out; all your data stays on-prem.

If you’re an intelligent CIO, CTO or director, you’ll call BS immediately, and you absolutely should. As a tech researcher, I didn’t think this was real. However, after deploying the detection approach and CyberDNA to some of our customers, doing our best to “poke holes” in this technology, we have become champions of this approach.

Kris Taylor of 3 Tree Tech

Kristopher Taylor is VP of Cyber Security at 3 Tree Tech in Portland. He is a platform-agnostic tech researcher who transitions siloed organizations into automated, DevOps-centric businesses. To get his help, message him right here.

Want to poke some holes?

We are presently setting up no-cost rolling PEN tests for new enterprise cybersecurity clients interested in this approach. Over time, the test will reveal vulnerabilities and remediation steps. The test is led by a senior Hunt team member who will meet your IT team personally and provide detailed reports. Because we are tech researchers, 3 Tree Tech won’t charge you a dime for this work; we only get paid if you integrate a solution.