Why better security prevention that doesn’t rely on detection is possible

How important is preventing security breaches?

Regardless of your answer, most organizations spend the bulk of their budgets on prevention. And even as we allocate more to detection and response, prevention remains a focus. Curious, then, that a lot of our preventative controls actually rely on detection of bad actions and malicious code.

What happens when new techniques evade signatures and bypass sandboxes?

Perhaps the answer lies in rethinking our approach to prevention. An approach that doesn’t rely on detection.

That’s what Dotan Bar Noy (LinkedIn), CEO and Co-Founder of ReSec suggested during a recent conversation. Dotan (Lt. Commander Israel Navy. RET) has more than 10 years of management experience in technology and software companies. Prior to founding ReSec, he served as Director at Issta (listed ISTA.P), CEO of G.F.A. Systems, and CEO of “STUDENTS.” Dotan holds a BA in Economics & Management from the Israel Institute of Technology (Technion) and an MA in Law from Bar-Ilan University.

When we talked, he captured my interest by explaining what seemed like a blend of whitelisting, application proxy, and intrusion prevention technology — with the added twist of deconstructing and rebuilding files at line speed. Admittedly, I’m using experience with older approaches to try to categorize Dotan’s vision.

It got me thinking.

Hopefully it does the same for you, too. Here are the five questions and answers that came from our discussion.

What sparked the start of ReSec and your unique approach to prevention?

We came from a world of physical gateways where you’d put a CD or USB drive on one side, it went through multiple Anti-Virus scan engines, and was delivered to the other side. Multi-scan, by definition, will have a higher chance of detection than a single AV tool. But a “standalone” USB station is irrelevant to today’s enterprise needs and multi-scan AV is irrelevant in dealing with today’s threats.  

The question became, can we do that in the digital, network realm but better by ensuring a definite clean result for the content that passes through?

It led us to a very different approach than the rest of the market, which is focused on detecting the threat. Their challenge is that they need to see the threat to understand it, and only then to try and stop it. But the idea behind ReSec hinges on a single change in perspective: we assume that anything can be an attack. From there, it becomes possible to prevent attacks without needing to know and understand them.

How do you approach building the concept of a physical gateway into an enterprise solution?

Early on, we realized that the location for this technology needed to be on the perimeter of the enterprise along with the gateways and all of the other changing technologies. It also had to “reach in” and include endpoints like CDs, USB drives, and anything else that doesn’t necessarily go through a defined perimeter gateway. But it really had to do all of this without affecting the user experience or hindering their productivity. In fact, it had to enable the user to come closer to the way they work at home without putting the enterprise at risk.

The other shift in mindset that guided us was that hackers need a foothold within the enterprise, and they need a file to download to the user’s endpoint. File types provided the best path to prevention. You look at programs like Microsoft Office or standards like PDF and you have a finite number of elements to learn, assess what to keep and discard, and identify where the vulnerabilities might be.

By pairing this with a rules-based approach that can be modified for each customer and user group in accordance to enterprise active directory, we were able to create a user experience that doesn’t have the false positives and bottlenecks of other approaches, while giving the enterprise security team the peace of mind that they are secure.

What does it mean to prevent an attack without first detecting it? How does that work in terms of reconstructing files?

We didn’t like the focus of traditional solutions that can only protect against what they see from comparing to a signature or triggering behaviors. Detection is not a pre-requisite for prevention…if you can execute the steps of prevention efficiently and effectively.

Our Content Disarm & Reconstruction (CDR) technology focuses on file types in order to deconstruct and rebuild each one into a fully functional but safe copy based on the rules. For us, that required clearing two big hurdles:

• the files that we created had to be fully functional, and

• it had to be highly scalable and work at line speeds in an enterprise.

Instead of looking at time expectations that people have of sandboxes, we measured ourselves against anti-virus scan speed to ensure real-time file delivery. And in respect to stopping threats – this is a “military grade” solution tailored to fit an enterprise’s day-to-day needs.    

How does this approach work in our changing threat landscapes? How does it help with ransomware?

Today’s cyber criminals are running a business. They have developed personalized malware and dynamic variants that can slip past traditional systems, and get a foothold inside of an enterprise by using common files like Microsoft Office and PDF and adding a malicious payload that could contain ransomware or any number of threats.

Our CDR technology doesn’t really care what the particular payload is…it reconstructs files without the elements of the file that are not relevant to it being a functional file for the end user or in accordance to his permitted set of rules created by the enterprise. It can also work on links in messages to address other vectors and methods of attack.

We’ve tried to build a solution that is agnostic to the threat so that it removes all of the issues IT departments have to deal with to stay current. For example, one of our clients was already targeted in a Locky attack while it was still an emerging threat. A CISO needs to analyze the current threats and what will be in a year from now and compare to where his enterprise is most vulnerable – email? FTP? Vaults? End user introducing USBs? Web browsing? One or more of those? And focus on the one to start with. We had a customer that, after the Target attack, implemented ReSec in his FTP and a few months ago, correctly anticipated the ransomware wave and deployed the solution to his emails as well. It is this kind of careful ever-updating analysis of the cost of doing security vs. the risk and cost of a breach that needs to lead decision making.

What steps can a security leader take today to embrace the mindset and approach of preventing without the need to detect?

The industry has gotten used to rewarding security solutions for detection. How many alerts is my system generating today? It’s also an industry that can’t seem to shake old technologies, even if they are proven to be largely cosmetic.

We’re not saying that you should throw out AV, but you need to think differently about it and understand what it is – and what it isn’t. Consider the approach of blocking macros and restricting file types in accordance to user groups. Then think of how many people in your organization are potential targets of an organized and motivated group of people who are studying behavioral economics and psychology, all with the goal of creating innovative ways to get someone to click the wrong button or open the wrong file.

At the end of the day, choosing detection as the path to prevention is a choice to match efforts and investment with the enemy. They get to make the first move, and they’ll eventually win, and for some reason, the industry has become OK with that. Just ask yourself, what happens if an employee gets an email and opens the wrong file? And think about what happens next? That should be enough to get people to reconsider their approach.