In cybersecurity circles, there's a common axiom: "There are two types of companies: those that have been breached and those that don't know they have been breached." If the phrase sounds like doom and gloom, it's meant to, because the harsh reality is that almost every company will suffer a cybersecurity breach. Businesses can spend and spend on the latest and greatest security technology and still get breached for a number of reasons, including user-related issues. The challenge for businesses is to find the breach as soon as possible and return to normal operations as quickly as possible.

To understand the current risks and how to recover from them, I interviewed Keith Bromley, Ixia's senior solutions marketing manager and originator of the concept of "security resilience," an architectural model for recovering from a breach.

--------------------------------------------

Welcome, Keith. Can you please describe the current state of security as you and Ixia see it?

Keith: It's becoming evident that traditional security defense models are failing. It's not a question of if your network will be breached, but when. News broadcasts over the last several years have shown that most enterprise networks will be hacked at some point. In addition, it usually takes most IT departments months to notice the intrusion. According to the Ponemon Institute, the average time for breach detection is 191 days, i.e. more than six months. This gives hackers plenty of time to find what they want and exfiltrate whatever information they want.

I have a few interesting data points I would like to cite:

- A study by Ponemon in February 2018 found that 80 percent of cybersecurity and IT experts anticipate a catastrophic data breach at their companies by 2021.
- The same study found that in 2017, the cost of a cyber breach increased 22.7 percent over 2016.
- According to the Global Cyber Risk Perception Study by Marsh and Microsoft from February 2018, only 30 percent of businesses have a cyber defense plan.

Those are frightening statistics. What's your takeaway from them?

Keith: One of the things we have noticed is that most breaches take place over the course of several days. These aren't just short-term incidents, but are often long-term actions. Based upon this information, a rapid response to security threats could help minimize the cost of a breach by stopping the ongoing infiltration in a shorter period of time. Unfortunately, this isn't the norm. So what if that six months could be reduced to one month? Or maybe reduce it further to one week, or how about just one day? What if you could go further? That should be of interest to every organization.

If that is of interest, what can security professionals do?

Keith: First off, there are three common security approaches that people use: best effort, regulatory compliance, and defensive security.

Best effort is a familiar scenario for most IT shops. Either the security engineer, an executive or another leader has said, "We need to install some level of security." This typically involves implementing firewalls, basic security components, and maybe some basic auditing and monitoring.

The next rung up the ladder is regulatory compliance. This is often an executive-level initiative. The thought is that business needs compel the company to be compliant with PCI, HIPAA, or some other standard. One might think this would make the security architecture more robust. Unfortunately, while compliance may be necessary for auditing purposes, it does not guarantee security.

The third level is essentially the defensive approach: "I'm going to make this network so secure that no one is going to break into it." This is when all those inline and out-of-band devices are deployed. You can even create defense-in-depth strategies for prevention. For instance, if someone gets through port 80 on the firewall, the next step is to challenge the data with DPI (deep packet inspection). There are other things you can do as well, like implement prevention, detection, and response processes.

Unfortunately, these architectures all have at least one thing in common: They don't work. Someone always gets through the defenses. A better strategy is needed. At Ixia, we're calling this network security resilience.

Can you define what you mean by resilient security and how it works?

Keith: Resilience is defined as the ability of an entity to return to its original form after being bent, stretched, or compressed. From a security perspective, we are specifically talking about the ability of an IT network to recover to normal, steady-state operations after a security attack and breach have occurred.

It's not an altogether new concept, but at the same time, it doesn't get as much attention as the defensive approach. However, from the perspective of a breach, security resilience is one of the most important activities one will ever perform, because the "time to observance" and "time to remediation" can be reduced. In short, you get attacked, defenses get breached, the network is compromised, the threat is discovered, the damage is fixed, and then the network is secure again.

While prevention should always be a key security architecture goal, a resilient architecture goal focuses on recognizing the breach, investigating the breach, and then remediating the damage as quickly as possible.

How does the resilient approach differ from the other ones? Can you give specifics?

Keith: A resilient approach enables organizations to do a number of things, such as strengthen their capabilities to better defend against attacks, maximize their ability to rebound from attacks, and minimize the severity and cost of security breaches.

Network security resilience, then, is the set of activities that can be conducted to help the network after the breach happens. So to be clear, the best effort, compliance, and defensive strategies we talked about earlier are all focused on preventing a breach. This security resilience strategy is about "after breach" activities.

If businesses want to embrace network security resilience, what are some initiatives or technologies they can deploy to move them in that direction?

Keith: Each one of the activities could be an interview in itself, but I'll try to summarize.

- Deploy threat intelligence gateways to prevent the exfiltration of data to known bad IP addresses.
- Use application intelligence to help find indicators of compromise (IOC).
- Decrypt TLS (and SSL)-based monitoring data with a network packet broker (NPB) to distribute data to forensic tools for faster analysis.
- Implement adaptive monitoring using the automation capabilities of an NPB to respond to SIEM instructions in near-real time, passing suspect monitoring data to data loss prevention (DLP) tools for analysis.
- Install a security attack replay capability to capture security data and view it in the lab to acquire a tactical analysis of how the breach took place.
- Conduct cyber range training so security engineers can recognize threats faster and practice responding to them properly.
- Use threat simulation capabilities in your security lab to better understand how a particular threat behaves so you can understand what it touches.
- Capture and filter monitoring data, and then send that data to a purpose-built device to look at traffic patterns and IOC.

Thanks, Keith, that was great. Any last words?

Keith: I understand the need to focus on preventative measures, but every company needs to be prepared for a security breach. The bad guys are moving too fast and have advanced machine learning-based tools. It's impossible to defend against every type of attack. Playing defense is certainly important, but more emphasis needs to be placed on recovering after a breach.
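As an added example (not Ixia's or Keith Bromley's code) of the first and last initiatives in the list above, here is a threat-intelligence-gateway-style egress check: it matches captured flow records against a list of known-bad destinations and reports, per internal host, how much data went to them and how long that went unobserved, i.e. the "time to observance" the interview wants to shrink. The indicator list, the flow records and their timestamps are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed "known bad" destinations (RFC 5737 documentation ranges, not real
# hosts). A real threat intelligence gateway would load a vendor or community feed.
THREAT_INTEL = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


@dataclass(frozen=True)
class Flow:
    ts: datetime      # when the flow was observed
    src: str          # internal source address
    dst: str          # external destination address
    bytes_out: int    # bytes sent from src to dst


def matching_indicator(dst: str):
    """Return the CIDR indicator that covers dst, or None if it is not listed."""
    ip = ipaddress.ip_address(dst)
    return next((str(net) for net in THREAT_INTEL if ip in net), None)


def review_egress(flows, detected_at: datetime):
    """Per internal source, total the bytes sent toward listed destinations.
    'dwell' is the gap between the first matching flow and the moment the
    analyst or SIEM looked at the data (the time to observance)."""
    report = {}
    for f in sorted(flows, key=lambda f: f.ts):
        hit = matching_indicator(f.dst)
        if hit is None:
            continue  # ordinary egress, nothing to flag
        entry = report.setdefault(f.src, {"first_seen": f.ts, "bytes_out": 0, "indicators": set()})
        entry["bytes_out"] += f.bytes_out
        entry["indicators"].add(hit)
    for entry in report.values():
        entry["dwell"] = detected_at - entry["first_seen"]
    return report


# Constructed sample flows: 10.0.0.5 sends to the listed /24 on two days,
# 10.0.0.9 touches the single listed host, and one flow is benign.
SAMPLE_FLOWS = [
    Flow(datetime(2018, 2, 1, 9, 0), "10.0.0.5", "203.0.113.45", 500_000),
    Flow(datetime(2018, 2, 1, 9, 5), "10.0.0.5", "93.184.216.34", 1_200),
    Flow(datetime(2018, 2, 1, 10, 0), "10.0.0.9", "198.51.100.7", 2_000),
    Flow(datetime(2018, 2, 2, 9, 0), "10.0.0.5", "203.0.113.46", 750_000),
]

if __name__ == "__main__":
    for src, e in review_egress(SAMPLE_FLOWS, SAMPLE_FLOWS[-1].ts).items():
        print(src, e["bytes_out"], sorted(e["indicators"]), e["dwell"])
```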