pixel_dreams - Fotolia

Detection vs. prevention: Ponemon report points to controversial trend

A Ponemon Institute report highlights the biggest risks to endpoint security, and what IT professionals plan to do to fight back, including one controversial tactic in malware protection.

The Ponemon Institute has surveyed hundreds of IT security practitioners to determine the most pressing risks to endpoint security, and in the process has uncovered what soon may be a controversial new trend in malware detection vs protection.

The Traverse City, Mich.-based research firm this week released its 2015 State of Endpoint Report to study the risks facing the myriad endpoint devices that inhabit the average enterprise network. As has been uncovered in other studies, the Ponemon research shows that IT security practitioners believe negligent or careless employees are the biggest threat to endpoint security.

Dealing with shadow IT

According to the Ponemon report, the rise of several key computing trends has contributed to insecure endpoints: IT practitioners surveyed said the use of cloud applications (73%), BYOD (68%) and employees who operate from home offices and offsite locations (63%) have significantly increased endpoint security risk.

Ponemon Institute Chairman and Founder Larry Ponemon said it may not be the employees' fault, but more of a reflection of how quickly times have changed.

Said Ponemon, "I don't think anyone 5 to 10 years ago predicted how quickly we would shift to cloud services and the shadow IT."

Three-quarters of respondents indicated that their mobile endpoints have been a target of malware in the past year, up from 68% in 2013. Other security experts are seeing the same trends.

"The increase of cloud usage and mobile devices present in the network is undoubtedly an endpoint security risk to organizations," said Luke Klink, security program strategy consultant for Indianapolis-based Rook Security. "The desire to be connected 24/7 through mobile devices and access data wherever (cloud storage) has driven the need for corporations to formally assess and create detailed strategies to protect company and client data."

According to Larry Ponemon, the pain caused by BYOD and shadow IT is leading to a shift in how IT is approaching the detection vs protection question, and the survey shows that IT is optimistic about handling the new challenges through increased use of threat intelligence, "detect and respond" policies, and big data. In the next 24 months, 30% of respondents said they will implement "detect and respond" procedures, and 41% said they will start using big data to enhance endpoint security.

'You can't build the perfect fortress'

The prevailing enterprise security strategy in the past has been to focus on prevention, relying on security technologies like antivirus and firewalls to keep malware out, but the survey highlights how more organizations are moving toward what Ponemon calls a "detect and respond" method, emphasizing rapid detection over prevention.

Larry Ponemon said that IT professionals are starting to realize that prevention is both costly and nearly impossible. Instead, organizations are investing in security intelligence and big data tools in order to rapidly detect, identify, and respond to malware.

The need to gather more malware intelligence to enable rapid detection and response has led to a new practice – using standard network endpoints essentially as honeypots -- that has proven controversial among security analysts.

"You loosen the chains on the firewall and make the endpoint device a sensor and the first line of defense," Ponemon said. "If you sandbox the infected endpoint, you can learn what is attacking you -- the attack vector and the purpose of the attack -- and be able to respond appropriately."

The idea is a departure from the established practice of using a traditional honeypot to attract malware. Ponemon claims that honeypots can be limited because they have artificial boundaries, while a researcher can learn more about an attack by allowing malware onto a real device.

However, Ponemon said this can be a big risk without the right safeguards, isolation techniques, and ability to respond to the data being collected. If done right, he describes it similar to a vaccine -- letting in some of the bad in order to make an enterprise's defenses stronger.

Jason Brvenik, principal engineer at San Jose, Calif.-based Cisco Systems Inc., understands this course of action, to a degree. He doesn't like the idea of intentionally allowing malware into an enterprise environment, but noted that organizations understand that infections are inevitable. The aim of any enterprise, Brvenik said, should be to gain better visibility into threats in order to reduce time between breach and recovery, and share that data throughout a network and beyond.

"It isn't so much a vaccine for the singular person, but a vaccine for the entire community," said Brvenik. "When one person gets sick, all members of that community and their neighboring communities are immediately vaccinated and the sick person and their doctors know everything there is to know about the progression of the illness and how to cure it themselves."

Josh Shaul, vice president of product management at Chicago-based security and compliance vendor Trustwave Inc., noted that the use of a honeypot is already difficult enough without a skilled team in place to manage it, and said that an isolated network is key to making the honeypot concept work. He believes that the use of traditional honeypots offers valuable threat intelligence data, while mitigating the risk associated with the use case Ponemon describes.

"I think this particular trend is interesting and potentially concerning, "said Shaul. "We wouldn’t advise our clients or anyone to follow a tactic that disables layers of defensive technology in a live production environment that contains sensitive systems. We’d encourage those who want to use this tactic for research purposes to do so on an isolated network. If those honeypots were running on the internal network alongside real, valuable data and exposed to attackers on the Internet, they become a data breach waiting to happen."

Next Steps

Always consider threat intelligence vs. risk when planning your cybersecurity.

Dig Deeper on Information security policies, procedures and guidelines