​Detect and respond security too little too late: Palo Alto Networks

Palo Alto Networks believes that the best method for protecting a business from a cyber breach is prevention and that security vendors should not succumb to idea of cleaning up the mess after it has happened.

When it comes to cybersecurity protection, focusing on a detect and respond method rather than prevention is basically telling a customer to give up, according to Samantha Madrid, head of network security at Palo Alto Networks.

Madrid said that the firewall-focused security provider works with its customers to be prevention minded, gearing them away from what she called a classic incident response model.

"Frankly, incident response is just too little too late," she said. "It's effective, but you have to think differently. The networks of today are no longer like the networks they were 15 years ago, therefore the technology that you used 15 years ago can't be what you are using to architect and protect your network today."

Palo Alto networks as a whole has over 28,000 customers worldwide, representing more than 140 countries across various industries including enterprise, government, and service provider networks.

Madrid said whilst that statistic extends to Australia, customers, regardless of where they are positioned globally, all have the same questions -- mainly, how can they prevent cyber breaches and how can they prevent their company from winding up on the front page of a news cycle.

According to Madrid, legacy vendors do not provide consistency in the security that they have for traditional corporate perimeters versus the security they would provide a customer for their cloud networks.

"When you have different technologies that aren't consistent, in both how they do and what they do, it makes it very difficult to architect a security posture that is consistent. As a result, cyber attackers take advantage of that because they know your virtual and physical firewall have different capabilities, that you're basically leaving your back door open," Madrid said.

"Providers of these legacy and point products have built their technology for another time and it no longer thwarts today's attackers and they are really falling short in addressing today's cybersecurity challenges which is why their default response is 'it's about remediation'.

"We shouldn't give in to the incident response backdrop when it comes to security. We shouldn't just get in to clean the mess once it's happened, rather we need to architect for prevention."

Shehzad Merchant, CTO for network traffic visibility solutions provider Gigamon, believes it is perimeter-centric security that is actually outdated.

"In our view, it has fundamentally failed," Merchant said.

"If you take a look at what's going on in the industry today, we're seeing these large breaches globally and all of these organisations have invested heavily in perimeter-centric models and yet they're getting breached very easily."

Merchant said the emphasis in the space has now shifted from just prevention, to detection. He said that organisations are now beginning to act under the assumption that they have been or will be breached and therefore understand that they have to detect from within.

"Certainly nobody is going to give up on the prevention model, but my sense is the industry will focus on detection and containment," he said. "But given how easy it is to bypass firewalls, I think the industry is going to invest more in traffic monitoring."

Merchant said that big players like Google have completely done away with a perimeter firewall, and have adopted the perspective that firewalls are no longer effective. He also said Netflix has done a similar thing.

"These are some extreme examples, but I think they underscore a broader sentiment in the industry which is that relying on just prevention technologies like firewalls or antivirus solutions is not going to cut it any more and you have to increase focus on detection from within," he said.

"Whilst on the surface it may feel counterintuitive, it really isn't. Today's attacks go through so many stages and the goal and the objective is to retrieve and protect a lot of confidential data.

"Detection and containment is actually a far more sustainable model over the longer term."

Locally, Australian department store David Jones revealed in October that customer details were stolen as a result of its website being hacked a few days earlier.

The retail giant said no customer credit card information, financial information, or passwords were stolen, as it does not store any credit card information or financial information on its website, but said the customer details that were stolen were names, email addresses, order details, and mailing addresses.

The announcement from David Jones came a day after Australian discount homewares chain Kmart revealed it had also experienced a breach. The Wesfarmers-owned company said no customer credit card or other payment details had been compromised; however, customers' names, email addresses, home addresses, telephone numbers, and product purchase details had been accessed in the "external privacy breach" that occurred in early September.

And last week, the Australian Bureau of Meteorology confirmed that its systems were fully operational and reliable in response to reports that the weather bureau had suffered from a large breach.

On Tuesday, Palo Alto Networks revealed details of a new "BackStab" attack which is used to steal private information from mobile device backup files stored on a user's computer.

Targeting iOS devices, attackers are sourcing text messages, photos, geographic location data, and almost any other type of information stored on a mobile device, according to Unit 42, Palo Alto Networks' threat research team.

While conducting its research into BackStab attacks, Unit 42 found over 600 malware samples from 30 countries around the world that were used to conduct remote BackStab attacks.

"The take away from this is reminding us that just because something is old, doesn't mean it can't be used again," Madrid said. "Make sure that you don't forget about the known. A lot of the time there's this focus on advanced cyberthreats but known threats and known techniques are very much just as important."

Madrid highlighted the need for iOS users to keep their operating systems up to date and use the default encryption options provided by the device to avoid falling victim to such attacks.