An Ounce of Prevention: Mandiant’s Managed Defense

My kids used to think they were invincible. A few cuts and scrapes later, they learned better. Soon, they'll think they know everything. Heck, they probably already do. And once they finally accept that they might not know everything, they'll still be in denial about their invincibility as it relates to their health. Come to think of it, I'm pretty sure I went through a 10-year stretch where I never saw a doctor. It's not until I learned some lessons the hard way, or watched others run into trouble, that I realized it's important to be a little more proactive about my own health. Turns out you can't just avoid things that might hurt you and hope for the best. You can still end up in trouble from something you didn't anticipate.

As an industry, we're growing up too. We used to put web servers out there on the interwebs and send mail. For a while, that worked just fine. Add a Morris worm, some denial of service, and little Bobby Tables to the mix and we've now got a very different Internet. In this case, an ounce of prevention means tens of billions of dollars of medicine in the form of firewalls, anomaly detection, anti-virus, and more acronyms than you can derive from a bowl of alphabet soup. And you know what? A lot of it is actually really good stuff. And you know what else? A lot of us still get seriously compromised. What gives?

An ounce of prevention is supposed to equal a pound of cure. How does that work when the disease has no cure? I don't know if it's more like Outbreak or Twelve Monkeys, but someone's actually out to get us. The better the preventive measures, the better our adversaries become. Since they can get access to the same off-the-shelf preventive measures we get, they can make sure they're building tools and tactics that effectively bypass our safeguards. So, they get in, they escalate privileges, they steal credentials, and they quietly start stealing our data. And we have no idea because they've passed all our preventive controls. Is it hopeless?

No, it's not.

We've learned that asking "am I vulnerable?" is pointless. Those were our angst-ridden teenage years. Yes, I'm vulnerable. Fine, I accept that. And you know what I've found? It's awfully liberating accepting vulnerability. I accept that my preventive controls will fail. What I gain in return is the ability to actually start putting a game plan together for what I should do when they fail. When I have that game plan figured out, I'll have confidence. No more angst. So, now what? How do I keep my health in check? Now it's time for regular physicals.

What we need is a regular checkup of our systems and our network - and not a cursory check either. An actual, in-depth hunt for the adversary on an ongoing basis. Is there a virus I don't already know about? Has something been infected? Are the footprints of adversaries in my environment? Maybe we need some Sherlock Holmes investigative skill. Maybe we just need some Gregory House epiphanies. Maybe I'm mixing too many metaphors. Okay, fine, there's no maybe about it.

This is why we've built MCIRT Managed Defense. For over two years, we've been providing "now what?" answers early in the wake of new compromises for our customers. When preventive defenses have failed, our analysts have wielded our network- and endpoint-based technologies to find evidence of compromise in our customers' networks. We're gathering all the intelligence about the adversaries' tactics, techniques, and procedures and codifying it into our technology. We're implementing regular sweeps of file systems, system memory, and enterprise networks. We're looking for evidence of malware and evidence of attack methodologies - footprints, residual artifacts. Now we're going hunting.

Starting in June, we're offering a new level of service. We're cranking up the frequency of our sweeps. We're focusing in on our favorite adversary's key attack vector: e-mail. We're taking advantage of cloud-based IP reputation data. We're tightening our SLAs. Most importantly, we're rolling in sets of advanced investigative techniques that have been instrumental in finding compromised assets in our incident response work. We want to make sure that you're the first to know about an advanced, targeted attack against your network. We want to work with you to scope the compromise and put together a plan of action. We want to help you contain the breach and remediate it quickly. We want to focus on the threats that matter most to your business, and we want to help you have the confidence to say: "Yeah, I'm vulnerable. So what? So are you. Even if the worst should happen, I'll know about it quickly and I'll know what to do about it. I'm prepared."

It's time to move past feeling vulnerable and accept that we are. It's time to develop our confidence and be prepared for what comes next. And it's time for me to make sure I have a physical scheduled.