Credit: Courtesy of Invincea

The cybersecurity industry is seeing a massive rift between firms that promote the idea that data breaches are inevitable and those that are focused on stopping them. And this split of the industry into two camps has implications for every company that’s trying to understand how to keep hackers out.

At one prominent DC-area cybersecurity company, Invincea, preventing a breach is still the first and foremost goal; prevention is still seen very much as “possible.” And the Arlington, Va.-based company’s CEO, Anup Ghosh, doesn’t mince words when he speaks about the “impossible” camp.

Ghosh puts the mantra this way: “you cannot stop the breach. So don’t even try.”

“To me that’s a self serving message,” he told DC Inno. “What you’re really saying is don’t invest in prevention because you’ll never stop the threat.”

Invincea, of course, has its own self-interest in promoting prevention. The company, for instance, formed a research branch called Invincea Labs in 2010 that has produced technologies such as Cynomix, which maps millions of malware “strains” to inhibit previously recognized cyberthreats from targeting clients. Invincea Labs has secured more than $30 million in federal contracts since being founded.

Invincea’s executive team(from right to left) — Norm Laudermilch, Dana Duffy, Anup Ghosh, Paul J. Bihuniak , Chris Smith and Alan Keister / Credit: Courtesy of Invincea

Ghosh, previously a manager with the Defense Advanced Research Projects Agency, said he began to notice the “impossible” ideology becoming a real force about three years ago.

“They definitely won the marketing message there.”

 “I was the only guy on the hilltops saying, ‘This is crazy guys.’ We have proof points everyday that shows we can stop attacks. But my voice was drowned out by all the companies who said you can’t stop [data breaches],” Ghosh said. “They definitely won the marketing message there.”

Today, the cybersecurity industry and its products can be broadly categorized within three loosely defined branches: prevention technologies (including both endpoint and network security), incident response (crisis-mode solutions) and breach detection (including cyber forensics and data recovery).

In this framework, it’s relatively easy to understand what each sector is responsible for. The three branch distinction is not intended to represent sector-specific categories but rather it is used to illustrate a different set of solutions and their market impact.

“The reality is you can’t stop 100 percent of attacks … [but] If you look at it as an investment portfolio, what you really need to do is put a lot of money on the prevention side, because the more attacks you prevent, the less you need to clean up,” said Ghosh.

All three branches have undeniably become vital components to a complete 21st security approach, but the way entities invest in them is vastly unequal.

Ivan Shefrin, the VP of Security Solutions at TaaSera, which specializes in breach response, detection and prevention, told DC Inno, “Cyberdefense going forward needs to shift the focus from the hard perimeter to the soft core of the network where the most damage occurs. It’s in the core where we need advanced detection and mitigation technologies to catch malicious behaviors (from malware and malicious insiders) in time to prevent data damage, loss, theft and loss of business continuity … it doesn’t mean dismantling the prevention infrastructure already in place.”

At the moment, Ghosh said the “top dollar” goes to incident response.

Incident response certainly happens to be the “discipline” with the greatest public attention attached to it, having become synonymous with major cybersecurity brands like FireEye/Mandiant and the data breaches they are brought on to alleviate.

the way entities invest in them is vastly unequal

For reference, Mandiant offers pre-incident retainers for clients that want to have the security company registered in the event of a breach. The pre-incident retainer offering has become a standard.

The Cyber forensic specialists have a pricing structure that is divided by four tiers, based on both onsite and offsite hourly rates accompanied by the timeliness and identification of “attack vectors.” According to Mandiant sales documents, “there is no minimum financial commitment or annual cost. Charges are only incurred in the event of an incident.”

The Ponemon Institute surveyed 674 IT and IT security professionals — the graphic shows where they believe their companies should be investing in cybersecurity / Credit: Ponemon Institute

A June 2015 study by analysis and consultancy firm Pierre Audoin Consultants (PAC) shows that spending by european enterprises on threat detection and response is shifting away from prevention and protection and towards detection and response capabilities.

The doomsday marketing message may be working.

According to PAC, the change in spending is due to a “realization that cyberattacks are inevitable.” The study, sponsored by FireEye, HP, Telefonica and Resilient Systems, concluded that spending on post-breach solutions would increase from 23 percent of security budgets to 39 percent, within two years.

James Lewis, a cybersecurity expert at the Washington DC-based Center for Strategic and International Studies (CSIS), previously told the BBC that, “Businesses should stop worrying about preventing intruders getting into their computer networks, and concentrate instead on minimizing the damage they cause when they do.”

Though segments of the cybersecurity industry may be largely responsible for instituting this type of security atmosphere, a clear “crisis mindset” also contributes to it. As Ghosh put it, at a base level he believes that the cybersecurity industry lacks “strategy” and this imbalance has a lasting and resounding impact throughout the federal and commercial system.

Newsweek Opinion article described “inevitable” nature of attacks/ Credit: Newsweeks screenshot

“The first money goes to incident response, then it goes towards breach detection, which is retrospective analysis. A lot of the money right now is going backwards and it all starts with this crisis mentality … It makes rational sense from an investment point of view. In investment you’re trying to make money and you’re not trying to solve real problems. You go where the money flows,” Ghosh said.

He added: “We lack, as an industry, strategy. Instead we look at what’s right in from of our face … We’re spending money in the wrong place, when it’s too late … It always starts with the breach. If you follow the money then you’ll see how it works is that the breach happens and our whole conversation revolves around incident response.”

A Breach Economy

In May, the Ponemon Institute’s released its annual data breach study which showed that the average total cost of a data breach worldwide had increased 23 percent since 2013 to more than $3.8 million per incident. This figure, almost symbolically, chose not to include the cost and/or value associated with prevention technologies.

On June 4, U.S. officials revealed to the public that the Office of Personnel Management’s computer systems had been hacked. In the aftermath of the breach — while a number of escalating reports showed the damages piling on — there was a single cogent question: who should be held responsible for the breach?

Anup Ghosh

More than a month removed and the answer to that question remains somewhat unclear. OPM Director Katherine Archuleta previously told members of a Senate panel that,”If there is anyone to blame, it is the perpetrators.” That being said, it’s possible that another party could be blamed, including the engineers who designed and supervised the vulnerable network in question.

Typically, government contractors are brought in to establish an agency’s network and also staff a number of security positions to monitor it. In a non-crisis environment, a federal agency will usually launch a larger, public contract that can be bid upon by any number of government IT providers and/or boutique security suppliers — this includes participation from recognizable brands like General Dynamics, Booz Allen and Lockheed Martin Corporation.

In contrast, when a crisis situation occurs, like that of OPM, an agency will instead often directly rely on the party responsible for establishing their original data network. If that network provider cannot supply enough manpower than it may rely on a commercial partner company to assist it.

“With incident response events like OPM it’s a crisis situation and so its hard to know how they actually get those contracts because its not going to be public or to get a bid, necessarily. It will be whoever their technical assistance contractor is … thats a relationship type thing,” Ghosh said.

Surprisingly, even with major network contracts that accompany federal agencies, prevention technology is not a priority, Ghosh told DC Inno — meaning that instead of developing software to stop attacks, these corporations will normally prioritize the purchase of post-breach solutions.

When I asked Ghosh if there had been an evolution in the way federal contracts are applied, he responded, “There were really never these gov-con contracts for prevention. You just don’t really see it … There’s definitely a huge amount of incident response contracts today and there will be more. We’re at the tip of the iceberg with OPM.”

At the moment, most of the threat prevention tech for federal agencies is purchased off the shelf from commercial companies like McAfee and Norton, rather than being specially designed for the U.S. government.

Fighting The Current

Under the DARPA umbrella, Invincea’s CEO witnessed numerous attacks aimed at the Department of Defense. The mass majority of whom came from nation states.

At the time, the DoD were using commercial, off the shelf products much like federal agencies are doing today. But there was a big mismatch between the prevention defense technology that were being purchased from these commercial cyber companies and the adversarial tactics used by aggressive nation states. These adversarial tactics went completely under the radar — ignoring the defense “perimeter” set by commercial products.

Ghosh said that the stark contrast in firepower came due to an inherent and unfortunate cycle of unintended consequences spurred by the classification of attacks.

The U.S. government has been classifying cyberattacks since the early 90s and as a result, a large grouping of adversarial tactics never get out to the public domain. “The system was broken because of that lack of flow of information. I think it was an unintended consequence of classification,” Ghosh told DC Inno.

In a new report by security performance monitoring firm BitSight Technologies, network controls that were supervised by commercial companies ranked safer than those covered by defense contractors. According to BitSight, network security at breached J.P. Morgan Chase and Home Depot rated higher than some of the network security protocols established by top companies supporting the U.S. military. The gov-con firms mentioned in the report include Lockheed Martin, Raytheon and another 22 other contractors.

Ghosh said that during his time in government, he saw networks being “pillaged” by adversaries “using 2010-level tactics vs. 1995-era technology.”

“It was crazy. And so that’s why I started Invincea. Clearly we needed revolution in technology on the end point and we needed a completely different approach to solving this problem.”