Detection Breadth and Depth
Problems of the “perfect” solution
Applying the Pareto Principle to information security, with only “20% of effort” we should be able to achieve an “80% solution.” However, this level of completeness is often not acceptable to an organization. A solution that can be evaded in some fashion is not complete until all evasion methods are identified, and the perfect solution is created.
Unfortunately, it is typically the case that during the development of the “perfect” 100% solution, there is nothing in place until the full solution is identified. There is a balance between the risk of only having an 80% solution and the extra time it takes to have a perfect detection.
One can argue that just because methods exist that can circumvent a security control does not mean that it does not provide any value to an organization or increase the overall security posture. Striving to quickly achieve the 80% solution and implement it in the environment can quickly yield positive benefits.
If a detection or tool must be perfect before implementation, it will take much longer to implement, if ever. Additionally, the 80% solution can always be improved on, and known deficiencies can be documented for future work.
Attacker’s Dilemma
Breaches or compromises do not happen in a vacuum. Most, if not all, involve an attacker performing a wide variety of techniques across multiple systems in an environment to achieve their end objective. This is an important concept to understand because it means an organization doesn’t have to detect EVERYTHING in order to detect an attack, it just has to detect ONE of the techniques used. A single indicator or alert can tip off incident response and halt an attack.
Minefield
If we can create good 80% detections across a large number of techniques, we have a much greater chance of catching some element of attacker activity. This provides a depth of coverage as there is not a single point of detection failure. The statistics of evading a large number of 80% detections is small and the more 80% detections in place, the smaller the odds.
Relevant Note(s):