Slandering Andre Maginot

FireEye recently came out with a new report: Cybersecurity’s Maginot Line. It is an excellent report that documents findings from over 1,600 FireEye customers. Some key findings:

• Nearly all (97 percent) organizations had been breached, meaning at least one attacker had bypassed all layers of their defense-in-depth architecture.
• More than a fourth of all organizations experienced events known to be consistent with tools and tactics used by advanced persistent threat (APT) actors.
• Three-fourths of organizations had active command-and-control communications, indicating that attackers had control of the breached systems and were possibly already receiving data from them.
• Even after an organization was breached, attackers attempted to compromise the typical organization more than once per week (1.59) on average.

So basically just about everyone is owned and there isn’t anything you can do about it, right?

Well…

Look, computer network defense is what it is. You have to buy firewalls and anti-virus and all the other de rigueur hardware and software because you’d be fired if you didn’t. It’s not so much that none of these defensive mechanisms work, it’s that they serve as your Maginot Line giving you time to prepare and focus for the real battle.

At this point I would like to take a moment to point out that cyber security people love to abuse the Maginot Line analog because, among other things, it’s easy to poke fun at French martial prowess or the lack thereof. The problem is that the Maginot Line wasn’t supposed to stop a future German invasion cold; it was supposed to act as both a warning and delaying mechanism – giving the French Army time to mobilize and prepare for battle near Belgium, rather than be caught by surprise and nickel-and-dimed to death across the entire French frontier. The Line worked as designed – the bulk of German forces went around the line – they just did so much faster and more powerfully (“Armor through the Ardennes? Quelle Suprise!”) than the French had anticipated, so while the French Army was still trying to remember where it had left its mess kits, the Wehrmacht was already at the door.

The problem is that finding and rooting out an infection, persistent or otherwise, has traditionally followed a model that takes days at best, weeks being more the norm. That’s just the search and destroy part of the mission; it doesn’t address the fact that you often have no idea that you’ve been invaded in the first place. THAT task often takes months, which is more than enough time for an intruder to make off with everything of value you have on your systems.

Our approach cuts short the warning time between invasion and occupation (to maintain the military vernacular). In fact, if we are doing our jobs right there is no occupation: you push back your attackers in a matter of hours or minutes (best-case scenario). No one likes being invaded, but unlike purely defensive technologies we give our customers a fighting chance at kicking the Boche out of their digital France.