by Marc Solomon – June 5, 2014
Organizations Need to Look at Their Security Model Holistically and Gain Continuous Protection and Visibility Along the Entire Journey…
“Life is a journey, not a destination.” Most often attributed to Ralph Waldo Emerson, today we come across that phrase all the time – in songs, books, articles, and even in TV commercials for everything from automobiles to financial services. But if we change the word “life” to “security” it could also be used to describe how we need to think about protecting our organizations against advanced cyber attacks. Let me explain.
Most security tools today focus on prevention only – access control, detection, and blocking at the point of entry – to protect systems. They scan files once at an initial point in time to determine if they are malicious. But predictably, attackers fundamentally understand the static nature of these security technologies and are innovating around their limitations to penetrate network and endpoint defenses. The latest improvements in threat detection include executing files in a sandbox for detection and analysis, the use of virtual emulation layers to obfuscate malware from users and operating systems, reputation-based application whitelisting to baseline acceptable applications from malicious ones, and, more recently, attack chain simulation and analysis detection. If the file isn’t caught or if it evolves and becomes malicious after entering the environment, point-in-time detection technologies are no longer useful in identifying the unfolding follow-on activities of the attacker.
Advanced attacks aren’t focused on what we traditionally consider to be the destination – the walls of the enterprise. They’re focused on the journey, leveraging an array of attack vectors, taking endless form factors, launching attacks over time, and obfuscating the exfiltration of data. These attacks aren’t limited to a point in time but are ongoing and require continuous scrutiny.
In order to detect advanced threats and breach activity more effectively, security methods can’t just focus on detection and prevention but must also include the ability to mitigate the impact once an attacker gets in. Organizations need to look at their security model holistically and gain continuous protection and visibility along the entire journey – from point of entry, through propagation, and post-infection remediation.
To do this we need a security model that combines big data architecture with a continuous capability to overcome the limitations of traditional point-in-time detection and response technologies. With a true continuous model, security professionals can answer key questions like:
• What was the method and point of entry?
• What systems were affected?
• What did the threat do?
• Can I stop the threat and root cause?
• How do we recover from it?
• How do we prevent it from happening again?
• Can I quickly hunt down Indicators of Compromise (IoC’s) before they impact my operation?
In this model, process-level telemetry data is continuously collected across all sources, while it is happening, and is always up to date when it is needed. Analysis can be layered to work in concert to eliminate impacts to control points and deliver advanced levels of detection over an extended period of time. Analysis is more than event enumeration and correlation; it also involves weaving telemetry data together for greater insights into what is happening across the environment. Tapping into a broader community of users, global intelligence is continuously updated and shared immediately and correlated with local data for even more informed decision making.
A continuous approach together with a big data architecture enables transformative innovation in the battle against advanced threats that target the endpoint. For example:
1. Detection that moves beyond point-in-time. A continuous approach enables detection to become more effective, efficient, and pervasive. Behavioral detection methods like sandboxing serve as inputs for continuous analysis and correlation, activity is captured as it unfolds, and intelligence is shared across detection engines and control points.
2. Monitoring that enables attack chain weaving. Retrospection, the ability to go back in time to monitor files, process, and communication against the latest intelligence, and then weave that information together to create a lineage of activity provides unprecedented insights into an attack as it happens.
3. Automated, advanced analytics that look at behaviors over time. Combining big data analytics and continuous capabilities to identify patterns and IoC’s as they emerge, enables security teams to focus their efforts on the threats that matter most.
4. Investigations that are more targeted, fast, and effective. Transforming investigation into a focused hunt for threats based on actual events and IoC’s, gives security teams a fast and effective way to understand and scope an attack.
5. Containment that is swift and surgical. With the level of visibility the continuous approach provides, security teams can identify specific root causes and shut down all points of compromise and infection gateways simultaneously to prevent lateral movement of an attacker and break the attack chain.
In this model, detection and response are no longer separate disciplines or processes but an extension of the same objective: to stop advanced threats. Going beyond traditional point-in-time methodologies, detection and response capabilities are continuous and integrated. It’s what’s required for advanced threat detection and response that’s focused on the journey, not just the destination.