Traditional Security Technologies Focus on Detecting Strong Indications of Compromise, but Can’t Identify Weaker Indications of Compromise
We all know that advanced attackers have the resources, expertise and persistence to compromise any organization, at any time; attackers fundamentally understand the nature of classic security technologies and their applications and exploit the gaps between them. They relentlessly drive their attacks home, frequently using tools that have been developed specifically to circumvent the target’s chosen security infrastructure. Once they penetrate the network they go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible indicators of compromise to accomplish their mission.
The challenge for defenders is that traditional security technologies are focused on detecting strong indications of compromise, such as known malware and other threats, but can’t capture or analyze weaker indications of compromise. Plus, these technologies are only able to make a determination at a single point in time. If that one shot at identifying and blocking a threat is missed, most IT security professionals have no way to continue to monitor files once they enter the network and take action if they turn out to be malicious. Eventually you’ll realize a breach has happened, but if you’re like most organizations it can take months or even years to discover according to the latest Verizon 2013 Data Breach Investigations Report. At that point you’re left calling in the forensics team to figure out what happened and what was stolen or destroyed.
To regain control against these stealthy attacks, defenders need a new threat-centric approach to security to address the full attack continuum – before, during and after an attack – with continuous visibility into indicators of compromise and retrospective security to quickly contain and stop the damage.
Examples of activities that could indicate compromise include a system attempting to communicate back to a known bad (blacklisted) IP address; trying to access a part of the network, a device or a database it hasn’t before; or creating a process that it wouldn’t under typical circumstances. In isolation each of these activities isn’t a detection or prevention event, but when correlated with malware intelligence and other behaviors, even seemingly benign or unrelated, they may suggest a compromise.
To be able to identify indicators of compromise once a threat has entered the network, you need to take a two-tiered approach with tools and processes that combine trajectory capabilities, big data analytics and visualization to enable the following:
Tier 1: Automated analysis and response. Identify technologies that use trajectory capabilities to track system-level activities, file origination and file relationships and then leverage big data analytics for root cause and forensic analysis. When combined, these technologies can highlight and pinpoint subtle patterns of behaviors and weak indicators, suggesting a compromise has happened and a breach has most likely occurred. The ability to alert and automatically take action can speed response and help mitigate damage.
Tier 2: Actionable intelligence. Visualization technologies are also important so that you can quickly understand the chain of events leading up to and following a possible compromise. This allows you to apply context based on your expertise, perspective and knowledge of activities happening at that moment in your environment to make an even more nuanced determination of suspicious activity and identify indicators of compromise. If you identify an indicator of compromise you can see what’s occurring across your environment at that moment, look back at preceding events and then control activities that could be risky. If you determine a breach has occurred, by locating the point of origination and understanding the scope of the exposure you can stop the attack and remediate.
Attackers are relying on the fact that defenders are focused on detection and prevention technologies alone to look for threats and remove them. As a result, attackers are using weak signals to create nearly imperceptible indicators of compromise to attempt to stay below defenders’ radar.
While detection and prevention are essential to any security defense strategy, defenders also need the ability quickly tie together unrelated events to identify a threat that has evaded defenses. With decisive insight from trajectory, big data analytics and visualization capabilities defenders now can see that blip on the radar, hone in, understand it and take action.
Guest author, Tom Sitt, is Director of Product Marketing at Sourcefire