Time is not on your side. Bridging the Detection to Protection Gap

Posted by Admin on February 24, 2015

The threat landscape is forever expanding and adapting. With millions of malicious users hiding amongst billions of legitimate users, it is no wonder that cyber attacks are consistently at the forefront of every major news station.

Cyber security systems must be able to meet the breadth of today’s attacks. Without this sort of scalable solution in place, the next breach could be right around the corner.

One of the biggest issues in cyber security today is the widening time gap between an adversary’s ability to breach a network, and the security team’s ability to discover that breach.

The threat landscape is a dynamic attack surface; keeping up with the changes is proving to be a losing strategy. Adversaries are taking advantage of the slow speeds in which a security team is able to respond to the attacks.

According to the Verizon Data Breach Investigations Report (DBIR), as many as 90% of reported breaches occur within “a few days.” These breaches take all forms, from spear phishing and social engineering to exploits and tampering. It is getting easier and easier for attackers to check new malware against existing signature databases before use, ensuring that the latest attack will not be immediately detected.

Malware is even being developed to detect that it is running in a virtual environment and to withhold its true intent until it is on a real host.

Measured against the same criterion of “a few days,” the DBIR indicates that security teams discover only 30% of breaches in that time. In an ideal world, security teams would discover a breach within seconds of it occurring, enabling the fastest possible response to the incident and preventing a compromise from becoming a crisis.

In reality, it takes days, weeks, and even months to discover these breaches, ranging in severity from fairly benign to state-sponsored Advanced Persistent Threats (APTs). Likely, there are breaches in enterprise networks that persist for years, completely undetected.

How will the tables be turned? Is it possible to close this gap?

In most enterprises today, security teams are designed to take on these challenges. This is a monumental job, and there are varying levels of success throughout the industry. Logistical problems, such as geographic location, have to be factored in.

What if there isn’t enough security talent in my location to be able to bring in the best? Technology problems will continue to evolve. What if we experience a breach the likes of which nobody has ever seen before? There is no user manual for dealing with these new emerging threats.

Cyber Threat Visibility is essential to closing the breach detection gap. It’s not an option for a small team with this monumental task to work on their own in a vacuum. Organizations focused on the research of these threats are growing.

Specializing in market verticals, attack vectors, and even tracking threat actor groups, these intelligence companies are tracking the worst of the worst across the industry today. It’s essential in today’s threat landscape for security teams to augment their capabilities with cyber threat intelligence.

Applying this knowledge across the enterprise lets organizations know what to look for, or sometimes simply where to look, which speeds up incident response.

Implementing this research makes security teams more effective by focusing them on actionable threat data. Reducing false positives lowers an organization’s overall risk, because the team becomes aware of potential compromise events faster than ever. There is still another gap.

Knowing about a breach and having the capability to fix it are not one and the same. Cyber threat intelligence is a tremendously powerful resource. Many of the providers and on-site security teams that generate intelligence are able to communicate the issues and the strategies for taking action against the matching events.

Again, sharing this information and communicating it as close to the breach event as possible is critical for protection, but there is still a gap: the detection to protection gap.

Most of the largest retail breaches that we have seen occur at times when teams are least prepared to engage and take action. From before Thanksgiving until mid-January, financial transaction volumes among retail and online stores are never higher.

Companies want to be able to collect and process payment for all the shoppers, and they don’t want mistakes or human error to take these systems offline for any period of time. The loss of revenue for even an hour can be disastrous. To avoid human error, freezing configurations and systems in place is fairly standard across the industry.

What happens when the adversary knows this, and exploits this timing for their gain? Unfortunately, it happens all too often. Even when threats are identified during these freeze windows, taking corrective action is often too late to have a meaningful impact.

In order to solve these challenges and effectively implement cyber threat intelligence in the network security stack, new technologies must be deployed for real-time identification and protection of network resources.

These new capabilities must be able to handle the large, dynamic policies specific to their industry, and identify the potential compromise down to the exact internal resource. The cyber threat visibility gained from these new technologies is vital in securing data and keeping organizations’ networks safe from attacks.
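As an added example (not code from the original post or from Centripetal Networks), the following script shows the two ideas above in miniature: filtering a threat intelligence feed down to actionable indicators (dropping expired and low-confidence entries, which is where false positives come from) and matching the remainder against firewall/proxy log lines so that each hit names the exact internal host that talked to the indicator. The feed, the log lines, the field layout and the confidence threshold are all constructed assumptions for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed indicator feed (documentation-range addresses, not real IoCs).
INDICATORS = [
    {"value": "203.0.113.10", "type": "ipv4", "confidence": 90, "expires": "2015-03-01T00:00:00Z"},
    {"value": "198.51.100.0/24", "type": "cidr", "confidence": 70, "expires": "2015-03-01T00:00:00Z"},
    {"value": "bad.example.net", "type": "domain", "confidence": 95, "expires": "2015-01-01T00:00:00Z"},
    {"value": "cdn.example.org", "type": "domain", "confidence": 20, "expires": "2015-03-01T00:00:00Z"},
]

# Constructed log lines: "<timestamp> <internal src ip> <dst ip> <dst hostname or ->".
LOG_LINES = """\
2015-02-20T10:01:02Z 10.1.4.22 203.0.113.10 -
2015-02-20T10:01:05Z 10.1.4.22 93.184.216.34 www.example.com
2015-02-20T10:02:11Z 10.1.7.5 198.51.100.77 -
2015-02-20T10:03:40Z 10.1.9.8 192.0.2.9 bad.example.net
2015-02-20T10:04:01Z 10.1.2.3 192.0.2.50 cdn.example.org
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def compile_feed(indicators, now, min_confidence=50):
    """Keep only indicators that are still valid and confident enough to act on."""
    return [ind for ind in indicators
            if parse_ts(ind["expires"]) > now and ind["confidence"] >= min_confidence]

def match_line(line, feed):
    """Return an alert naming the internal host if the destination hits an indicator."""
    ts, src, dst, host = line.split()
    dst_ip = ipaddress.ip_address(dst)
    for ind in feed:
        kind, value = ind["type"], ind["value"]
        hit = ((kind == "ipv4" and dst == value)
               or (kind == "cidr" and dst_ip in ipaddress.ip_network(value))
               or (kind == "domain" and host == value))
        if hit:
            return {"time": ts, "internal_host": src, "indicator": value,
                    "confidence": ind["confidence"]}
    return None

def find_compromises(log_text, indicators, now, min_confidence=50):
    feed = compile_feed(indicators, now, min_confidence)
    hits = (match_line(l, feed) for l in log_text.splitlines() if l.strip())
    return [h for h in hits if h]

if __name__ == "__main__":
    for alert in find_compromises(LOG_LINES, INDICATORS, parse_ts("2015-02-20T12:00:00Z")):
        print(alert)
```

Of the four constructed indicators, the expired domain and the low-confidence CDN entry are filtered out, so only the two hosts that contacted the high-confidence IP and CIDR indicators are reported.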

About the Author

Justin Rogers, Director of Product Marketing Centripetal Networks

Justin has more than 15 years of experience in networking, telecommunications, and the defense and intelligence communities. Justin previously spent several years with the Combined Explosives eXploitation Cell (CEXC), deployed with a joint-expeditionary team in Baghdad, Iraq, as well as Bagram, Afghanistan. With CEXC, Justin focused on Counter-IED technologies, training, and bridging the protection gap in defense of Coalition Forces. Since joining Centripetal Networks in 2012, Justin has focused on bringing Centripetal’s Active Network Defense platform to market. Justin has a BS in Electrical Engineering from the University of New Hampshire.

Tags: Cyber Defense Magazine