Connecting the dots: Reactionary, respond-to-alerts based security posture will not protect from advanced threats
"The news is not good. The detection deficit is getting worse," says Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks. He is looking at statistics in the 2016 Verizon Data Breach Investigations Report (DBIR), which show, in a straight line, that the gap between the time attackers need to compromise a target and the time defenders need to detect an advanced attack continues to grow.
According to an Arbor paper, "Connecting the Dots in Enterprise Security", advanced threats target a specific company, are designed to bypass traditional controls, and comprise a planned and orchestrated set of attack activities. For the enterprise security professional, business as usual is no longer a viable option; a purely reactionary, respond-to-alerts based security posture will not protect you from advanced threats.
"You need to be able to detect and identify real threats by 'connecting the dots', that is, placing indicators or alerts into a contextual chain of events over time," the paper points out, while acknowledging that this is easier said than done for a security team of any size.
Arbor highlights: "Connecting the component dots of stealthy, multi-stage attack campaigns is even more challenging given that larger, more complex distributed networks increase vulnerable attack surfaces and make comprehensive visibility harder. Even with better visibility, without a new approach managing the increasing volumes of alerts is unsustainable: the negative effects of alert fatigue and false positives are well documented. The time (and resources) it takes to investigate priority alerts and false positives will wear down the best security teams."
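The "contextual chain of events over time" the paper describes, as an added illustration that is not part of the article or of Arbor's own tooling: alerts that are individually low priority are grouped per asset and chained when they progress through several distinct attack stages inside a time window, so the analyst sees one campaign instead of a stream of isolated alerts. The stage names, the alert records and the 24-hour window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stage labels for a multi-stage intrusion; each alert is one "dot".
STAGES = ["recon", "delivery", "exploit", "c2", "lateral", "exfil"]

# Constructed sample alerts (timestamp, asset, stage, detail), not from any
# real environment. Each is low severity alone; only the sequence on ws-17
# reveals an orchestrated campaign.
SAMPLE_ALERTS = [
    ("2016-05-01T08:02:00", "ws-17", "delivery", "macro-enabled attachment opened"),
    ("2016-05-01T08:05:00", "ws-17", "exploit", "office process spawned powershell"),
    ("2016-05-01T08:30:00", "ws-17", "c2", "beacon to rarely seen external domain"),
    ("2016-05-01T09:10:00", "ws-17", "lateral", "smb logons to 5 new hosts"),
    ("2016-05-01T08:04:00", "ws-42", "delivery", "macro-enabled attachment opened"),
    ("2016-05-03T14:00:00", "ws-42", "c2", "beacon to rarely seen external domain"),
    ("2016-05-01T11:00:00", "srv-db1", "recon", "port scan from guest vlan"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def connect_dots(alerts, window_hours=24, min_stages=3):
    """Group alerts per asset, then, for every possible starting alert, collect
    the first alert of each distinct stage seen within the window. Returns
    {asset: [(time, stage, detail), ...]} for assets whose longest chain covers
    at least min_stages distinct stages; everything else stays in the queue."""
    window = timedelta(hours=window_hours)
    by_asset = defaultdict(list)
    for ts, asset, stage, detail in alerts:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        by_asset[asset].append((_parse(ts), stage, detail))
    chains = {}
    for asset, events in by_asset.items():
        events.sort()  # chronological order is what makes the chain readable
        best = []
        for i, (start, _, _) in enumerate(events):
            chain, seen = [], set()
            for t, stage, detail in events[i:]:
                if t - start > window:
                    break  # outside the correlation window for this start
                if stage not in seen:
                    seen.add(stage)
                    chain.append((t, stage, detail))
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_stages:
            chains[asset] = best
    return chains
```

Widening the window or lowering the stage threshold trades fewer missed slow-moving campaigns against more chains the team must triage, which is the alert-fatigue trade-off the paper warns about.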
Hamman says that there is a misconception in the market that to "connect the dots" requires large security teams. "The reality is initiating and nurturing a hunting mindset can simply start with re-focusing the right staff, empowering new skill sets and better aligned processes. The goal is to re-direct some resources and augment your layered defence with a proactive component, to build in more sleuthing capabilities in your staff and support them with the right processes," he says.
Finding today's advanced threats demands new approaches, continues the paper, and adding to your security posture a proactive puzzle-solving capability to help mitigate threats can be done in incremental steps. Some common steps the paper mentions include:
- Reduce the number of tier two to three analysts working on security events, and have one to two analysts focus solely on hunting for threats in areas of their network/ business.
- Look to enable in-house hunting skill sets with selective training. Individuals and teams of all sizes are looking for both new and more effective models, where their day is more productive and they can make forward progress against advanced attacks.
- If you don't have one already, set up a cyber intelligence team. Start by aggregating alerts from law enforcement, vendors, intelligence/IR firms, and so on. This alone will help shift the organisational focus from looking at potential indicators of compromise to indicators of attack.
- Look to set up new alert workflows and investigatory processes that pass this intelligence to hunting-focused analysts. Change focus by creating a threat- and risk-based view of assets within the network. For example, for retailers: certain POS locations during the Black Friday to Valentine's Day period, or highlighted "blind spots" where perimeter devices and end-user controls may be more limited, such as at subsidiary or remote locations.
- Consider outsourcing the SOC altogether. If you do, be sure to retain a set of tier three analysts with both core "responding" and hunting skills to investigate critical issues and events passed on from the SOC.
"Organisations of any size are perfectly capable of proactively connecting the dots. Arbor has seen how small teams, even a sole actor responsible for policing the activities of an outsourced NOC or SOC, can transform their organisation's approach to security. Threats are not partial to demographic, country or industry – you have to remain on high alert 24/7," adds Hamman.