Breach detection: Five fatal flaws and how to avoid them
- 06 June, 2015 00:37
IT Security today is not about defending a (non-existent) perimeter, but about protecting the organization's attack surface, which has changed dramatically due to the cloud, mobility, BYOD, and other advances in corporate computing that have caused fundamental shifts in network architecture and operations.
Practically speaking, it means you need to monitor what is occurring inside the firewall just as much (if not more) than what is outside trying to make its way in. Think of it as a post breach mindset based on a "1,000 points of light" model as opposed to a "moat and castle" model of defense.
In theory its evolutionary, but given the accelerated pace in which security organizations have matured, it is not necessarily an easy transition to make. Not only has the threat landscape changed, but there has been constant flux in the leadership, skills, tools and budget required.
As a result, even in advanced shops, perimeter-based defense practices still linger. Practices based on flawed thinking or misconceptions, which if left unchecked, hinder fast detection and response. Here are some of the ones we see the most:
* Fixation on penetration prevention. Solution: Shift to an "Already compromised" mindset. With APTs more prominent than ever, it's no longer about if you get breached, but when. You should evolve your security defense accordingly. Instead of focusing on preventing penetration, focus on the adversarial activity that is going on within your network. The good news is you have an advantage; the majority of damage is usually done several months after penetration. Hackers tend to deploy low and slow' techniques and perform minimal actions per day in order to evade detection, better understand the organization and craft a foolproof roadmap to reach their true target.
* Accepting simple explanations. Solution: Always dig deeper. Security events are not caused by error or accident. Every piece of evidence should be over-analyzed and malicious intent must always be considered. Because your security teams cannot know all adversarial activities, in a sense they are at a disadvantage; therefore, it is crucial for the teams to over-investigate what they can see in order to reveal other unknown and undetected connecting elements. Security teams must always assume they only see half the picture, working diligently to uncover the rest of the pieces of the puzzle.
* Striving for fast remediation. Solution: Leverage the known. Instead of remediating isolated incidents as fast as possible, the security team should closely monitor the known to understand how it connects to other elements within the environment and strive to reveal the unknown. For example, an unknown malicious process can be revealed if it is connecting to the same IP address as a detected known malicious process. Moreover, when you reveal to the hackers which of their tools are easy to detect, hackers can purposely deploy, in excess, the known tools to distract and waste the defender's time.
* Focusing on malware. Solution: Focus on the entire attack. Although detecting malware is important, solutions that mainly focus on detecting isolated activity on individual endpoints are unable to properly combat complex hacking operations. Instead, employ a more holistic defense. Leverage automation - analytics and threat intelligence in particular - in order to gain context on the entire malicious operation, as opposed to just the code. Keep in mind that your adversary is a person and malware is one of their most powerful tools, but one of many in their tool kits.
* Letting false alerts get the best of you. Solution: Automate investigation. Because many security solutions produce a large amount of sporadic alerts (many false) with little context, security teams spend endless hours manually investigating and validating alerts produced by their solutions. This lengthy process significantly prolongs security teams from addressing the real question is there a cyber-attack underway? Here's another case where the proper use of automation can dramatically increase productivity as well as detection and response times, which results in less costly and damaging attacks. If there are budgetary constraints that prevent the proper use of automation to aid you in this process, quantify the value the investment you are asking the company to make.
Like many aspects of IT, breach detection is part art, part science. However, what distinguishes a good analyst from a great one is how they think. Avoiding these misconceptions enable security teams to approach breach detection much more strategically and make better use of the resources at their disposal.