Today’s dynamic enterprises require a new paradigm for responding to advanced malware and sophisticated cyber-attacks, and they need the ability to defend and react in real-time. Advanced persistent threats (APTs) continue to grow in both number and sophistication, and they reach enterprises through traditional defense layers that rely on static defense devices. Enterprises need to substantially reduce the time and effort required to respond to detected threats, and slam the door on modern malware and targeted attacks, preventing data loss and protecting against future infections of other users. More advanced cyber-attacks necessitate a new model of security that can protect against unknown malware and deliver across multiple threat vectors. In fact, more than 95 percent of companies already have compromised systems within their networks, according to FireEye. We’ll take a closer look at how next generation threats require a new approach to incident response.
Advanced persistent threats (APTs) continue to grow in both volume and sophistication. This is a fairly recent phenomenon; it was just two years ago (2011) that APTs first made their mark.
For example, 2011 was the year that Sony saw multiple breaches that resulted in stolen customer data from up to 77 million user accounts on the PlayStation Network. In that same year, RSA Security was also hit by an APT, in which crypto-keys for RSA’s SecurID two-factor authentication products were stolen and used to breach an RSA customer. And many are familiar with the published FireEye study that revealed 95 percent of enterprises had malicious infections entering their networks each week. If those were the statistics from 2011, it is safe to guess that the volume of attacks has only increased.
In response to the increasing sophistication of modern malware, frequency of targeted attacks, and costs of resulting security breaches, today’s enterprises are making major investments in a wide variety of threat detection technologies – including anti-virus (AV), intrusion detection/prevention (IDS/IPS), security information and event management (SIEM) solutions, Advanced Malware Detection (AMD) platforms, threat intelligence feeds, and even “Big Data-for-security solutions.” But the question is, have these investments slowed or stopped the attacks?
Based on the growing number of successful attacks, it would appear not. Earlier this year, daily deal site LivingSocial announced that it had been attacked, resulting in as many as 50 million customers’ records being exposed. Evernote was hacked, exposing users’ data in the cloud. And we can’t forget the well-publicized LinkedIn attack last year, which resulted in millions of user credentials ending up on hackers’ underground websites. Those are the incidents reported in the news; just think of the number of compromised enterprises that don’t make headlines.
In many cases these attacks go through enterprises’ traditional defense layers that rely on static defense devices and technologies. While enterprises’ AMD products do a good job of finding next-generation malware, IT security teams struggle to effectively respond once a threat has been detected. Many of these high-profile successful attacks remained resident for days or longer before containment or remediation measures were executed. Enterprises need to substantially reduce the time and effort required to respond to detected threats in order to prevent data loss and protect against future infections of other users.
Implementing one or more AMD solutions is a good start, but the job of IT security does not end with simply deploying a better mousetrap. After detecting a potential threat, most AMD solutions leave the all-important next steps of verifying, prioritizing, and containing the detected threats as a series of manual processes carried out by the organization’s IT security team. These challenging tasks are costly, time consuming, and leave organizations and their data exposed.
This is compounded by the fact that many threat detection solutions are either passive by design, or are frequently deployed in passive mode to minimize network architecture changes or due to concerns about the impact on network performance.
When threats are detected by the various security solutions in an organization, the alerts often do not include enough contextual information for IT security teams to verify the details that would raise a potential threat to a higher level of urgency. For each alert, IT security teams engage in a manual response, during which time significant damage can be done by the attack. In addition, any follow-on events or recurrences of the same threat may require the same manual response process to be repeated all over again.
The impact of these manual response processes is that organizations are unable to take the threat information already available to them and put it to use in a meaningful manner across the entire security infrastructure. The gap between initial detection and pervasive protection caused by inefficient response processes diminishes the value of these investments in detection-only solutions. The longer the window of vulnerability stays open, the more incidents and the greater financial impact may result as data is compromised and infections are allowed to spread. The manual processes that follow security alerts also keep an organization’s security staff from addressing other business objectives and priorities.
Today’s dynamic organizations require a new paradigm for responding to advanced malware and sophisticated cyber-attacks, one that results in real-time response capabilities and goes beyond simply detecting threats. What’s more, they need it to work with the existing detection and protection solutions organizations have invested in. A better approach would capture business-specific logic and threat-specific workflows, ensuring a graduated response proportional to the severity of identified threats. Organizations need to substantially reduce the time and effort required to contextualize detected threats, and slam the door on modern malware and targeted attacks, preventing data loss and protecting against future infections of other users.
Help is on the horizon with a new approach to security intelligence and threat management that integrates with both detection solutions and existing security infrastructure devices to go beyond just detection. With the ability to receive threat events from multiple sources and validate these threats with context data, this new approach enables IT security teams to review and prioritize incidents after the initial detection by advanced threat detection systems. Incident information is then intelligently processed and applied in real-time to dynamically adjust defensive countermeasures and automatically mitigate verified threats – all while leveraging existing security infrastructure devices.
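The workflow just described can be made concrete in code. The following Python is an added example, not NetCitadel’s product or code from the original post: it takes alerts from several detection sources, enriches them with asset context, corroborates them across sensors, picks a graduated response proportional to severity, and applies an already-verified containment decision automatically when the same indicator recurs on another host. The hosts, criticality values, indicator names and action labels are constructed placeholders.

```python
from dataclasses import dataclass
# Constructed asset context standing in for a CMDB export (hypothetical hosts and values).
ASSET_CONTEXT = {
    "10.0.1.20": {"criticality": 3, "role": "finance-db"},
    "10.0.5.41": {"criticality": 1, "role": "lobby-kiosk"},
}

@dataclass(frozen=True)
class Alert:
    source: str        # detecting product class, e.g. "AMD" or "IDS"
    host: str          # internal host the detection refers to
    indicator: str     # what the sensor reported: malware family, C2 domain, file hash
    confidence: float  # 0.0 to 1.0, as reported by the sensor

class TriageEngine:
    """Enrich, corroborate and rank alerts; recurrences of a verified threat are contained automatically."""
    LEVELS = (  # strongest response first; the tuple index doubles as the rank
        (8.0, "quarantine_host_and_block_indicator"),
        (5.0, "quarantine_host"),
        (3.0, "open_analyst_ticket"),
        (0.0, "log_only"),
    )

    def __init__(self, asset_context):
        self.asset_context = asset_context
        self.sources_seen = {}  # (host, indicator) -> set of sensors that reported it
        self.verified = {}      # indicator -> rank of the containment already applied

    def severity(self, alert):
        criticality = self.asset_context.get(alert.host, {}).get("criticality", 2)  # unknown asset -> medium
        corroboration = len(self.sources_seen[(alert.host, alert.indicator)])
        # Sensor confidence scaled by asset value, plus a bonus when independent sensors agree.
        return round(alert.confidence * criticality * 2 + 2 * (corroboration - 1), 1)

    def respond(self, alert):
        self.sources_seen.setdefault((alert.host, alert.indicator), set()).add(alert.source)
        score = self.severity(alert)
        rank = next(i for i, (threshold, _) in enumerate(self.LEVELS) if score >= threshold)
        prior = self.verified.get(alert.indicator)
        if prior is not None:
            rank = min(rank, prior)  # a recurrence never gets a weaker response than the verified threat did
        if rank <= 1:                # ranks 0 and 1 are containment actions: remember them
            self.verified[alert.indicator] = rank
        return {"host": alert.host, "severity": score,
                "action": self.LEVELS[rank][1], "automated": prior is not None}
if __name__ == "__main__":  # stand-alone demo: the second alert is contained without re-triage
    engine = TriageEngine(ASSET_CONTEXT)
    print(engine.respond(Alert("AMD", "10.0.1.20", "trojan.generic", 0.9)))
    print(engine.respond(Alert("IDS", "10.0.9.9", "trojan.generic", 0.4)))
```

The same low-confidence alert that would only be logged on a kiosk is contained immediately once the indicator has been verified on a critical host, which is the gap between detection and pervasive protection the article describes.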
Using this new approach, enterprises will soon be able to quickly, intelligently and thoroughly respond to threats of all types as they are detected. This will help organizations reduce the impact and exposure caused by potential security incidents, achieve a substantial reduction in the time and effort required for security staff to implement thorough responses to detected threats, and realize a substantial increase in the value of their security investments.
As we can see, protection against today’s complex and persistent attacks on infrastructure takes more than just detecting the threat. Organizations should consider new approaches to threat management that connect threat detection solutions with threat intelligence, context and automation, so they can get the most from their security investments and protect their networks.
About Mike Horn
Mike brings over 15 years of experience solving challenging data networking and security problems for enterprises and service providers. It is this experience along with his passion for creating innovative new products that led him to co-found NetCitadel to change the way enterprises think about their network security.
Prior to co-founding NetCitadel, Mike held a variety of leadership positions in product management, engineering, and operations at companies including Vidder, Avistar, Level 3 and Virtela Communications. Mike also spent several years consulting for companies ranging from early stage startups to Fortune 500 technology companies on product strategy.