by Scott Millis – Chief Security Strategy Officer at ISC8
(Third in a series) An ounce of prevention (the perimeter defenses) PLUS a pound of cure (incident response) will help corporations reject and/or defeat the KNOWN maladies they encounter every day. As with malware, devastating new diseases pop up with regularity, and modern medicine is not (yet) in a position to prevent or cure them. With new diseases, as well as with existing diseases that escape preventative efforts, EARLY DETECTION is the KEY to maximizing positive outcomes.
What strategy should one adopt as the centerpiece for corporate detection efforts? Medicine is instructive here as well, mainly in the form of the blood test. Whenever anything seems to be seriously wrong with us, the blood test is the “go-to” diagnostic tool. Why? Because by looking at what is happening in the blood, physicians can usually rule out a lot of possible issues, but more importantly, it can point them at highly likely causes. Additional data from other tests can further add confidence to the diagnosis, until there is enough evidence to embark on an appropriate treatment plan (incident response).
Thinking about corporate infrastructures, one can adopt a strategy as powerful and productive as the blood test. I’d submit that the bloodstream of the enterprise is the network, and that by watching for abnormal network operations, over time, one can build up confidence that malware is active and then spring into action to prevent damage and/or loss.
This requires new tools: ideally tools that run in the network core at very high speeds (10-100Gbps), that can learn, and, most importantly, that can recognize potentially abnormal (“suspicious”) activities by looking at all seven layers of the protocol stack and examining EVERY packet to see what it is and is not doing. Ideally, again, such a tool would correlate these suspicious activities over long periods of time (months or years, as may be necessary) until a threshold of confidence is reached, so one can either dismiss the activity or “alarm” the incident response team(s).
There are many elegant aspects to such a strategy. The monitoring and diagnostics systems must:
- operate without agents and without disruption of network traffic
- be invisible to normal network discovery, as it lives passively on the core (think fiber tap)
- be agnostic to the malware source, type, variant, author, and method of initial infection
- not rely on KNOWN malware types
- focus on the TACTICS and METHODOLOGY of the intrusion, (i.e., the “kill chain”)
- reliably detect and correlate over arbitrary timeframes
- use its learning and confidence-building capabilities to radically reduce ‘false positives’
- sit in the core “where the action is”, or at least where many or most of the precious IP assets live
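The correlation and confidence-building behaviour the list above asks for, as an added example that is not ISC8's code or any product's logic: a small Python replay over constructed sensor observations that scores each host on the distinct kill-chain phases seen inside a trailing window, and alarms the first time two or more phases together reach a threshold, so that a repeated single indicator (noisy recon) never alarms on its own. The phase names, weights, threshold and sample observations are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, illustrative weights: later kill-chain phases are stronger evidence.
PHASE_WEIGHT = {"recon": 1, "delivery": 2, "exploit": 3, "c2": 4, "exfil": 5}
ALARM_THRESHOLD = 3  # assumed; reached by e.g. recon + delivery

# Constructed sample of "suspicious activity" observations a passive core sensor
# might emit: (ISO timestamp, internal host, kill-chain phase, short detail).
OBSERVATIONS = [
    ("2013-05-01T09:00:00", "10.1.2.3", "recon", "port sweep of 40 internal hosts"),
    ("2013-05-01T09:10:00", "10.1.2.3", "delivery", "macro-bearing document via SMTP"),
    ("2013-06-15T22:30:00", "10.1.2.3", "c2", "periodic beacon to rare external domain"),
    ("2013-05-02T10:00:00", "10.1.2.9", "recon", "DNS zone transfer attempt"),
    ("2013-05-02T10:05:00", "10.1.2.9", "recon", "DNS zone transfer attempt"),
]


def correlate(observations, window_days=365, threshold=ALARM_THRESHOLD):
    """Replay observations in time order. Per host, keep the distinct phases seen
    inside the trailing window and record the first observation at which the
    weighted score of two or more distinct phases reaches the threshold.
    Returns {host: {"score", "phases", "alarmed_at"}}."""
    seen = defaultdict(list)  # host -> [(datetime, phase)] inside the window
    reports = {}
    for ts, host, phase, detail in sorted(observations):  # ISO strings sort by time
        now = datetime.fromisoformat(ts)
        # Drop observations that have aged out of the correlation window.
        seen[host] = [(t, p) for t, p in seen[host]
                      if now - t <= timedelta(days=window_days)]
        seen[host].append((now, phase))
        # Each phase counts once: repeating one indicator cannot raise the score.
        phases = sorted({p for _, p in seen[host]}, key=PHASE_WEIGHT.get)
        score = sum(PHASE_WEIGHT[p] for p in phases)
        report = reports.setdefault(host, {"score": 0, "phases": [], "alarmed_at": None})
        report["score"], report["phases"] = score, phases
        # Progression across distinct phases is the tactical evidence being looked for.
        if report["alarmed_at"] is None and len(phases) >= 2 and score >= threshold:
            report["alarmed_at"] = (ts, phase, detail)
    return reports


if __name__ == "__main__":
    for host, report in correlate(OBSERVATIONS).items():
        print(host, report)
```

With the constructed data, 10.1.2.3 alarms at the delivery stage, before its C2 beacon is ever seen, while 10.1.2.9's repeated recon stays below the bar; shrinking the window to 30 days shows older phases aging out of a host's score while the earlier alarm record is kept.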
Don’t just take it from me, take a look at what Dwayne Melancon says on “The State of Security” BLOG:
“The goal is to use the “kill chain” to help you develop capabilities that allow you to identify attacks earlier in the kill chain, rather than waiting for late-stage attacks to become apparent. I like this, as it is very consistent with my views on focusing on early indicators vs. lagging indicators in breach detection. In other words, develop capabilities that help you identify intrusions while they are still in phases 1, 2, or 3 – and the lower the number, the better.”
Gartner also predicts:
“In 2020, enterprise systems will be in a state of continuous compromise. They will be unable to prevent advanced targeted attacks from gaining a foothold on their systems. Unfortunately, most enterprise information security spending to date has focused on prevention, in a misguided attempt to prevent all attacks. Moving forward, while preventative efforts such as enterprise firewalls, intrusion prevention systems (IPSs) and endpoint anti-malware systems will still be needed, the effectiveness of and associated spending on these technologies will decrease as a percentage of information security budgets. In addition, the shift to PCS discussed previously implies a move away from preventative toward detective controls. We believe the majority of information security spending will shift to support rapid detection and response capabilities, which are subsequently linked to protection systems to block further spread of the attack.
Part of the answer to the seemingly insurmountable problem of how to identify attacks without signature-based mechanisms lies in pervasive monitoring to identify meaningful deviations from normal behavior to infer malicious intent. If you assume systems will be compromised with advanced targeted threats, then information security efforts need to shift to detailed, pervasive and context-aware monitoring to detect these threats.”
(See Gartner Research: “Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence”, May 2013)
(Spoiler Alert: ISC8 product solution information follows!)
The newest addition to ISC8’s product line, Cyber adAPT®, does all of these things and a lot more. It’s also designed to augment and complement many of the security investments that corporations already have in place.
It is worth repeating from an earlier blog post that “Gartner estimates by 2020, 75% of IT budgets will be set aside for rapid detection and response approaches, up from less than 10% in 2012”.
If you think it’s time to start thinking about what your security architecture should look like in 2020, and how you can adopt a flexible “blood test” strategy, we’d love to talk to you.