Nick Race, New Zealand country manager for security service provider Arbor Networks, offers a sporting analogy for organisations facing a constantly changing information security landscape.
“Given the stealth of today’s advanced attack malware, the scale of data compromise and speed of execution, New Zealand organisations can no longer rely on a passive, defensive security strategy to get them over the ‘advantage line’,” he writes.
He shares the following pointers for CIOs and their chief information security officers:
“New Zealand enterprise security professionals are well aware they are under constant attack. They probably have defensive, primarily signature-based systems already in place, from endpoint anti-virus to next-generation firewalls. Many are armed with endless amounts of log data, from firewalls, intrusion detection and protection systems, web servers, application servers, and so on. However, logs do not provide the complete picture and only connect events after the fact. The real security challenge lies in the rapid correlation and interpretation of seemingly unrelated network traffic events.
Even pre-set security alerts, intended to help security teams, can be distracting with false positives, or simply overwhelming with less important alarms. It can be difficult to rapidly identify any given alert as a component of an attack that matters, and prioritise accordingly. The lack of context and the lack of genuine “situational awareness” can make it extremely challenging to spot a real threat solely from the discrete point system data provided by logs and alerts; it is very hard to see the big picture. Constantly reacting to alerts, especially without knowing with confidence their significance or whether the mitigation measures in place are truly effective, creates a sense of not being in control.
Today’s advanced attacks aren’t isolated events, nor are they static. They are multistage campaigns that probe a target’s defences, study security reactions and tailor their techniques to trick their targets, a bit like a “dummy runner” in rugby, or they simply work around an organisation’s defences. Advanced attacks are designed to be ‘stealthy’ and obfuscate their tracks. In many cases, alerts are just the tip of the iceberg, the significance of which is realised, if at all, long after the attackers have accomplished their goals.
Imagine a better way
Say an organisation knows it is under attack; it may even have some idea of the attack vectors based on industry alerts or recent suspicious activity. It certainly has a good idea of its most valuable assets, or likely attack vectors, perhaps phishing-related penetration of endpoints, or suspicious activity on Active Directory servers. What if it could actively hunt for malware and malicious behaviour within its network? What if it was possible to proactively check on these assets, actively seeking out infiltration within its network traffic?
Most organisations have a security information and event management (SIEM) system. However, SIEMs are not designed for this type of probing analysis; they are designed to react to pre-defined alerts. If they are triggered at all by stealthy malware, the alerts do not give the full picture, and the true threats represented by alerts can get lost in the noise, making it hard to prioritise. Besides, with incomplete intelligence, CSOs are constantly reacting to events, playing a game of catch-up. A more proactive response is required for sure.
Security analytics is the proactive analysis of large network data sets in real or near real-time. It allows CSOs to pre-emptively seek out and neutralise potential threats by examining the full scope and depth of network communications as embodied in full packet captures. Armed with security intelligence, awareness of each unique environment and expected network behaviour, security analytics puts enterprise security professionals in a position to get out in front of security events and gain real control.
Powerful, rapid visualisations allow security professionals to proactively look for malicious behaviour and identify Indicators of Compromise (IoCs) by quickly interacting with and intelligently sifting through network traffic data. It is possible to quickly and easily “zoom in and out” from years to seconds of specific network activity, on the same screen with a click of a mouse.
Since advanced attacks are designed as long-running campaigns, CSOs need the ability to quickly scrutinise past data to ‘connect the dots’ over time. With more current knowledge of stealthy components or attack indicators accumulated, it is possible to ferret out Zero Day malware in old traffic. This is critical for identifying current risk: where malware might have moved laterally, where packages might have been dropped along the way and, most importantly, how to get out in front of the threat.
Strengthen your security posture and incident response
Adding a proactive element to their security strategy can also help to strengthen New Zealand organisations’ security posture over time and make it more difficult for advanced attackers that tend to return again and again. They can implement far more down-to-earth risk assessment based on actual traffic data, as well as enhanced investigative and forensic capabilities, which can improve their incident response (IR) procedures.
Every time an actual attack is discovered while it is in progress, security teams learn which areas the attackers are targeting, the entry points used, the techniques for lateral movement and how they are attempting to exfiltrate the data they want.
Proactive security analytics is also a powerful risk assessment tool. As network traffic is better understood, including how it changes and evolves over time, CSOs will undoubtedly spot vulnerabilities. This ongoing, positive feedback loop will also help them to respond faster and protect themselves from future attacks.
Staying on the front foot with their security strategy allows CSOs to regain some measure of control over their networks, because their actions are more effective and they feel more confident. So why have a purely defensive strategy based on incomplete and post facto alerts? If your organisation or team is under attack, why stay only on the defensive?”
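The retrospective sweep Race describes, checking archived traffic against an indicator learned only later and connecting the hits into a timeline that can be viewed at coarse or fine time granularity, as an added example that is not part of the article or of Arbor's product. The flow records, addresses and the indicator are constructed for the example.

```python
"""Retrospective IoC sweep over archived connection records (constructed example)."""
from collections import defaultdict
from datetime import datetime

# Constructed archive of flow records: (timestamp, src, dst, dst_port, bytes_out).
# Every host, address and the indicator below is made up for this example.
FLOWS = [
    ("2015-01-12T09:14:02", "10.0.5.21", "203.0.113.77", 443, 2_100),       # beacon to an address later identified as C2
    ("2015-01-12T09:15:40", "10.0.5.21", "10.0.9.8", 445, 88_000),          # SMB to an internal file server
    ("2015-01-13T22:41:11", "10.0.9.8", "203.0.113.77", 443, 48_000_000),   # large outbound transfer from that server
    ("2015-02-02T11:03:55", "10.0.5.30", "198.51.100.9", 80, 900),          # unrelated traffic
]
NEW_IOCS = {"203.0.113.77"}  # indicator that became known months after the traffic was recorded


def sweep(flows, iocs):
    """Hosts that ever contacted an indicator, with their contact timestamps sorted."""
    hits = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        if dst in iocs:
            hits[src].append(ts)
    return {host: sorted(times) for host, times in hits.items()}


def bucket(flows, iocs, width):
    """Indicator hits per time bucket. `width` is a strftime format such as
    '%Y-%m' (zoomed out) or '%Y-%m-%dT%H:%M' (zoomed in to the minute)."""
    counts = defaultdict(int)
    for ts, _src, dst, *_ in flows:
        if dst in iocs:
            counts[datetime.fromisoformat(ts).strftime(width)] += 1
    return dict(counts)


def timeline(flows, iocs, exfil_bytes=10_000_000):
    """Connect the dots: first indicator contact per host, internal hops that host
    made afterwards (candidate lateral movement), and large transfers to an indicator."""
    first = {host: times[0] for host, times in sweep(flows, iocs).items()}
    events = [(ts, f"{host} first contacted indicator") for host, ts in first.items()]
    for ts, src, dst, port, nbytes in flows:
        if dst in iocs and nbytes >= exfil_bytes:
            events.append((ts, f"{src} sent {nbytes} bytes to indicator {dst}"))
        elif src in first and ts > first[src] and dst.startswith("10."):
            events.append((ts, f"{src} -> {dst}:{port} after indicator contact"))
    return sorted(events)  # ISO-8601 timestamps sort chronologically as strings


if __name__ == "__main__":
    for ts, what in timeline(FLOWS, NEW_IOCS):
        print(ts, what)
```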
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter: @cio_nz