The Evolution of Threat Detection and Management

Transcription

1

2 Detection and Enterprises must understand the latest threat detection options to keep up with advanced cybercriminals who can bypass enterprise security defenses. An advanced persistent threat could be disastrous if targeted at entities of strategic value. Read this expert E-Guide to discover tips on how to tackle advanced persistent threats and be prepared for them. Michael Cobb, Application Security Cybercriminals of all persuasions now easily and routinely bypass existing enterprise security defenses by blending into the background noise of an organization s operations. These advanced attacks now take place over months and years, subverting traditional malware-detection products that only scan for known malware at a given point in time. For example, a newly discovered Trojan called APT.BaneChant uses multiple detection-evasion techniques, including masquerading as a legitimate process, monitoring mouse clicks to avoid sandbox analysis and performing multibyte XOR encryption to evade network-level binary extraction technology. It also uses fileless malicious code loaded directly into memory and escapes automated domain blacklisting by using redirection via URL shortening and dynamic DNS services. Such attacks are testing the limitations of existing security analytics tools, and the recent Mandiant Corp. APT1 report shows just how long-running and sophisticated cyberespionage campaigns have become. According to the 2013 Cyber Threat Readiness survey conducted by LogRhythm, an alarming 75% of respondents lack confidence in their ability to recognize key indicators of a breach. Many reported breaches have originally gone undetected with most discovered not by the in-house security team, but by a third party. Page 2 of 10

3 Detection and Enterprises can no longer rely solely on endpoints to stop this type of malware infection. Additional dynamic before-the-fact defenses must be implemented to effectively combat advanced attacks at all layers and identify behaviors not seen before. Thankfully many security vendors are starting to upgrade their intelligence-driven security products to counter the problem of today s advanced threats. Big data analytics One common approach is the incorporation of security big data analytics to aid the discovery of malicious activity hidden deep in the masses of an organization s network traffic. Big data is defined any type of data, structured and unstructured, that can provide incite in to network activity. Enterprises create colossal amounts of data: s, documents, social media data, audio, click streams, network traffic, and log files (both historical and realtime of files being accessed), registry changes made, and processes starting and stopping. Other system information, such as processor or memory utilization, can highlight unexpected changes in the status of a system while external threat intelligence feeds can further clarify what s normal or acceptable by not limiting analysis to just the data created by one organization. While this data has for years been stored in siloed repositories or disparately throughout an enterprise, the dire realities of today's attack landscape have fostered new demand for technology that can aggregate this data, analyze it quickly and develop clues pointing to advanced attacks that would otherwise go undetected. Although security information and event management (SIEM) products offer a central point of collection and monitoring for enterprise activity data, they have been mainly deployed in order to meet compliance reporting requirements, particularly with the merchant-focused Payment Card Industry Data Security Standard (PCI DSS). Few organizations actually use the technology s event-correlation capabilities and most products don t provide enough in-depth visibility to facilitate today s analytic needs. Vendors are seeking to address this with next-generation SIEM products that widen the scope and scale of data collection and real-time analysis so that diverse events can be put into context to find unusual activity. (It should be noted that Page 3 of 10

4 Detection and network behavioral anomaly detection (NBAD) products do provide this capability, but only at the network layer.) Real-time analysis using adaptive intelligence of this big data understanding what s normal in order to recognize what s abnormal can greatly improve the chances of recognizing the indicators of an advanced threat or breach from numerous attack vectors such as advanced persistent threats, fraud and malicious insiders. This pre-attack focus aims to keep a network ahead of attackers and pinpoint potential attack patterns, even if they are spread out over a period of time. There are plenty of new innovative products coming onto the market. The LogRhythm SIEM 2.0 platform now integrates with Rapid7 s Nexpose vulnerability management product to deliver data security analytics and unified risk assessment capabilities from within the LogRhythm console. IBM is combining security intelligence with big data using the IBM QRadar Security Intelligence and IBM Big Data Platforms to provide a comprehensive, integrated approach to real-time analytics across massive structured and unstructured data. The RSA Security Analytics product uses threat intelligence from the global security community and RSA FirstWatch to leverage what others have already uncovered and improve detection of malicious activity within an organization s big data. Scalability, powerful analytical tools, and support for heterogeneous event sources are the most important capabilities when assessing next-generation SIEM products, particularly when it comes to time-sensitive processes such as fraud detection, to ensure that they can process the vast amounts of diverse data. Certainly check that any shortlisted solution creates actionable intelligence based on business context so threats which pose the greatest risk are prioritized. Tools for visualizing and exploring big data are another key feature as they can quickly highlight infected devices and other hot spots. Sandboxing and whitelisting SIEM and big data are not the only options when it comes to mitigating today s threats. Sandboxing and whitelisting are other technologies worth Page 4 of 10

5 Detection and considering. Bit9 s whitelist security software is a trust-based solution using endpoint agents that allows administrators to specify software that can execute on desktops and laptops. A new feature is the ability to leverage the on-demand cloud-based Bit9 Software Reputation Service for highly accurate detection of suspicious malware and associated files. Sandboxing keeps applications separate so malicious code cannot transfer from one process to another. Any application or content that is unknown can be treated as untrusted and isolated in its own sandbox. McAfee like other security vendors has been acquiring relevant technologies to add to its product range. It plans to offer sandboxing technology in its epolicy Orchestrator suite in the second half of By running suspected malware in a sandbox, it can learn what effect it will have on an endpoint and automatically block future occurrences and remediate any already infected endpoints. Fortinet's FortiCloud cloud-based sandboxing service provides an online sandboxing portal to execute suspicious code in a virtual environment. Of course, security teams need to extend threat detection and protection to the mobile devices connecting to their networks, particularly as mobile device users are at least three times more likely to become victims of phishing attacks than desktop users. The Mobile Threat Network from Lookout Mobile Security delivers over-the-air protection to mobile users. Lookout is another product that uses a big data analysis approach to spotting malware and predicting where it will crop up next. Enterprises running their own app stores can also use the Lookout API to ensure that the apps offered are safe. The RSA FraudAction Anti Rogue App Service also detects any malicious or unauthorized mobile apps that infiltrate online app stores. Whichever advanced threat detection technology an organization deploys, its effectiveness will depend on those configuring and monitoring it. People are always going to a big part of any threat management program. Administrators must learn how to use emerging technology effectively so that it actually provides additional protection. Training such as Symantec s Cyber Threat Incident Response Training as well as the many indepth training courses provided by SANS and others will help staff Page 5 of 10

6 Detection and understand how to identify threats and respond and recover from malicious events. As with any new IT technology, it s important not to get caught up in vendors' marketing hype. Concentrating more on detection and response doesn t mean that point defense technologies like firewalls and antivirus are no longer relevant. Securing any network will still require documented policies and procedures as a foundation for success. Classification of assets and data is essential and remember that although threat management begins with threat identification, remediation is also an essential part of a successful threat management process. About the author: Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO certification. He is a noted security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. Anand Naik Advanced persistent threats (or APTs) have become the new catchphrase in the global infosec community. This tag refers to new age threats, orchestrated to persistently target a designated entity, as with worms like Stuxnet. An advanced persistent threat has a specific objective, and is executed by skilled, organized as well as well-funded operators. It s important to note that not all threats are advanced persistent threats. While threats may be advanced in nature with respect to the usage of vectors and range of exploited vulnerabilities, they may not be necessarily persistent. Within the anatomy of an attack from insertion and incubation to execution and exfiltration an advanced persistent threat tends to take much longer to infect target systems than other threats. It s estimated that it could have Page 6 of 10

7 Detection and taken Stuxnet around eight months to infiltrate Iran s uranium enrichment facility. Identifying weaknesses Organizations need to gain insight into which information assets are most likely to be targeted, as well as which need most protection if an environment is targeted by an advanced persistent threat. Within an environment, a particular application and its associated data might be operation critical. Asset awareness, thus, is the first step to defending against an advanced persistent threat. To illustrate this point, take a company s quarterly financial data. This data is critical in the period between the end of a quarter and before the quarterly results announcement. Beyond this time frame, this data diminishes in value. Advanced persistent threats are usually targeted against organizations having strategic value. Given the resources involved in launching a persistent attack, apart from the requisite expertise, APTs are usually backed by state agents and may be used for espionage or cyber-warfare. The impact of an advanced persistent threat on entities such as governments, or strategic installations such as power grids, research centers, oil platforms or arsenals, could be disastrous in terms of disruption of services and theft of classified information. An instance would be that of a private operator in power generation getting targeted by an advanced persistent threat. This could potentially bring entire grids and everything connected to them to a standstill. Tackling advanced persistent threats Any threat must be identified before it can be tackled. Organizations need to be aware not only of threats at large, but also threats specifically targeted at them. There are several things to consider: Comprehensive polices and governance mechanisms: The first line of defense against an advanced persistent threat is the information Page 7 of 10

8 Detection and security policy. Policies define access controls and the security posture of an enterprise. A robust information security policy has no substitute. Governance framework is another important aspect. Factors such as planning for remediation and eradication are an intrinsic part of defending against loss from an advanced persistent threat attack. These two factors are critical to address this problem in the long term. Note that the framework that applies to physical infrastructure may not work for a cloud or virtual setup. Correlation and threat management: Correlation mechanisms should be available in real time for threats to be identified as soon as a compromise is initiated. This is essential to leveraging any existing global information to protect against the advanced persistent threat entering your environment. Identifying the sources of your advanced persistent threat is an important factor. For example, if evidence suggests that assets in country X keep getting targeted by attacks originating from country Y, it makes sense to be extra cautious and screen all connections to and from that geographic location. Most major security vendors have global intelligence networks providing reputation databases and live feeds for emerging threats. However, unless there is a proper governance and correlation mechanism in place, a security feed would merely generate false positives. These two aspects in conjunction provide an effective means to leverage threat intelligence and provide actionable data against an advanced persistent threat, while reducing the incidence of false positives. There are also sophisticated technologies available from major vendors today that use various ways of analyzing data through layered defense mechanisms. Even in such cases, these technologies are only relevant if the environment in question has an existing correlation and threat management mechanism to be effective against an advanced persistent threat. Page 8 of 10

9 Detection and About the author: Anand Naik heads technology sales for Symantec in India and SAARC. He has over 17 years of experience in the IT industry, in the areas of strategic planning and consulting. Prior to Symantec, he was with IBM, heading a team of solutions architects. Page 9 of 10

10 Detection and Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 10 of 10