More sophisticated cyber-security threats are changing the threat detection landscape, and requiring companies to think differently about how they look for incidents.
One of the biggest changes is an industrialization of hacking. Groups now have offices and cubicles; workers have weekends and take vacation time. Gone are the days of scrawny teenagers in a dark basement, looking to impress their girlfriends.
“As hackers start to realize the potential payoff that’s out there, they start to professionalize and deploy classic entrepreneurial maneuvers, like land grabs,” said Martin Roesch, vice president and chief architect of Cisco’s Security Business Group, during an RSA 2015 keynote. “The increasing value of the data online is a big target, and the skills required and barriers to entry for hacking are low. Our adversaries are highly motivated. Whether it’s nation-state adversaries, money-motivated criminals or hacktivists, the industrialization of hacking has turned out to be a real thing. And we’re seeing ever more voracious attackers executing more daring attacks, and are getting away with a bigger haul.”
Independent research from Proofpoint bears this out: In the past year, there’s been a staggering 90 percent reduction in consumer phishing lures. Instead, phishes tell the victim that he or she has a voicemail; that he or she has an e-fax; or that there’s been an issue with a wire transfer. In contrast, the top three phishing lures last year were: social networking-based; financial warnings about banking problems; and order confirmations.
The company’s Human Factor Threat Report also found that messages are now typically delivered on Tuesdays and Thursdays around 10 a.m. (as opposed to early in the morning before work), and that the number of middle managers being targeted has doubled.
“If you can compromise middle management, they have access to a lot of critical systems, including wire transfer, patient databases, or even purchase and procurement mechanisms,” said Kevin Epstein, vice president of advanced security and governance at Proofpoint. “Consider that credit card information is worth 10 times less than personal information about customers or patients.”
There are new types of attacks appearing as well. Adi Shamir, a co-creator of the RSA cryptography algorithm (he’s the “S” in the name), said that the Internet of things (IoT), while a big buzzword, represents a whole new front opening up in the threat landscape.
For instance, his team took a look at automated smart lighting systems, which use unsecured Wi-Fi to communicate information between nodes and with the server. Typically, the passwords used in such systems are passed on as unencrypted traffic—meaning that any halfway decent hacker could easily obtain the credentials. And from there, using his or her access to lighting control, the attacker can proceed to exfiltrate data in an ingenious way.
“You can control the intensity of the light, which allows us to rapidly change the amount of light coming from the bulbs from 100 percent to 95 percent,” he explained, on stage at RSA 2015 for a cryptographer’s panel. “The human eye doesn’t notice it. But we can make the Wi-Fi system inside the secure perimeter leak information by flickering rapidly the amount of light coming from the bulbs—and anyone outside can gain information that way.”
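A defender-side check for the light-modulation channel Shamir describes, added here as an example and not taken from the panel or from any product: it scans a lighting controller's command log for sustained, rapid reversals of small brightness steps (the 100-to-95-percent toggling mentioned above) while ignoring ordinary dimming and slow fades, which change brightness in one direction. The command format, the thresholds and the sample logs are all constructed assumptions.

```python
"""Flag lighting-control command streams whose rapid, small brightness
reversals look like a modulation channel rather than ordinary dimming.
All commands below are constructed for this example."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LightCommand:
    ts: float   # seconds since controller start (assumed log field)
    level: int  # requested brightness, 0-100 percent (assumed log field)


SUBTLE_STEP = 10      # steps of this many percent or less are sub-perceptual
ALERT_RATE = 2.0      # reversals per second that trigger an alert
WINDOW_SECONDS = 5.0  # width of the sliding analysis window


def reversal_times(cmds: List[LightCommand], subtle: int = SUBTLE_STEP) -> List[float]:
    """Timestamps at which brightness changed direction by a small amount
    both before and after the command. A fade (monotonic) never qualifies;
    a two-level toggle qualifies at almost every command."""
    cmds = sorted(cmds, key=lambda c: c.ts)
    times = []
    for prev, cur, nxt in zip(cmds, cmds[1:], cmds[2:]):
        d1 = cur.level - prev.level
        d2 = nxt.level - cur.level
        if d1 * d2 < 0 and abs(d1) <= subtle and abs(d2) <= subtle:
            times.append(cur.ts)
    return times


def reversal_rates(cmds: List[LightCommand], window: float = WINDOW_SECONDS,
                   subtle: int = SUBTLE_STEP) -> List[Tuple[float, float]]:
    """(window_start, reversals_per_second) for each window over the stream."""
    times = reversal_times(cmds, subtle)
    if not times:
        return []
    rates = []
    t = times[0]
    while t <= times[-1]:
        n = sum(1 for ts in times if t <= ts < t + window)
        rates.append((t, n / window))
        t += window
    return rates


def flag_windows(cmds: List[LightCommand], threshold: float = ALERT_RATE) -> List[Tuple[float, float]]:
    """Windows whose reversal rate is high enough to warrant investigation."""
    return [(t, r) for t, r in reversal_rates(cmds) if r >= threshold]


# Constructed baseline: a normal daytime dimming schedule (large, slow steps)
NORMAL = [LightCommand(0, 100), LightCommand(60, 80),
          LightCommand(120, 100), LightCommand(600, 0)]
# Constructed slow fade: 1 percent per 100 ms in one direction (no reversals)
FADE = [LightCommand(i * 0.1, 100 - i) for i in range(11)]
# Constructed suspicious pattern: 100/95 toggle ten times a second for 3 s
COVERT = [LightCommand(i * 0.1, 100 if i % 2 == 0 else 95) for i in range(30)]

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("fade", FADE), ("covert", COVERT)):
        print(name, flag_windows(stream))
```

The reversal count, rather than the raw number of small steps, is what keeps legitimate fades and "breathing" effects out of the alert queue; a real deployment would tune the window and rate against the controller's own scheduling traffic before alerting on it.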
Meanwhile, advanced persistent threats (APTs) are a rising scourge—and are becoming more effective. Security researchers at Cisco have found that 75 percent of all attacks only take minutes to begin stealing data, and more than 50 percent of attacks persist for months or years before they are discovered.
All of this, in turn, requires a change in how threat detection works if it is to remain viable.
A New Era for Threat Detection
For modern threat detection to be effective, context and visibility are everything.
“Today’s advanced threat detection takes various behavioral approaches to illuminating malware. Instead of trying to detect malware based on what it is (signature based), behavioral malware detection relies on what the malware does,” said Frank Dickson, research director at Frost & Sullivan. “However, detection is only half the battle; the other half requires blocking and, if necessary, remediating the affected systems. Without a system capable of automated response to quickly react to threats once discovered, companies are effectively an open window for data exfiltration or malware propagation on their networks. Data exfiltration is measured in minutes; the metric for response needs to be the same.”
Ideally, enterprises should have a way to gain holistic knowledge about their security environment.
Cisco’s Roesch advocates the creation of an event management platform that can combine intelligence from various vendor platforms, like intrusion protection, sandboxing, antivirus and other endpoint security systems and so on.
“Security technologies have a lot of awareness about their local environment,” said Roesch. “What if we could build a platform to bring all of this together in one place? The ability to export their data and externalize their data into one central visibility platform, and then have a single map of what’s running in my network would be invaluable.”
“Contextualizing our security events to drive better control is important—what does this event mean?” he added. “I believe this is very doable, and what we see is that this approach is very powerful when deployed appropriately. These visibility engines need to get built.”
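A small sketch of the contextualization Roesch is describing, added here as an example rather than code from Cisco or any platform: records from three different products are exported into one common event schema, joined against an asset inventory, and scored so that an exploit signature aimed at the wrong operating system drops out while corroborated findings on a valuable host rise to the top. The product feeds, their field names, the asset inventory and the scoring rule are all constructed assumptions.

```python
"""Normalize alerts from several security products into one schema, attach
asset context, and rank hosts. All feeds and the asset inventory below are
constructed for this example; product names and field names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    host: str
    os: str           # "windows" or "linux"
    criticality: int  # 1 (expendable) .. 5 (crown jewel)


@dataclass(frozen=True)
class Event:
    source: str                      # product that raised it
    host: str                        # asset the event concerns
    summary: str
    severity: int                    # 1..5 as reported by the product
    target_os: Optional[str] = None  # IPS signatures: OS the exploit applies to


# Constructed asset inventory: the "single map of what's running in my network"
ASSETS: Dict[str, Asset] = {
    "db01": Asset("db01", "linux", 5),
    "hr-laptop-7": Asset("hr-laptop-7", "windows", 3),
    "kiosk-2": Asset("kiosk-2", "linux", 1),
}

# Constructed raw records, each in its product's own (assumed) field layout
IPS_ALERTS = [
    {"src": "203.0.113.9", "dst_host": "db01", "sig": "SMB exploit attempt",
     "sig_os": "windows", "sev": 5},
    {"src": "198.51.100.4", "dst_host": "hr-laptop-7", "sig": "Exploit kit landing page",
     "sig_os": "windows", "sev": 3},
]
SANDBOX_VERDICTS = [
    {"host": "hr-laptop-7", "sha256": "CONSTRUCTED-HASH", "verdict": "malicious", "sev": 4},
]
AV_DETECTIONS = [
    {"host": "hr-laptop-7", "name": "Trojan.Generic", "sev": 3},
    {"host": "kiosk-2", "name": "Adware.Bundler", "sev": 2},
]


def normalize_all() -> List[Event]:
    """Export each product's records into the common Event schema."""
    events = [Event("ips", a["dst_host"], f'{a["sig"]} from {a["src"]}', a["sev"], a["sig_os"])
              for a in IPS_ALERTS]
    events += [Event("sandbox", v["host"], f'{v["verdict"]} file {v["sha256"]}', v["sev"])
               for v in SANDBOX_VERDICTS]
    events += [Event("av", d["host"], d["name"], d["sev"]) for d in AV_DETECTIONS]
    return events


def contextualize(ev: Event, assets: Dict[str, Asset]):
    """Answer 'what does this event mean?' for one event. Returns (status, score):
    an exploit signature for the wrong OS scores 0; otherwise the product's
    severity is weighted by how much the asset matters."""
    asset = assets.get(ev.host)
    if asset is None:
        return "unknown-asset", ev.severity      # no context: keep raw severity
    if ev.target_os is not None and ev.target_os != asset.os:
        return "not-applicable", 0
    return "applicable", ev.severity * asset.criticality


def build_picture(events: List[Event], assets: Dict[str, Asset]) -> Dict[str, dict]:
    """Group contextualized events by host, totalling score and noting which
    independent products contributed an applicable finding."""
    picture: Dict[str, dict] = {}
    for ev in events:
        status, score = contextualize(ev, assets)
        entry = picture.setdefault(ev.host, {"score": 0, "sources": set(), "events": []})
        entry["score"] += score
        if status == "applicable":
            entry["sources"].add(ev.source)
        entry["events"].append((ev.source, ev.summary, status, score))
    return picture


def ranked_hosts(picture: Dict[str, dict]) -> List[str]:
    """Hosts ordered by total score, then by how many products agree."""
    return sorted(picture,
                  key=lambda h: (picture[h]["score"], len(picture[h]["sources"])),
                  reverse=True)


if __name__ == "__main__":
    pic = build_picture(normalize_all(), ASSETS)
    for host in ranked_hosts(pic):
        print(host, pic[host]["score"], sorted(pic[host]["sources"]))
        for row in pic[host]["events"]:
            print("   ", row)
```

With the constructed feeds, the highest-severity alert in the input (the SMB exploit attempt against the Linux database server) ends up at the bottom of the list, while the laptop with three independent products agreeing rises to the top; that is the effect of the asset context, not of any single sensor.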
ForeScout Technologies is starting to take this approach with its ControlFabric platform. It recently announced integrations with several advanced threat detection (ATD) solutions, including Bromium, Damballa, Invincea, and Palo Alto Networks.
ATD solutions help protect organizations against targeted APTs and zero-day malware. By integrating with ForeScout CounterACT via the ControlFabric architecture, the joint solutions provide real-time visibility and compliance management of devices on the network, and effective response to APTs and zero-day threats.
“Combining CounterACT with leading ATD solutions such as those from Bromium, Damballa, Invincea and Palo Alto Networks allows customers to scan their network devices and give additional clues to determine the extent of infection, while also initiating action to prevent malware propagation and the likelihood of a data breach,” said Len Rosenberg, RVP of systems engineering at ForeScout. “Our ControlFabric integrations demonstrate ForeScout’s commitment to delivering holistic solutions that help customers derive the greatest benefit from their security investments and significantly improve their security postures.”
With real-time visibility into users, devices (including BYOD devices), systems and applications, IT organizations can centrally apply granular policies to understand their true security posture and to automatically respond to a wide variety of security issues.
Approaches like these can also be combined with other out-of-the-box thinking. For instance, the Turing test—pioneered by the great cryptographer Alan Turing—in theory allows an individual to distinguish whether he or she is talking to a human or a machine. RSA’s Shamir postulates that humans need a similar test to identify bot-based attackers.