This guest blog post is by Jason Matlof, Executive Vice President, LightCyber. We thank LightCyber for being a sponsor.
Your Current Defenses Aren’t Good Enough
Traditional security technologies are no longer able to prevent access to a target network. Premera, Anthem, Target, and Home Depot are high-profile examples of successful, determined attackers. Post-incident surveys from Verizon and PwC confirm that 77% of organizations were breached last year, that the average attack persists for about seven months, and that external parties discover most breaches – not the victim/target.
The next generation of security must identify and alert on attacks inside the perimeter to manage business risk.
Hunting for targeted attackers by searching for malware, blacklisted domains, and other types of technical artifacts has limited effectiveness. Existing threat prevention approaches look for breach activity in the wrong places or result in floods of false alerts.
The Solution: Focus on the Attacker Behavior
Certain operational behaviors are necessary for a targeted breach to be successful. For example, when an intruder lands inside the network perimeter, the first step is to explore the network, understand its topology, and look for vulnerable systems. Next, “lateral movement” inside the network aims to establish a greater foothold in the network and ultimately access valuable assets.
The technology challenge in behavioral anomaly detection is to distinguish normal activities from those that look similar but are truly malicious. The basic process is to profile all user and device network activity to create a behavioral profile for monitoring and alerting.
Post-intrusion behaviors of reconnaissance and lateral movement can be recognized by LightCyber and associated with specific hosts. LightCyber will then interrogate the suspect hosts for anomalous files or processes before throwing an alert. This increases true positives and provides detailed actions for incident responders as an entry point for threat response.
This example highlights how to move beyond the exclusive mindset focused on “artifact-based” threat prevention and invest in new detection technologies with behavioral profiling to detect active attacks that have circumvented the threat prevention infrastructure.
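As an added illustration of the behavioral profiling described above (example code written for this post, not LightCyber's product): it learns each host's normal destination fan-out and known peers from three days of constructed flow records, then flags a day-4 internal sweep and new admin-port connections. Host names, ports, the learning window and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

ADMIN_PORTS = {22, 445, 3389}  # ports typical of remote administration (assumption)
# Constructed flow records (day, src_host, dst_host, dst_port). Days 1-3 are the learning
# period; on day 4 ws-1 sweeps twenty peers over SMB and opens RDP to a host it never used.
FLOWS = (
    [(d, "ws-1", dst, 443) for d in (1, 2, 3, 4) for dst in ("srv-web", "srv-mail")]
    + [(d, "ws-2", "srv-file", 445) for d in (1, 2, 3, 4)]
    + [(4, "ws-1", f"ws-{n}", 445) for n in range(10, 30)]
    + [(4, "ws-1", "srv-dc", 3389)]
)

def build_profiles(flows, learn_days):
    """Per source host: mean/stdev of distinct destinations per learning day,
    plus the set of every destination seen during learning."""
    daily = defaultdict(lambda: defaultdict(set))  # host -> day -> {dst}
    for day, src, dst, _port in flows:
        if day in learn_days:
            daily[src][day].add(dst)
    profiles = {}
    for host, per_day in daily.items():
        counts = [len(per_day.get(d, ())) for d in learn_days]
        known = set().union(*per_day.values())
        profiles[host] = {"mean": mean(counts), "sd": pstdev(counts), "known": known}
    return profiles

def detect(flows, profiles, eval_day, k=3.0, min_fanout=5):
    """Findings for eval_day: recon = distinct-destination fan-out far above the host's
    own baseline; lateral = admin-port connections to peers unseen during learning."""
    fanout, new_admin = defaultdict(set), defaultdict(set)
    for day, src, dst, port in flows:
        if day != eval_day:
            continue
        fanout[src].add(dst)
        known = profiles.get(src, {}).get("known", set())
        if port in ADMIN_PORTS and dst not in known:
            new_admin[src].add(dst)
    findings = defaultdict(list)
    for host, dsts in fanout.items():
        prof = profiles.get(host, {"mean": 0.0, "sd": 0.0})
        threshold = max(min_fanout, prof["mean"] + k * prof["sd"])
        if len(dsts) > threshold:
            findings[host].append(f"recon: {len(dsts)} destinations vs baseline {prof['mean']:.1f}")
        if new_admin[host]:
            findings[host].append(f"lateral: admin-port connections to {len(new_admin[host])} new hosts")
    return dict(findings)

if __name__ == "__main__":
    print(detect(FLOWS, build_profiles(FLOWS, (1, 2, 3)), 4))
```

Only ws-1 is reported; ws-2's daily SMB session to its usual file server stays within its own profile, which is the point of baselining per host rather than alerting on the protocol alone.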
Hooked On Technical Artifacts
Existing threat prevention systems are still needed but not sufficient to find targeted or persistent attackers. Anti-virus, intrusion detection, sandboxing and other technologies look for static technical artifacts on hosts or in the network using pattern matching or heuristics and generate unacceptably high false negative rates. Statically defined artifacts such as file signatures, blacklisted domains, protocol anomalies, and other indicators of compromise are easily bypassed. Persistent attackers can always design a new attack methodology that will circumvent detection by these static attack definitions, and the “dark web” has services that provide automated testing against known vendor technology.
Attackers are evolving malware so that real targeted attacks are often missed in the noise. For example, blacklisted domain lists are often used to detect exfiltration activities but will miss targeted attackers that are smart enough to stay ahead by regularly employing new domains. Another common tactic is to embed C&C signals within Twitter or Facebook messaging, which will circumvent detection via domain blacklists and result in false negatives.
A Flood Of Alerts
Perhaps the largest single problem in breach detection is floods of alerts. Everyone knows that legacy threat prevention systems produce high rates of false positives for detected events that never result in a successful intrusion.
Security analytics platforms (e.g., SIEM, forensics, etc.) scour massive data sets and generate alerts through event correlation and threshold algorithms, but have high false positive rates. Teams of experienced security analysts reviewing hundreds or thousands of alerts per day are unlikely to spot the one that may be genuine criminal activity.
Alert triage is hard, and, over time, produces an operational cynicism that makes spotting a real breach even harder. It’s similar to the car alarm problem: a car alarm going off used to attract a sense of extreme urgency, but today no one notices.
To learn more about how to quickly and accurately detect an active breach on your network and greatly boost the operational efficiency of your security team, visit LightCyber for access to white papers, demos, and additional information.