Breach detection: Five fatal flaws and how to avoid them
When the Sarbanes-Oxley Act of 2002 was passed, it fell on corporate security teams to translate its requirements into technical controls. That threw the IT Security function into the deep end of the pool, and it has been sink or swim ever since.
The Sarbanes-Oxley Act was the first of a wave of regulation focused on the integrity of IT systems, and compliance became Priority One for corporate security teams. Then came APTs and the ongoing parade of mega-breaches, which made cyber security Priority One for CEOs and Boards and triggered yet another major cultural and political shift as cyber security entered, and stayed in, the spotlight.
These days, it is not about defending a (non-existent) perimeter, but about protecting the organization’s attack surface, which has changed dramatically due to the cloud, mobility, BYOD, and other advances in corporate computing that have caused fundamental shifts in network architecture and operations.
Practically speaking, it means you need to monitor what is occurring inside the firewall at least as closely as what is “outside” trying to make its way in.
In theory, it is a simple evolution, but given the accelerated pace at which security organizations have had to mature, it is not necessarily an easy transition to make. Not only has the threat landscape changed, but the leadership, skills, tools and budget required for effective cyber security have been in a constant state of flux.
As a result, even in mature shops, lingering security practices based on the “moat and castle” model of defense persist: practices based on flawed thinking or misconceptions which, if left unchecked, hinder fast detection and response.
Here are some of the ones we see the most:
Flaw #1: Fixation on penetration prevention
Solution: Shift to an “already compromised” mindset
With APTs more prominent than ever, it is no longer a question of if a company gets breached, but when. Organizations should evolve their defenses accordingly: instead of focusing only on preventing penetration, focus on the adversarial activity already going on inside your network. The good news is that you have an advantage: the majority of the damage is usually done several months after the initial penetration. Attackers tend to use ‘low and slow’ techniques, performing only a few actions per day to evade detection while they learn the organization and plan a reliable route to their true target.
Flaw #2: Accepting simple explanations
Solution: Always dig deeper
Security events should not be written off as error or accident. Every piece of evidence should be thoroughly analyzed and malicious intent must always be considered. Because defenders cannot know all adversarial activity, they are at a disadvantage; it is therefore crucial for security teams to over-investigate what they can see in order to reveal the unknown, undetected elements connected to it. Security teams must always assume they only see half the picture, and work diligently to uncover the rest of the pieces of the puzzle.
Flaw #3: Fast remediation
Solution: Leverage the known
Instead of remediating isolated incidents as fast as possible, closely monitor what is known to understand how it connects to other elements in the environment, and use it to reveal the unknown. For example, an unknown malicious process can be revealed if it connects to the same IP address as a detected, known malicious process. Moreover, remediating the known tool on sight tells the attackers which of their tools are easy to detect; they can then purposely deploy the known tools in excess to distract the defender and waste their time.
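The pivot described above (known-bad process, shared remote address, previously unknown process) as an added example, not code from the original post. The telemetry, host names, process names and addresses are constructed; the expansion is iterative, so a process found through one shared address is itself used to find the next, and addresses contacted by many distinct processes are not followed, since a common update or SaaS server would otherwise drag the whole fleet into the result:

```python
"""Pivot from a known-malicious process to unknown ones via shared infrastructure.
Added example; the telemetry below is constructed, not real EDR data."""
from collections import defaultdict

# Constructed endpoint network telemetry: (host, process, remote_ip).
TELEMETRY = [
    ("ws-017", "known_bad.exe", "203.0.113.10"),
    ("ws-017", "known_bad.exe", "203.0.113.10"),
    ("ws-017", "chrome.exe", "198.51.100.5"),
    ("ws-042", "svchost.exe", "203.0.113.10"),   # unknown tool sharing the C2 address
    ("ws-042", "svchost.exe", "203.0.113.77"),   # a second C2 address
    ("srv-db1", "updater.exe", "203.0.113.77"),  # only reachable through the second hop
    ("ws-017", "known_bad.exe", "198.51.100.5"), # also contacted by benign software
    ("ws-099", "outlook.exe", "198.51.100.5"),
    ("ws-100", "teams.exe", "198.51.100.5"),
]


def build_graph(telemetry):
    """Bipartite adjacency between process keys (host, name) and remote IPs."""
    proc_to_ips = defaultdict(set)
    ip_to_procs = defaultdict(set)
    for host, proc, ip in telemetry:
        key = (host, proc)
        proc_to_ips[key].add(ip)
        ip_to_procs[ip].add(key)
    return proc_to_ips, ip_to_procs


def pivot(telemetry, seed, max_prevalence=2):
    """Expand from `seed` (host, process) to every process reachable through
    shared remote IPs, breadth-first. IPs contacted by more than
    `max_prevalence` distinct processes are treated as shared infrastructure
    and not followed. Returns {process: list of IPs that led to it}."""
    proc_to_ips, ip_to_procs = build_graph(telemetry)
    found = {seed: []}
    frontier = [seed]
    while frontier:
        next_frontier = []
        for proc in frontier:
            for ip in proc_to_ips[proc]:
                if len(ip_to_procs[ip]) > max_prevalence:
                    continue  # too common to be a meaningful pivot
                for other in ip_to_procs[ip]:
                    if other not in found:
                        found[other] = found[proc] + [ip]
                        next_frontier.append(other)
        frontier = next_frontier
    found.pop(seed)
    return found


if __name__ == "__main__":
    for proc, chain in pivot(TELEMETRY, ("ws-017", "known_bad.exe")).items():
        print(proc, "via", " -> ".join(chain))
```

Run against the constructed data, the seed on ws-017 leads to svchost.exe on ws-042 through 203.0.113.10, and from there to updater.exe on srv-db1 through 203.0.113.77, while chrome.exe is excluded because 198.51.100.5 is contacted by four different processes. The prevalence threshold is the knob that decides between missing a shared C2 address and pulling in noise; in a real environment it would be tuned against historical data rather than hard-coded.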
Flaw #4: Focusing on malware
Solution: Focus on the entire attack
Although detecting malware is important, solutions that focus mainly on isolated activity on individual endpoints cannot properly combat complex hacking operations. Instead, employ a more holistic defense. Leverage automation, analytics and threat intelligence in particular, to gain context on the entire malicious operation rather than just the code. Keep in mind that your adversary is a person (or people): malware is one of their most powerful tools, but only one of many in their tool kit.
Flaw #5: Letting false alerts get the best of you
Solution: Automate investigations
Because many security solutions produce a large volume of sporadic alerts (many of them false) with little context, security teams spend endless hours manually investigating and validating them. This lengthy process keeps security teams from addressing the real question: is there a cyber-attack underway? This is another case where the proper use of automation can dramatically increase productivity and shorten detection and response times, which results in less costly and damaging attacks. If budgetary constraints prevent the proper use of automation, quantify the value of the investment you are asking the company to make.
Like many aspects of IT, breach detection is part art, part science. However, what distinguishes a good analyst from a great one is how they think. Avoiding these misconceptions enables security teams to approach breach detection much more strategically and make better use of the resources at their disposal.