Information security is in the early stages of a tectonic shift. As a result, there are several “disconnects” developing that organizations should take into consideration while crafting a modern security posture.
Below are four key areas of disconnect I currently see:
Disconnect No. 1: Static Indicators of Compromise
Static indicators of compromise (signatures, hashes, domains, etc.) are trivial for malicious actors to change and are only helpful for finding yesterday’s known malware. Despite this, most security solutions still rely on static indicators of compromise for detection and protection.
Highly effective and difficult-to-evade detection should derive from the relationships and patterns among events, not just from static indicators. Doing so forces your adversary to change tactics and procedures. For attackers, that’s much more costly and time-consuming than merely re-encoding an exploit to change its hash or using a domain generation algorithm to evade detection.
In a mature security organization, today’s response helps inform tomorrow’s detection and prevention. Invest in technologies that enable you to quickly determine how something was allowed to happen (root cause), and then easily turn those patterns into new detection alerts. And, most importantly, fix the root cause so you’re better protected the next time around. Effective security process is a virtuous cycle.
True prevention should begin by differentiating between (1) what’s trusted and (2) “everything else.” You then treat those two categories differently. Unfortunately, most security products do the exact opposite—assume everything is trusted unless it looks bad. But the “bad” is always morphing, and unless it’s at the county fair, it’s really no fun playing Whac-A-Mole.
Disconnect No. 2: Alert Fatigue
Seemingly, every day a new vendor pops up with the promise of increased detection, yet most organizations already have alert fatigue from their existing security stack.
Invest in solutions that lower the number of alerts requiring action by empowering you to quickly invalidate false alarms, and that reduce the amount of time it takes to respond to legitimate concerns. Otherwise, additional detection is merely piling on to the existing backlog, making it even easier to miss the signal among the noise.
Collect and correlate information from at least two different vantage points, e.g., the network perimeter and the host itself, in order to get a 360-degree view of activity as well as independent confirmation from multiple sources. Avoid over-investing in detection and under-investing in response.
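As an added illustration of two points made above, hash-based indicators versus relationships among events (Disconnect No. 1) and correlating the host and the network perimeter as independent vantage points (this section), here is example code that is not part of the original column. Every event, hash, process name and address in it is constructed for the illustration, and the rule logic is a simplified stand-in for what a real detection engine would do.

```python
import hashlib

# Constructed static indicator: the SHA-256 of "yesterday's" dropper build (hypothetical bytes).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"dropper build 1").hexdigest()}
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE"}

# Constructed host telemetry (process-creation events). The dropper was re-encoded
# ("build 2"), so its hash no longer matches the static indicator above.
HOST_EVENTS = [
    {"host": "ws-17", "pid": 410, "ppid": 200, "image": "WINWORD.EXE",
     "sha256": hashlib.sha256(b"office binary").hexdigest(), "t": 100},
    {"host": "ws-17", "pid": 512, "ppid": 410, "image": "update.exe",
     "sha256": hashlib.sha256(b"dropper build 2").hexdigest(), "t": 101},
]
# Constructed perimeter telemetry (outbound connections): the second vantage point.
NET_EVENTS = [
    {"host": "ws-17", "pid": 512, "dst": "203.0.113.9", "dport": 443, "t": 103},
]


def static_ioc_hits(host_events):
    """Static detection: fires only on an exact hash match, so a re-encoded sample slips by."""
    return [e["image"] for e in host_events if e["sha256"] in KNOWN_BAD_SHA256]


def relationship_hits(host_events, net_events, window=30):
    """Relationship detection: an Office application spawns a child process that then
    opens an outbound connection within `window` seconds. The host view supplies the
    parent/child relationship; the perimeter view independently confirms the egress."""
    by_pid = {(e["host"], e["pid"]): e for e in host_events}
    hits = []
    for child in host_events:
        parent = by_pid.get((child["host"], child["ppid"]))
        if parent is None or parent["image"] not in OFFICE_APPS:
            continue
        for conn in net_events:
            same_proc = (conn["host"], conn["pid"]) == (child["host"], child["pid"])
            if same_proc and 0 <= conn["t"] - child["t"] <= window:
                hits.append((parent["image"], child["image"], conn["dst"]))
    return hits


if __name__ == "__main__":
    print("static IoC hits:", static_ioc_hits(HOST_EVENTS))  # [] : hash changed, indicator misses
    print("relationship hits:", relationship_hits(HOST_EVENTS, NET_EVENTS))
```

Changing the hash defeats the first function for free, while defeating the second requires the attacker to change how the malware is delivered and how it communicates.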
While traditional computer forensics still has a purpose, it is archaic for modern incident response. It no longer makes sense to go searching for a needle in a haystack, bit-by-bit, one cloned hard drive at a time.
Integration into your existing security stack is the key to connecting the dots and reducing time to resolution. Ensure that the security data collected is in your control (not sent up to a third-party black box in the cloud). Also ensure that the solutions you implement include a flexible API, so everything in your security stack works in concert, not as a collection of silos.
Disconnect No. 3: Attackers “Living Off the Land”
Most security solutions are only focused on finding and stopping “malware” from “outside attackers.” Yet, there is so much more to pay attention to.
This approach turns a blind eye to malicious actors that have already infiltrated your network and are now “living off the land,” using the very same software and credentials as your employees. Because this activity usually goes untracked and unnoticed, average dwell time is measured in months or years, and incidents are often discovered not by the organization itself but by an outside party.
Similarly, because they’re fixated on “intrusions,” most security solutions ignore insider or employee/contractor activity, despite it being a common threat vector. A simple example of this is only analyzing activity as it passes through network ingress and egress points, even though there are many obvious ways for files to reach a workstation or server without ever having traveled through the corporate perimeter.
Most security products only catalog events they think are suspicious or malicious. This is a binary proposition—the tool either stops and reports the execution, or it lets it run and doesn’t track it at all. There’s an old saying in security: “You don’t always know that something is interesting until after the fact.” That adage happens to be true. The black box flight recorder on an airplane doesn’t choose what data is important to collect and what data to ignore—it records everything, and so should your security tools.
Good security policies have an “acceptable use” clause that prohibits employees from running unauthorized (but otherwise benign) software such as remote access tools, cloud file sharing, FTP servers, peer-to-peer apps, non-standard browsers, and unsanctioned instant messaging programs. Yet without the technical controls to enforce the written policy, employees still do what they want, and operations has little power to stop them. Invest in security solutions that offer centralized control over what applications users are allowed to run, and visibility into what those applications are doing.
Disconnect No. 4: The Insufficiency of AV
And now for one final disconnect that doesn’t need much elaboration. Everyone acknowledges that antivirus is only effective against commodity “nuisance” malware and is insufficient against targeted attacks. Despite this, most companies still don’t have anything more advanced than antivirus on their desktops, laptops and servers. Therein lies the greatest disconnect of them all, but this will certainly change in the coming months and years.