5th April 2016 • James Para
Cyber-crime costs the global economy an estimated $445 billion a year.
Faced with an emerging “hacker industry” and operating in an increasingly complex digital economy, it’s unsurprising that organisations are gradually investing more in Cyber Threat Intelligence.
In 2015, Gartner Inc. identified adaptive security architecture as one of the top ten trends in strategic technology for 2016. With organisations in a continuous state of compromise, there is a widespread demand for comprehensive and effective protection from advanced attacks. Traditional Intrusion Detection/Prevention Systems (IDS/IPS) struggle to distinguish genuine events from non-events, lacking the context needed to enforce business-critical rules. As organisations continue to rely heavily on outdated, first-generation tools which lack the context required to react and adapt in real time, they remain in a state of “continuous compromise”.
Whilst threats continue to increase, the time between published vulnerabilities and exploit code releases is becoming shorter and shorter.
“25% of vulnerabilities had exploit code available within one day of release, and 31% had exploit code available within six days.”
Symantec Internet Threat Report, Volume XI
Concerning, but the real issues don’t stop with outsider attacks. The threats posed to organisations are compounded further when one considers the rise in insider attacks. According to 2015 data from user activity and behavior analysis specialist Spectorsoft,
“62% of security professionals saw a rise in insider attacks over the last 12 months.”
With enterprise networks often filled with point solutions and security controls, facilitating the integration and correlation between controls is vital. As enterprise networks continue to grow in size all the time, generic intelligence based on aggregated source feeds is no longer an effective defence.
Combining IDS/IPS correlation engines with passive monitoring techniques results in more comprehensive, targeted intelligence.
Companies need to focus on moving past NBAD (Network Behaviour Anomaly Detection) and embrace an evolved perspective on understanding behaviours – NBA (Network Behaviour Analysis). With an established, comprehensive network baseline, organisations can monitor their networks for deviations from it, keeping a close eye on traffic flow issues and data, network performance data and passive traffic analysis.
When organisations begin to monitor which systems are communicating and where these communications are coming from or going to, alongside their network performance data – including Simple Network Management Protocol (SNMP) data and QoS – they are able to leverage this information for security purposes. Spikes in VoIP network traffic, for instance, may indicate malware or DoS attacks.
Combining this information with passive traffic allows organisations to monitor for anomalies, inspect layer traffic and observe unique application behaviours to pinpoint operating platforms and identify potential vulnerabilities. Within adaptive security infrastructures, less time is spent on ruling out false positives – after analysing passive traffic, threats are determined, impacted systems are scanned and then analysed in conjunction with vulnerability assessment data.
Put in its most basic framework, adaptive security works like this:
Trigger – something triggers the IPS alert
Analysis – targeted analysis checks the most recent results for the server which is under attack
Traffic – passive traffic indicates an anomaly, the server has attempted to communicate with unusual ports
Attack Identified – the additional information means it is easy to identify the attack e.g. a zero day attack from inside the network.
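The four steps above, worked through as a small correlation routine. This is an added example, not code from the original post or from any product it mentions; the IPS alert, scan findings and passive flow records are constructed sample data, and the verdict thresholds are an assumption chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data: an IPS alert, the latest vulnerability scan
# results and passive flow records. None of it comes from a real network.
IPS_ALERT = {"host": "10.0.5.20", "port": 443, "signature": "web exploit attempt"}

# Most recent scan findings per host, keyed by the service port.
VULN_SCAN = {"10.0.5.20": {443: ["outdated TLS library"], 22: []}}

# Passive flow records (src_host, dst_port) from the baseline learning window
# and from the window around the alert.
BASELINE_FLOWS = [("10.0.5.20", 443), ("10.0.5.20", 443), ("10.0.5.20", 22)]
RECENT_FLOWS = [("10.0.5.20", 443), ("10.0.5.20", 4444), ("10.0.5.20", 4444)]


def build_baseline(flows):
    """Learn which destination ports each host normally talks to (the NBA baseline)."""
    baseline = defaultdict(set)
    for host, port in flows:
        baseline[host].add(port)
    return baseline


def unusual_ports(host, flows, baseline):
    """Traffic step: ports the host used recently that are absent from its baseline."""
    known = baseline.get(host, set())
    return {port for h, port in flows if h == host and port not in known}


def triage(alert, vuln_scan, baseline, recent_flows):
    """Trigger -> Analysis -> Traffic -> Attack Identified, for one IPS alert."""
    host, port = alert["host"], alert["port"]
    # Analysis: does the latest scan show the attacked service as vulnerable?
    findings = vuln_scan.get(host, {}).get(port, [])
    # Traffic: has the server started talking on ports outside its baseline?
    new_ports = unusual_ports(host, recent_flows, baseline)
    # Attack Identified: combine both sources into a verdict (assumed thresholds).
    if findings and new_ports:
        verdict = "confirmed: vulnerable service and anomalous traffic"
    elif findings or new_ports:
        verdict = "suspicious: needs analyst review"
    else:
        verdict = "probable false positive"
    return {"host": host, "findings": findings,
            "unusual_ports": sorted(new_ports), "verdict": verdict}


if __name__ == "__main__":
    print(triage(IPS_ALERT, VULN_SCAN, build_baseline(BASELINE_FLOWS), RECENT_FLOWS))
```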
Once an adaptive infrastructure is set up, responses to security threats can become more pre-emptive. Through automated improvements, systems can begin to dynamically reduce operational overhead – responding to changing networks and threats to continuously tune tools and systems.
The main aim here is to develop an infrastructure which not only recognises and identifies threats based on context and traffic analysis, but does so in conjunction with vulnerability assessments in order to provide a real-time picture of both attacks and their predicted impact.
Through integrating and forwarding threat intelligence in machine-readable formats, enterprises are able to absorb and handle intelligence in large volumes. This enables them to redeploy scarce resources and limit their attack surface. Managing and monitoring incidents from a single console is a huge advantage for threat management infrastructures, and helps to ease administrative burdens.
As enterprise architecture continues to evolve, adaptive security is fast becoming essential – not just desirable. Whilst the risks continue to grow, the ways in which organisations elect to manage their intrusion systems will continue to play a bigger and bigger part in their ongoing security.
Explained much more in depth here: https://www.sans.org/reading-room/whitepapers/analyst/real-time-adaptive-security-34740
For more content like the above, as well as tech based industry news, views and jobs, please follow the Thatcher MCS company page.