Hackers are no longer focused on what was traditionally deemed to be their destination – the perimeter of the enterprise. They’re now focused on the journey itself, leveraging an array of attack vectors, taking endless form-factors, launching attacks over time, and cleverly hiding the leakage of data.
The reason that many of them are successful, is that most security tools today focus on prevention only – controlling access, detecting, and blocking, all at the point of entry. Typically, incoming files will be scanned only once, at an initial point in time, to determine if they’re malicious.
In order to detect advanced threats, and breach activity, more effectively, security methods can’t just focus on detection and prevention but, must also include the ability to mitigate the impact once an attacker has got inside. Organisations need to look at their security model holistically and gain continuous protection and visibility along the entire journey – from point of entry, through propagation, and post-infection remediation.
To do this, we need a security model that combines a big data architecture with a continuous capability. Only then, can we overcome the limitations of traditional point-in-time detection and response technologies.
In this model, network and process-level telemetry data is continuously collected across all sources, while it is happening, so it is always up-to-date, when it is needed. Analysis is layered to work in concert, eliminating impact to control points and delivering advanced levels of detection over an extended period of time. And, analysis is more than just event enumeration and correlation; it also involves weaving telemetry data together, for greater insights into what is happening across the environment. Tapping into a broader community of users, global intelligence is continuously updated and shared immediately, and correlated with local data, for even more informed decision-making.
A continuous approach, together with big data analytics, enables transformative innovation in the battle against advanced threats. For example:
1. Detection that moves beyond point-in-time. A continuous approach enables detection to become more effective, efficient, and pervasive. Behavioural detection methods, like sandboxing, serve as inputs for continuous analysis and correlation. Activity is captured, as it unfolds, and intelligence is shared across detection engines and control points.
2. Monitoring that enables attack chain weaving. Retrospection, the ability to go back in time to monitor files, process, and communication against the latest intelligence, and then weave that information together to create a lineage of activity, provides unprecedented insights into an attack as it happens.
3. Automated, advanced analytics that look at behaviours over time. Combining big data analytics and continuous capabilities to identify patterns and Indicators of Compromises (IoCs) as they emerge, enables security teams to focus their efforts on the threats that matter most.
4. Investigations that are more targeted, fast and effective. Transforming investigation into a focused hunt for threats, based on actual events and IoCs, gives security teams a fast and effective way to understand and scope attacks.
5. Containment that is swift. With the level of visibility the continuous approach provides, security teams can identify specific root-causes and shut down all points of compromise and infection gateways simultaneously, to prevent lateral movement of an attacker and, ultimately, break the attack chain.
In this model, detection and response are no longer separate disciplines or processes but, an extension of the same objective: to stop advanced threats. Going beyond traditional point-in-time methodologies, detection and response capabilities are continuous and integrated. It’s what’s required for advanced threat detection and response that’s focused on the journey, not just the destination.
Sean Newman, Security Strategist, Sourcefire, now part of Cisco