Subscribe
  • Home
  • /
  • Security
  • /
  • Connecting the dots: reactionary, respond-to-alerts based security posture will not protect from advanced th...

Connecting the dots: reactionary, respond-to-alerts based security posture will not protect from advanced threats

Issued by icomm for Arbor Networks
Johannesburg, 24 Jun 2016

"The news is not good. The detection deficit is getting worse," says Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks. He is looking at stats in the 2016 Verizon Data Breach Investigation Report (DBIR) report, which shows - in a straight line - that the difference in length of time between detecting an advanced attack and the time to compromise continues to grow.

According to an Arbor paper: "Connecting the Dots in Enterprise Security", advanced threats target a specific company, are designed to bypass traditional controls, and comprise a planned and orchestrated set of attack activities. For the enterprise security professional, business as usual is no longer a viable option; a purely reactionary, respond-to-alerts based security posture will not protect you from advanced threats.

"You need to be able to detect and identify real threats by 'connecting the dots', that is, place indicators or alerts into a contextual chain of events over time," the paper points out and also acknowledges that this is easier said than done for a security team of any size.

Arbor highlights: "Connecting the component dots of stealthy, multi-stage attack campaigns is even more challenging given that larger, more complex distributed networks increase vulnerable attack surfaces and make comprehensive visibility harder. Even with better visibility, without a new approach managing the increasing volumes of alerts is unsustainable: the negative effects of alert fatigue and false positives are well documented. The time (and resources) it takes to investigate priority alerts and false positives will wear down the best security teams."

Hamman says there is a misconception in the market that to "connect the dots" requires large security teams. "The reality is initiating and nurturing a hunting mindset can simply start with refocusing the right staff, empowering new skill sets and better aligned processes. The goal is to redirect some resources and augment your layered defence with a proactive component, to build in more sleuthing capabilities in your staff and support them with the right processes," he says.

Finding today's advanced threats demands new approaches, continues the paper, and adding to your security posture a proactive puzzle-solving capability to help mitigate threats can be done in incremental steps. Some common steps the paper mentions include:

* Reduce the number of tier two to three analysts working on security events, and have one to two analysts focus solely on hunting for threats in areas of their network/business.
* Look to enable in-house hunting skill sets with selective training. Individuals and teams of all sizes are looking for both new and more effective models, where their day is more productive and they can make forward progress against advanced attacks.
* If you don't have one already, set up a cyber intelligence team. Start by aggregating alerts from law enforcement, vendors, Intelligence/IR firms, and so on. This alone will help shift the organisational focus from looking at potential indicators of compromise to indicators of attack.
* Look to set up new alert workflows and investigatory processes that include this intelligence passed to hunting-focused analysts. Change focus by creating a threat and risk-based view of assets within the network. For example for retailers: certain POS locations during Black Friday to Valentine's Day, or highlight "blind spots" where perimeter devices and end-user controls may be more limited, such as at subsidiary or remote locations.
* Consider outsourcing an SOC altogether, and retaining a set of tier three analysts with both core "responding" and hunting skills. If you outsource, be sure to retain a set of tier three analysts with both core "responding" and hunting skills to investigate critical issues/events passed from the SOC.

"Organisations of any size are perfectly capable of proactively connecting the dots. Arbor has seen how small teams, even a sole actor responsible for policing the activities of an outsourced NOC or SOC, can transform their organisation's approach to security. Threats are not partial to demographic, country or industry - you have to remain on high alert 24/7," adds Hamman.

Share

Arbor Networks

Arbor Networks, the security division of NETSCOUT, helps secure the world's largest enterprise and service provider networks from DDOS attacks and advanced threats. Arbor is the world's leading provider of DDOS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research. Arbor's advanced threat solutions deliver complete network visibility through a combination of packet capture and NetFlow technology, enabling the rapid detection and mitigation of malware and malicious insiders. Arbor also delivers market-leading analytics for dynamic incident response, historical analysis, visualisation and forensics. Arbor strives to be a "force multiplier", making network and security teams the experts. Its goal is to provide a richer picture into networks and more security context so customers can solve problems faster and reduce the risks to their business.

To learn more about Arbor products and services, please follow the company on Twitter @ArborNetworks. Arbor's research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.

Editorial contacts

Debbie Sielemann
icomm
(+27) 082 414 4633
debbie@pr.co.za
Chantel Hamman
Arbor Networks
(+27) 011 202 8400
ITchantel.hamman@nu.co.za