Formulating an attack-focused security plan

Read time 2min 10sec
Comments (0)
ITWeb Security Summit 2013

With expert insights, interactive workshops, valuable networking, sought-after SANS training, and practical solutions, the eighth annual ITWeb IT Security Summit is a must-attend event for every IT professional with a security mandate. Leading local and international experts will share the latest updates and analysis of trends, as well as offer practical advice on successful approaches to improved security and reduced breaches. For more information, click here.

Every network has vulnerabilities, but what matters most is what intruders are doing now, not what they could theoretically do. Therefore, businesses must find live intruders, contain and remediate them, and then address vulnerabilities.

These are the words of Richard Bejtlich, chief security officer at MANDIANT, who describes attack-focused security as another way of saying "threat-centric" security.

"You start by identifying how real intruders are already abusing your network. You don't start with 'vulnerability-centric' security, which focuses on finding vulnerabilities in the network."

Bejtlich will speak at ITWeb's 8th annual Security Summit, to be held from 7 to 9 May, at the Sandton Convention Centre.

His presentation, titled "Formulating an attack-focused security plan", will discuss how organisations can prioritise resources against the areas intruders are actively exploiting.

"No security program has sufficient resources to address all vulnerabilities. Vulnerability assessments find thousands of problems in live networks. Security teams can only address a fraction of those issues," he explains.

According to Bejtlich, the industry recognises that phishing, attacking applications on publicly facing servers, and guessing credentials or security questions are currently the most popular attack vectors.

"The disconnect comes from priorities being placed on various defensive measures. Many security problems centre on poor IT - asset management, configuration management, data management and suchlike. Too many organisations want to start 'pen testing' before they even know where their data sits."

To successfully formulate an attack-focused plan, Bejtlich recommends starting with an assessment to find live attackers on the network.

He advises that businesses use network, log and host-centric tools and processes, powered by reputable threat intelligence. Following this, containment and remediation measures should be devised and implemented.

"Once the intruder is disrupted, review how he managed to gain and maintain access, if that is what happened." He recommends thinking in terms of the cyber kill chain, or attack progression.

"Count and classify your intrusions per unit time, and measure the time elapsed from detection to containment," he says.

Finally, businesses should build a security program that focuses on driving down the number of incidents and the time required to deal with them.

For more information, and to register for the Security Summit, click here.

Login with
15 Aug
Be the first to comment
See also