Detecting The Covert

Security Through Intelligence

By John Williams, Product Manager, Node4

The business has always had to protect its assets. Fifty years ago it would have been tall walls of bricks and mortar, maybe a little razor-wire and issuing identity cards to employees, possibly a friendly security attendant on the door.

Today the perimeters have blurred, the threat frontiers increased and the volume of localized criminals has expanded to include miscreants from any and every country in the world.

Of course this expansion is due to the rise of communications technology and the surge of eCommerce and the Internet, the borderless digital world, but it is still a shock to see a threat map from the IT security manufacturer, Fortinet, which shows, with regularity, live attacks from source to destination in such graphical detail.

This truly brings home the idea that we are a single global economy and borderless from an information security perspective. If it is not enough that the volume of perps has increased, the methods for ingress has also expanded exponentially. Not only are there the criminal groups we also have to take foreign governments and political hacktivists into account.

We are left with a fight in which we have no visibility of those bent against us and who use weapons and methodologies which are constantly changing and which we are generally ill-equipped to flex our defenses to meet their attacks.

It is no wonder that over 85% of companies have no idea that their IT environments have been breached until weeks or even months have passed. The cost of being breached is also increasing; a year-old study from the Ponemon Institute which analyzed the cost of data breaches in the UK concluded that £2.37 million is the average total cost of a data breach which was a 7% increase in cost over 2013 to 2014.

The average cost per lost or stolen record was £104 which was a 9% gain over previous years. Malicious or criminal attacks were primarily responsible for the root causes of these breaches accounting for 49% of breaches, 23% involved system glitches and business process failures and 28% were from human error or employee negligence.

TARGETS
You may be forgiven in assuming that many of the companies targeted by cybercriminals are either large corporate companies or companies with a business model which involves a high degree of eCommerce. This is not the case, in fact, SME businesses who have little eCommerce exposure are more likely to be targeted than larger corporate business. The reasons for this are simple and logical; smaller businesses do not have the associated larger budgets to spend on security technology or services and they also do not have the in-house expertise to manage and interpret the threats and methodologies criminals use to infiltrate business systems.

Smaller companies who service larger corporates are more likely to be targeted due to their association and interconnectivity. There is the classic example from 2013 of the American retailer Target who suffered one of the largest data breaches so far, (which is estimated to have cost the company $252 million), the breach emanating from one of the companies air conditioning providers who had network access to monitor HVCA activity on chillers.

This associated company was targeted as a result of the nature of their association with larger companies. The forensic analysis concluded that Target had been breached for over 12 months before any data was exfiltrated. One of the most telling judgments against the company was that Target failed to employ reasonable and appropriate security measures to protect personal information.

So what are “reasonable and appropriate security measures”? Companies generally put into place a series of important stock defenses in order to counter the “general” threat of hackers. These usually amount to; a firewall, email screening or filtering, web filtering, VPN technology for remote access, Anti-Virus/Malware for end-point protection.

Ecommerce organizations such as Target might deploy encryption for credit card information and some form of Intruder Detection System (IDS) and Intruder Protection System (IPS).

Some form of Data Leak Prevention (DLP) where files have a unique digital signature which is prevented from leaving the system it resides in. As we list the security systems needed here the growing questions are around the cost, management, maintenance, and sheer manpower to interpret and utilize these disparate systems.

THREATS
Security comes from intelligence and the divination of threats that are as yet unseen, which covertly remain undetected.

In February 2002 the United States Secretary of Defence, Donald Rumsfeld, famously said “Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know.

We also know there are known unknowns; that is to say, we know there are some things we do not know.

But there are also unknown unknowns – the ones we don’t know we don’t know.” Although Rumsfeld was heavily lampooned in the press and criticized at the time for the statement which was initially seen as being nonsense, careful analysis of the statement reveals that most scientific research and investigation is based on investigating the known unknowns.

KNOWN UNKNOWNS

• We filter our incoming traffic by looking for what we know about the unknown
• We look for signatures within virus content and malware and exclude them with our anti-virus systems.
• We search for keywords within the email and source addresses against a blacklist either globally or locally held.
• We can filter for spam, and other inappropriate material, again using whitelists and blacklists and also filter web content for employees based on departmental requirements and time allocation.
• We block ports on firewalls and open others for incoming or outgoing traffic.

However, underlying this thorough inspection is all the other traffic our systems have acknowledged as acceptable – that traffic is either conforming to the rules we have devised or that traffic falls out of the scope of our rules because we have set rules without all the permutations in place. These are the unknowns that we know are abroad and that in order to quantify them as a risk we need to identify them first.

The attack surface for many companies is expanding and entry points into the heart of the network becoming numerous. We have to approach security from a zero-trust perspective, treating user systems on the inside with equal skepticism to those on the outside. Network confidentiality, availability, and integrity have not been treated equally by IT managers.

SLA’s have traditionally been built around availability rather than confidentiality which needs to change. SLA’s should revolve around the data rather than the infrastructure. A recent Forrester report detailed that over 66% of data breaches are not identified by the organizations that are breached but by third-party companies.

Of course, we absolutely do need the anti-virus, firewalls, and content management systems; these form the foundations of our defense against the rising flood or targeted and drive-by incursions.

These defenses need to extend to the various end-points of the network, inside and out. It is not an impossible task to garner all the traffic on a network, what is tricky is to analyze the information and understand the risk each data packet poses.

Security Event and Incident Management (SEIM) technology is a large portion of the answer to this problem, but it is not a silver bullet. SEIM produces a vast amount of information about the way traffic behaves within the network and can indicate that systems are in the process of being compromised or at least the behavior is not best practice.

SEIM will also point out exposures on the systems and indicate the fixes needed to patch those vulnerabilities.

Two difficulties with SEIM are with the volume and format of the information, the vast amount of information generated by alerts can be overwhelming, it is akin to opening the floodgates for the first time and the torrent of raw information can be overwhelming.

Coupled with this flood is the format of information and the level of understanding needed to interpret the alert and follow through to investigate legitimacy.

Many SEIM solutions are implemented on the basis that from a pool of alerts customers have the scope and resources to perform daily analysis and follow up on the top alerts. This may be the case where large businesses have both budget and resource for in-house IT expertise but many SMEs do not. It is the SME size of organization which needs knowledge of the known unknowns.

Many companies see this type of analysis as a single instance but the reality is that security is a moving feast which requires constant revisiting.

These types of services need to be coupled with further detection and analysis such as penetration testing and external scanning. Intelligence from both sides of the firewall is required in order to fully understand the risks and mitigate against them.

CONCLUSION

• Security is better served when we can know the unknown – security through intelligence
• Treat all systems with zero trusts and focus on the data.
• There is a need to consistently test, review and repair as a regular cycle.
• Employee education

About The Author
John Williams is Product Manager (Security Services) at Node4 and has over 30 years’ experience in the IT and security industry. Prior to joining Node4 in 2014, John worked for Peapod, one of the leading security resellers in the UK.John’s original journalism and writing career merged into the Desktop Publishing phenomenon of the 1980s when he bought his first 8088 processor, Xerox’s Ventura Publisher application, and set up Desktop Editorial Design in Birmingham. This was the start of a winding road dealing with early networking technologies and understanding how to combat the first boot sector viruses on floppies.