Page 8 - CDM Cyber Warnings February 2014
P. 8
State-sponsored hacking, hacktivists, spyware, ransomware and Security intelligence is not about detecting single-event
organized cybercrime are concerns that security professionals anomalies, but recognizing a series of suspicious events that may
are all too familiar with. Over the past several years, it has grown be low priority on their own, but when tied together corroborate
increasingly apparent that it�s no longer a question of if you will that a truly concerning event is taking place. Achieving security
be hacked, but when. intelligence involves the combination of three important
elements:
Whether it�s customer data, employee data, or intellectual
property, every organization is storing information that is at risk
of being stolen. And because of the sophistication and rapidly
evolving nature of today�s attacks, perimeter defenses are no
longer adequate to protect enterprise networks.
Firewalls, IDS/IPS, VPN, endpoint security, and other
specialized products are still required to block the drive-by
attacks against known exploits, but we need additional
technology to recognize when someone has slipped by these
defenses using unreported vulnerabilities or other methods. For
example, according to the 2012 Verizon Data Breach report,
more than 75 percent of network intrusions exploited weak or
stolen credentials. How would you be able to detect an attack
when the hacker is using a valid credential inside your network�
1) A rich set of forensic data. Security intelligence is derived
from analyzing the log and audit data not limited to just security
Three Key Elements of Security Intelligence
devices, but across a wide array of network devices, systems, and
Organizations are increasingly looking for technology that can
application data. And since log data is not representative of all
recognize activities indicative of compromised users or hosts.
activity in the networking environment, it is essential to include
Unfortunately, when it comes to detecting attacks that have
technology that independently monitors activities on a host,
evaded traditional perimeter and point security products, there
such as file access, modifications, and moves, as well as process
are no malicious code signatures or known exploits that expose
and server monitoring. An organization should also understand
the breach. True breach detection requires analytical techniques
their assets and assess where sensitive data is stored and critical
capable of recognizing anomalous behavior or activity tied to a
applications operate, using independent monitoring to clearly
compromise or breach.
understand activity taking place on these assets. Similarly
independent monitoring of network traffic provides details
The concept of anomaly detection is not new, but has had limited
regarding application usage not normally captured in flow
efficacy in the past by being too one dimensional and lacking
records or firewall and IPS events.
the ability to corroborate events. For example, a legacy system
could detect a user authenticating for the first time to a
2) Real-time analytical techniques. Since not all data is the
production server and identify it as an anomaly. However,
same, it is necessary to apply multiple types of analytical
without any additional context it is incapable of calculating the
techniques to all data to look for variations from statistical and
actual risk associated with the activity.
behavioral baselines, as well as anomalous behavior patterns
correlated across the data. This includes understanding the rate
This type of anomaly would typically be discarded by a security
of activities (on average, how many daily connections are created
analyst already inundated with too many similar low priority
to the web server� How many files do users typically access on
events. However, if the security analyst knew that not only had
a particular server�) through counts and histograms as well as
this user never accessed this system before, but had also
dynamic lists (what locations do people authenticate from on
authenticated to the VPN from a country never seen before, the
the VPN� What processes are running on production database
potential risk is escalated.
servers�). These activities need to be corroborated in real-time
to recognize when multiple anomalies, patterns, and correlations
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 8
