Today, the typical method of approaching IT security is based on the assumption that an attacker will break into a network by exploiting a software vulnerability, either at the application or operating system level.
Traditional host and network-based intrusion detection and prevention systems are deployed to detect the exploitation of these vulnerabilities, with a heavy reliance on digital signatures.
The vulnerability-centric approach looks almost exclusively at ingress (inbound) network traffic and pays little attention to egress (outbound) and lateral movement (internal) network traffic.
The vulnerability-centric view of threats is universal, i.e. everyone is attacked with the same exploits. Further, attacks are analyzed in a vacuum relying very little on threat intelligence and human analysis. Much of the post-detection automation is log management oriented, with little to no correlation of data from various sources (event logs, application logs, syslog, etc.).
While this approach has been successful in the past and is the model for today’s compliance standards (e.g. PCI), it falls far short of reducing the risk of exploitation by today’s threat actors. We know that prevention alone will eventually fail, as threat actors will persistently use different tools, tactics and procedures to execute attacks.
Even if an organization has the best tools for detection and prevention, a motivated attacker will eventually find a way into its network, either via social engineering techniques and/or a zero-day exploit for which no detection signature exists.
Once an organization accepts that it will eventually be compromised, however, it can shift resources away from purely preventative measures to a more threat-centric approach, which includes a balanced focus on collection, detection, and analysis.
The threat-centric approach will entail performing both cost and risk analysis to determine whether to attempt in-house security or hire outside experts.
Collection includes defining where the greatest risk exists in a particular organization, identifying threats to the organization's goals, identifying relevant data sources and refining techniques for the collection of data.
In the traditional vulnerability-centric approach, this collection is typically done in an unfocused manner and not tied to detection goals. The tendency has been to overcompensate and collect too much data, which makes it more difficult to go back and review for indicators of attack (IoA) or indicators of compromise (IoC).
Detection techniques must be threat-centric as well. At the host level, this means looking for changes in operating system behavior: process creation, network activity, registry access, and creation, deletion or renaming of critical files, supplemented by memory analysis.
At the network level, that means looking at both egress traffic and traffic between computers. Changes or deviations from normal traffic should be cause for investigation. Simply collecting data from all sources and storing them in a central repository is no longer enough.
Analytics must correlate data from these various sources to glean information on indicators of attack or compromise. Security Information and Event Management (SIEM) applications will utilize this host and network data to do detection, based upon correlated events.
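As an added example (not code from the original post or from Rackspace), the following correlates constructed host process-creation events with constructed network flow records in the way the detection paragraphs describe: a host-level behavior change (a document reader spawning a shell) followed within a short window by abnormal egress or internal traffic from the same host is raised as one indicator of attack. The baseline figures, hostnames and deviation factor are assumptions chosen for the sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample host process-creation events (Sysmon-style, simplified).
HOST_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "ws-17", "proc": "outlook.exe", "parent": "explorer.exe"},
    {"ts": "2024-01-10T09:01:12", "host": "ws-17", "proc": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2024-01-10T09:03:40", "host": "ws-22", "proc": "robocopy.exe", "parent": "cmd.exe"},
]
# Constructed sample network flow records from the same hosts (egress and internal).
FLOWS = [
    {"ts": "2024-01-10T09:01:30", "src": "ws-17", "dst": "203.0.113.9", "dport": 443, "bytes": 48_000_000, "internal": False},
    {"ts": "2024-01-10T09:01:45", "src": "ws-17", "dst": "fs-01", "dport": 445, "bytes": 2_000, "internal": True},
    {"ts": "2024-01-10T09:04:00", "src": "ws-22", "dst": "fs-01", "dport": 445, "bytes": 900_000, "internal": True},
]
# Assumed per-host baseline of normal egress bytes per hour (constructed values).
BASELINE_EGRESS = {"ws-17": 1_500_000, "ws-22": 800_000}
DEVIATION_FACTOR = 10          # egress this many times above baseline is a deviation
WINDOW = timedelta(minutes=5)  # how soon after the host event a flow still correlates
# A document reader spawning a shell is the host-level behavior change we look for.
DOC_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def suspicious_process(ev):
    return ev["parent"] in DOC_PARENTS and ev["proc"] in SHELLS

def abnormal_egress(flow):
    """Outbound flow whose volume deviates from the source host's baseline."""
    base = BASELINE_EGRESS.get(flow["src"], 0)
    return not flow["internal"] and flow["bytes"] > base * DEVIATION_FACTOR

def correlate(host_events, flows, window=WINDOW):
    """Return one IoA record per (suspicious process, follow-on flow) pair where the
    flow leaves the same host within `window` and is abnormal egress or internal traffic."""
    flows_by_host = defaultdict(list)
    for f in flows:
        flows_by_host[f["src"]].append(f)
    alerts = []
    for ev in host_events:
        if not suspicious_process(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        for f in flows_by_host[ev["host"]]:
            dt = datetime.fromisoformat(f["ts"]) - t0
            if not (timedelta(0) <= dt <= window):
                continue
            if abnormal_egress(f) or f["internal"]:
                kind = "lateral" if f["internal"] else "egress"
                alerts.append({"host": ev["host"], "proc": ev["proc"], "parent": ev["parent"],
                               "kind": kind, "dst": f["dst"], "dport": f["dport"]})
    return alerts
```

On the sample data, the robocopy job on ws-22 produces nothing on its own, while the shell spawned by winword.exe on ws-17 is tied to both the oversized egress flow and the SMB connection to fs-01 that follow it.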
Analysis occurs when a human interprets and investigates alert data. This involves gathering investigative data from other sources, researching open source intelligence related to the type of alerts generated by the detection mechanism and performing research related to any potentially compromised hosts.
Expertise in packet analysis, host and network forensics and malware analysis is crucial to this effort. This phase is typically the most time consuming, but it is essential to determining whether the analyzed event should be escalated and classified as an incident, at which point incident response measures can commence. The lessons learned from the detection and analysis phases help to further refine and improve the collection strategies of the organization.
Challenges to implementing the threat-centric approach
This threat-centric approach, while far more effective in reducing risk of data loss to the organization, is not without challenges, the two most notable being skills and cost.
This type of approach requires a dedicated 24x7x365 security operation center staffed by analysts with advanced security skills.
Expertise is also needed to formalize procedures for creating detection signatures based on other network events and threat intelligence research. This expertise also involves the ability to view various data sources manually for IoA and IoC rather than relying on automated detection tools.
Finding this mid-to-senior-level security expertise is not only challenging, it’s expensive. Factor in the tools needed to support a 24x7x365 security operations center and costs escalate even further.
The threat-centric approach is essential to combating today’s — and tomorrow’s — security threats. Organizations can no longer exclusively rely on vulnerability-centric techniques and will need to do a cost/risk analysis to determine how much or how little to spend on each.
In many cases, especially in cloud deployments, it may make more sense to outsource this work to a managed security services provider, which almost always has more human expertise, not to mention the ability to invest in the technology needed to complement the personnel and processes required to proactively detect threats.
Rackspace Managed Security offers a combination of best-of-breed security solutions inside a security operations center staffed with industry-leading experts who provide 24x7x365 active defense for customer security environments.
Visit us to find out more about how we can help you protect your business.