Written by Dr Al Hartmann and presented by Charles Leaver, CEO, Ziften Technologies
A 5 Point Plan For A New Security Strategy Proposed By Amit Yoran
Amit Yoran, RSA President, delivered an exceptional keynote speech at the RSA Conference that reinforced the Ziften philosophy. Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility ™, risk-focused security analytics, and robust defenses for a new period of advanced cyber attacks. Yoran slammed current enterprise security techniques as bogged down in the Dark Ages of cyber moats and castle walls, calling them an “impressive fail”, and laid out his vision for the future in five key points. Each is summarized below with commentary from Ziften’s viewpoint.
Stop Believing That Even Advanced Protections Suffice
“No matter how high or smart the walls, focused adversaries will find methods over, under, around, and through.”
Many of the recent, more sophisticated attacks did not use malware as their main technique. Yoran criticized standard endpoint antivirus, firewalls and conventional IPS as examples of the Dark Ages, stating that experienced attackers easily scale these traditional defenses and that they are largely ineffective. A signature-based antivirus system can only protect against previously seen threats, yet unseen threats are the most dangerous to an organization (since they are typical of targeted attacks). Targeted attackers use malware only 50% of the time, and then perhaps only briefly, at the start of the attack. The attack artifacts are easily altered and are never used again in targeted campaigns, so accumulating billions of short-lived indicators of compromise and malware signatures in huge antivirus signature databases is a pointless defensive technique.
Embrace a Deep and Prevalent Level of Real Visibility Everywhere – from the Endpoint to the Cloud
“We require pervasive and true visibility into our business environments. You merely cannot do security today without the visibility of both constant complete packet capture and endpoint compromise evaluation visibility.”
This means continuous endpoint monitoring across the entire enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reflect timeless methods rather than fleeting hex-string coincidences. Any company already performing continuous full packet capture (relatively expensive) can easily afford endpoint threat assessment visibility (relatively inexpensive). Logging and auditing endpoint process activity supplies a wealth of security insight using only elementary analytics methods. A targeted attacker counts on the relative opacity of endpoint user and system activity to cloak and hide the attack; real visibility shines a bright light on it.
Identity and Authentication Matter More than Ever
“In a world with no border and with less security anchor points, identity and authentication matter even more … At some point in [any effective attack] campaign, the abuse of identity is a stepping stone the opponents use to enforce their will.”
Stronger authentication is fine, but it only builds higher walls that are still not impenetrable. What the attacker does after getting over the wall is what matters most. Track user endpoint logins (both local and remote) and application usage for signs of abnormal user activity (an insider attack or potentially compromised credentials). Any observed activity that differs from normal patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulate several departures from normality focus security attention on the highest-risk abnormalities for triage.
External Threat Intelligence Is A Core Capability
“There are incredible sources for the ideal threat intelligence … [which] must be machine-readable and automated for increased speed and leverage. It must be operationalized into your security program and tailored to your organization’s assets and interests so that analysts can quickly resolve the risks that pose the most risk.”
Targeted attacks typically do not reuse readily signatured artifacts or recycle network addresses and C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from millions of endpoint and network threat sensors. At Ziften we incorporate third-party threat feeds via the Ziften Knowledge Cloud, and we expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure through our Open Visibility ™ architecture. As more machine-readable threat intelligence (MRTI) feeds evolve, this capability will grow accordingly.
Understand What Matters Most to Your Company and What Is Mission Critical
“You need to comprehend what matters to your organization and what is mission critical. You need to … defend exactly what’s important and protect it with everything you have.”
This makes the case for risk-driven analytics and instrumentation that focus security attention and action on the areas of highest business risk exposure. Yoran argues that asset value prioritization is only one side of business risk analysis, and that the analysis goes much deeper, both pragmatically and academically. Security analytics that direct security staff attention to the most prominent dynamic risks (for instance by filtering, correlating and scoring SIEM alert streams for security triage) must be well grounded in all sides of enterprise risk analysis.
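The triangulation of several departures from normal login and process activity argued for above, weighted by asset value as this section recommends, as an added example that is not Ziften's code or part of the original post; every user, host, baseline, asset value and event below is constructed sample data:

```python
from collections import defaultdict

# Constructed per-user baselines: usual hosts, usual login hours, usual programs.
BASELINE = {
    "alice": {"hosts": {"ws-alice"}, "hours": range(8, 19),
              "procs": {"outlook.exe", "excel.exe"}},
    "svc-backup": {"hosts": {"srv-backup"}, "hours": range(0, 24),
                   "procs": {"backup.exe"}},
}
# Constructed asset criticality: 1 = commodity workstation, 5 = mission critical.
ASSET_VALUE = {"ws-alice": 1, "srv-backup": 3, "srv-finance-db": 5}

# Constructed endpoint events: (user, host, hour of day, kind, detail).
EVENTS = [
    ("alice", "ws-alice", 10, "login", "local"),
    ("alice", "ws-alice", 11, "proc", "excel.exe"),
    ("alice", "ws-alice", 20, "login", "local"),           # one departure only
    ("alice", "srv-finance-db", 2, "login", "remote"),     # several at once
    ("alice", "srv-finance-db", 2, "proc", "powershell.exe"),
    ("svc-backup", "srv-backup", 3, "proc", "backup.exe"),
]

def departures(user, host, hour, kind, detail):
    """List the baseline departures a single event exhibits (empty if normal)."""
    base = BASELINE.get(user)
    if base is None:
        return ["unknown-user"]
    found = []
    if host not in base["hosts"]:
        found.append("unfamiliar-host")
    if hour not in base["hours"]:
        found.append("off-hours")
    if kind == "login" and detail == "remote":
        found.append("remote-login")
    if kind == "proc" and detail not in base["procs"]:
        found.append("unfamiliar-process")
    return found

def triage(events):
    """Triangulate departures per (user, host) and weight them by asset value."""
    # One departure scores low; several distinct departures on the same
    # user/host pair grow the score super-linearly (squared) before weighting.
    seen = defaultdict(set)
    for user, host, hour, kind, detail in events:
        seen[(user, host)].update(departures(user, host, hour, kind, detail))
    ranked = [{"user": u, "host": h, "departures": sorted(d),
               "score": len(d) ** 2 * ASSET_VALUE.get(h, 1)}
              for (u, h), d in seen.items() if d]
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

The single off-hours login on the workstation scores 1 and sits at the bottom of the queue, while the four concurrent departures on the finance database score 80 and rise to the top.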
At Ziften we applaud Amit Yoran’s messages in his RSA 2015 keynote address as the cyber security market evolves beyond the current Dark Ages of easy targeted attacks and routine exploitation.