
Introducing Threat Operations: Thinking Differently

2017-02-13 04:50

Let’s start with a rhetorical question: Can you really ‘manage’ threats? Is that even a worthy goal? And how do you even define a threat? We have seen an improved description of how adversaries operate by considering attacks and threats as a campaign. That implies a set of interrelated attacks with a common mission, a better way to think about how you are being attacked. It is certainly more useful than the Whac-A-Mole approach: treating each attack as a unique and unconnected event; and defaulting to the traditional threat management cycle: Prevent (good luck!), Detect, Investigate, and Remediate.

That disconnected approach hasn’t worked very well. The industry continues to be locked into this negative feedback loop: you are attacked, you respond, you clean up the mess, and then you start all over again. You don’t learn much from the last attack, which condemns you to continue running on the hamster wheel day after day. Not that this inability to learn stems from lack of effort. Pretty much every practitioner we talk to wants better leverage and to learn from the attacks in the wild. But existing security controls and monitors don’t really support that level of learning – not easily, anyway.

But an inability to learn isn’t our only challenge. Current threat management largely ignores the actual risk posed by each attack. Without some understanding of what an attacker is trying to do, you cannot prioritize intelligently. For example, if you look at threats independently, an apparently advanced attack may take priority because it uses advanced techniques, implying a capable attacker. And we take capable attackers more seriously than simple phishing.

But that assumption may be a mistake – advanced attackers seek the path of least resistance to compromise your environment. So if a phishing message will do the trick, they’ll phish your folks. They won’t waste a zero-day when a simple email will suffice. On the other hand, you could be right that the phishing attempt is from a kid in a basement trying to steal milk money. There is no way to know without higher-level abstraction of attack activity, so most current prioritization is very hit-and-miss.

But we cannot afford hit-and-miss any more. The perpetual (and worsening) security skills gap means you must make better use of your limited resources. You cannot waste limited and valuable time on false positives – your folks need to be working on the endless list of real attacks, not wild goose chases. Additionally, you don’t have enough people to validate and triage all the alerts streaming out of your monitoring systems, so things get missed. A breach can piss off customers, and draw unwelcome attention from class-action lawyers and regulators.

We aren’t done yet. Ugh. Once you figure out which attacks to start with, current security/threat operational models to remediate tend to be highly manual and serial. It’s just another endless game of Mole Assault: you direct Operations to patch or reimage a machine and then wait for the next user to click similar malware and the next similarly compromised device. Lather, rinse, repeat. It’s no good.

We get tired of stating the obvious, but security hasn’t been effective enough for a long time. And with the increasing complexity of technology infrastructure and the high-profile nature of security breaches, the status quo is no longer acceptable, so something needs to change, quickly.

Thinking Differently

Everybody loves people who think differently. Until they challenge the way things are done and start agitating for massive change, upending the way things have always been done. As discussed above, in security we have reached a point where we need to start thinking differently, because we cannot keep pace with attackers or stem the flow of sensitive data being exfiltrated from organizations.

The movement toward cloud computing, succinctly described in our recent Tidal Forces series (1, 2, and 3), is already upending the apple cart because security is fundamentally different in the cloud. And if we could just do a flash cutover of all our systems onto well-architected cloud stacks a lot of these issues would go away. Not all but a lot.

Unfortunately we cannot. A massive amount of critical data still resides in corporate data centers, and will for the foreseeable future. So we need to keep two realities in mind for a while. First, classical reality: imperfect systems in existing data centers, where we leverage traditional security controls and monitors. Second, the new world of cloud computing, mobility, and DevOps: enabling scalable and secure architectures, with new governance and monitoring challenges.

It’s tough to be a security professional, and it’s getting harder. But senior management and your board of directors aren’t interested. You need to come up with answers. So our new “Introducing Threat Operations” series will address several issues which make dealing with attacks challenging:

  • Security data overload: We have plenty of security data. Many organizations are dealing with a flood of it, without tools or expertise to manage it. These same organizations are compounding the data overload problem by starting to integrate external threat intelligence.
  • Detecting advanced attackers and rapidly evolving attacks: But today’s security monitoring infrastructure is largely based on looking for attacks you have already seen. What happens when an attack is built specifically for you, or you want to hunt active threat actors in your environment? You need to better utilize internal security data and intelligently leverage threat intelligence to look for attacks you haven’t seen yet.
  • Lack of skilled resources: Unfortunately our industry cannot address the skills gap fast enough. We can and do focus on education, but new security practitioners require broad knowledge of technology and a lot of experience to become effective. So we need to make less experienced practitioners more effective, through smarter systems which guide them. We cannot replace security analysts, but we need to magnify their impact.
  • Responding and remediating at scale, and working with Operations: Finally, once you figure out what to fix, you face similar resource constraints with Operations. So you need to figure out how to intelligently orchestrate and automate response and remediation.

We are really talking about evolving how the industry deals with threats. It’s not really about managing threats anymore, but building an operational process to more effectively handle your adversaries’ campaigns. That requires leveraging security data through better analytics, magnifying the impact of your people by structuring and streamlining processes, and automating remediation of threats wherever possible. This series will map out what that looks like, and how you can get there – sooner, rather than later.

We’d like to thank Threat Quotient for agreeing to be the initial licensee of this content. As we repeat over and over, without the support of so many forward-thinking security companies we couldn’t do this research, and we certainly couldn’t provide it to you free.

Our next post will describe how to accelerate your humans, making your analysts and responders more effective and efficient.

- Mike Rothman


Source: www.securosis.com/blog/introducing-threat-operations-thinking-differently
