Part Two Of The Carbanak Case Study Reveals Why Continuous Monitoring Of Endpoints Is So Effective – Chuck Leaver

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Really Effective


Capturing and blocking malicious scripts before it has the ability to jeopardize an endpoint is great. However this technique is largely inadequate against cyber attacks that have actually been pre checked to avert this sort of method to security. The genuine issue is that these hidden attacks are conducted by skilled human hackers, while conventional defense of the endpoint is an automatic procedure by endpoint security systems that rely largely on standard anti-virus technology. The intelligence of human beings is more innovative and versatile than the intelligence of machines and will always be superior to automatic machine defenses. This highlights the findings of the Turing test, where automated defenses are trying to rise to the intellectual level of an experienced human hacker. At present, artificial intelligence and machine learning are not sophisticated enough to completely automate cyber defense, the human hacker is going to win, while those infiltrated are left counting their losses. We are not residing in a science fiction world where machines can out think people so you must not think that a security software suite will automatically take care of all your problems and avoid all attacks and data loss.

The only genuine way to prevent a resolute human hacker is with an undaunted human cyber protector. In order to engage your IT Security Operations Center (SOC) personnel to do this, they need to have full visibility of network and endpoint operations. This type of visibility will not be attained with standard endpoint anti-viruses solutions, instead they are designed to stay quiet unless implementing a capture and quarantining malware. This conventional approach renders the endpoints opaque to security workers, and the hackers utilize this endpoint opacity to conceal their attacks. This opacity extends backwards and forwards in time – your security personnel have no idea exactly what was running across your endpoint population previously, or at this moment, or what can be expected in the future. If persistent security personnel find hints that need a forensic look back to discover attacker traits, your anti-viruses suite will be not able to assist. It would not have actually acted at the time so no events will have been recorded.

On the other hand, continuous endpoint monitoring is constantly working – supplying real time visibility into endpoint operations, providing forensic look back’s to take action against brand-new proof of attacks that is emerging and discover indications earlier, and offering a baseline for regular patterns of operation so that it understands exactly what to anticipate and notify any irregularities in the future. Providing not only visibility, continuous endpoint monitoring provides informed visibility, with the application of behavioral analytics to detect operations that appear irregular. Irregularities will be continually analyzed and aggregated by the analytics and reported to SOC staff, through the organization’s security information event management (SIEM) network, and will flag the most worrying suspicious abnormalities for security workers attention and action. Continuous endpoint monitoring will magnify and scale human intelligence and not replace it. It is a bit like the old game on Sesame Street “One of these things is not like the other.”

A child can play this game. It is simple due to the fact that a lot of items (known as high prevalence) look like each other, but one or a small amount (known as low prevalence) are not the same and stand apart. These dissimilar actions taken by cyber criminals have actually been quite constant in hacking for decades. The Carbanak technical reports that noted the indicators of compromise ready examples of this and will be gone over below. When continuous endpoint monitoring security analytics are enacted and reveal these patterns, it is basic to acknowledge something suspicious or unusual. Cyber security personnel will be able to perform rapid triage on these abnormal patterns, and quickly figure out a yes/no/maybe reaction that will identify uncommon but known to be good activities from destructive activities or from activities that need additional tracking and more informative forensics examinations to validate.

There is no way that a hacker can pre test their attacks when this defense application remains in place. Continuous endpoint monitoring security has a non-deterministic risk analytics part (that informs suspect activity) as well as a non-deterministic human component (that performs alert triage). Depending on the existing activities, endpoint population mix and the experience of the cyber security personnel, developing attack activity may or may not be discovered. This is the nature of cyber warfare and there are no guarantees. But if your cyber security fighters are geared up with continuous endpoint monitoring analytics and visibility they will have an unjust advantage.

Leave a Reply

Your email address will not be published. Required fields are marked *