Written by Dr Al Hartmann and presented by Chuck Leaver, CEO, Ziften Technologies
A 5 Point Plan For A New Security Approach Proposed By Amit Yoran
Amit Yoran, President of RSA, delivered an exceptional keynote at the RSA Conference that reinforced the Ziften philosophy: Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility™, risk-focused security analytics, and supplying robust defenses in a new era of advanced cyber attacks. Yoran criticized existing enterprise security practice as bogged down in the Dark Ages of cyber moats and castle walls, calling it an “impressive fail”, and outlined his vision for the way forward in five main points. Commentary from Ziften’s viewpoint has been added to each.
Stop Believing That Even Advanced Protections Suffice
“No matter how high or wise the walls, focused adversaries will find methods over, under, around, and through.”
A great many of the most sophisticated attacks seen so far did not use malware as the primary strategy. Yoran singled out traditional endpoint antivirus, firewalls and traditional IPS as examples of the Dark Ages: skilled attackers scale these defenses quickly, and they are largely inadequate. A signature-based antivirus system can only protect against previously seen threats, yet unseen threats are the most dangerous to an organization (since they are the most common form of targeted attack). Targeted attackers use malware only 50% of the time, and perhaps only briefly at the start of the attack. Attack artifacts are easily altered and never reused in targeted attacks, so accumulating billions of transient indicators of compromise and malware signatures in huge antivirus signature databases is a meaningless defensive technique.
Embrace a Deep and Pervasive Level of True Visibility Everywhere – from the Endpoint to the Cloud
“We need pervasive and true visibility into our business environments. You just can’t do security today without the visibility of both continuous full packet capture and endpoint compromise assessment visibility.”
This means continuous endpoint monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reflect timeless attacker techniques rather than short-lived hex-string happenstance. And any organization implementing continuous full packet capture (comparatively costly) can easily afford endpoint compromise assessment visibility (comparatively affordable). Logging and auditing endpoint process activity supplies a wealth of security insight using only elementary analytics techniques. A targeted attacker relies on the relative opacity of endpoint user and system activity to mask and hide the attack, while real visibility shines a bright light on it.
Identity and Authentication Matter More than Ever
“In a world without any perimeter and with fewer security anchor points, identity and authentication matter even more … Eventually in [any successful attack] campaign, the abuse of identity is a stepping stone the attackers use to enforce their will.”
Using stronger authentication is good, but it only builds higher walls that are still not impenetrable. What the attacker does after getting over the wall is what matters most. Track user endpoint logins (both local and remote) and application usage for indicators of unusual user activity (an insider attack or potentially compromised credentials). Any observed activity that differs from normal patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulates several departures from normality concentrates security attention on the highest-risk anomalies for triage.
External Threat Intelligence Is A Core Capability
“There are incredible sources for the right threat intelligence … [which] should be machine-readable and automated for increased speed and leverage. It ought to be operationalized into your security program and tailored to your organization’s assets and interests so that analysts can quickly address the threats that pose the most risk.”
Most targeted attacks do not reuse readily signatured artifacts or recycle network addresses and C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from countless endpoint and network threat sensors. Here at Ziften we integrate third-party threat feeds through the Ziften Knowledge Cloud, and expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure via our Open Visibility™ architecture. As more machine-readable threat intelligence (MRTI) feeds mature, this capability will grow accordingly.
Understand What Matters Most To Your Organization And What Is Mission Critical
“You need to understand what matters to your organization and what is mission critical. You have to … safeguard exactly what is very important and safeguard it with everything you have.”
The same holds for risk-driven analytics and instrumentation that focus security attention and action on the areas of highest enterprise risk exposure. Yoran’s point is that asset-value prioritization is only one side of enterprise risk analysis, which goes much deeper, both pragmatically and academically. Security analytics that focus security staff attention on the most prominent dynamic risks (for instance by filtering, correlating and scoring SIEM alert streams for security triage) must be well grounded in all sides of enterprise risk analysis.
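The two ideas above, that one departure from a user’s normal login pattern does not make a case but several triangulated departures do (Identity and Authentication section), and that the resulting anomalies should be scored against what is mission critical before they reach triage (this section), can be shown in a small piece of analytics. The following is an added illustration, not code from the post or from Ziften; the login records, the per-user baseline fields, the asset criticality table and the scoring rule (departure count times criticality, with a minimum of two departures) are all constructed assumptions for the example.

```python
"""Triangulating login anomalies and weighting them by asset criticality.

Added example (not from the post or from Ziften). Every record, host name,
address and weight below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed endpoint login records: (timestamp, user, host, logon_type, source_ip).
# BASELINE_LOGINS is the historical window used to learn each user's normal pattern.
BASELINE_LOGINS = [
    ("2015-04-20T08:55:00", "alice", "ws-alice", "local", "10.0.1.5"),
    ("2015-04-20T13:10:00", "alice", "ws-alice", "local", "10.0.1.5"),
    ("2015-04-21T09:02:00", "alice", "ws-alice", "local", "10.0.1.5"),
    ("2015-04-20T09:15:00", "bob", "ws-bob", "local", "10.0.1.20"),
    ("2015-04-20T10:30:00", "bob", "jump-01", "remote", "10.0.1.20"),
    ("2015-04-21T09:20:00", "bob", "ws-bob", "local", "10.0.1.20"),
]

# NEW_LOGINS is the current window being evaluated against that baseline.
NEW_LOGINS = [
    ("2015-04-22T09:05:00", "alice", "ws-alice", "local", "10.0.1.5"),       # normal
    ("2015-04-22T19:30:00", "alice", "ws-alice", "local", "10.0.1.5"),       # one departure only
    ("2015-04-22T03:12:00", "alice", "fin-db-01", "remote", "198.51.100.7"), # four departures
    ("2015-04-22T22:00:00", "bob", "fin-db-01", "remote", "10.0.1.20"),      # two departures
    ("2015-04-22T10:45:00", "bob", "jump-01", "remote", "10.0.1.20"),        # normal
]

# Hypothetical "what is mission critical" rating per asset, 1 (low) to 5 (critical).
ASSET_CRITICALITY = {"fin-db-01": 5, "jump-01": 3, "ws-alice": 1, "ws-bob": 1}


def build_baseline(records):
    """Learn, per user, the hosts, hours, logon types and source addresses seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "types": set(), "src": set()})
    for ts, user, host, ltype, src in records:
        p = profile[user]
        p["hosts"].add(host)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["types"].add(ltype)
        p["src"].add(src)
    return profile


def departures(record, profile):
    """List every way a single login departs from the user's learned baseline."""
    ts, user, host, ltype, src = record
    p = profile.get(user)
    if p is None:
        return ["unknown_user"]
    found = []
    if host not in p["hosts"]:
        found.append("new_host")
    if datetime.fromisoformat(ts).hour not in p["hours"]:
        found.append("unusual_hour")
    if ltype not in p["types"]:
        found.append("new_logon_type")
    if src not in p["src"]:
        found.append("new_source")
    return found


def score(record, profile, min_departures=2):
    """Triangulate: a single departure is not a case and scores 0; two or more
    are scored by count and weighted by the criticality of the asset logged into."""
    found = departures(record, profile)
    if len(found) < min_departures:
        return 0, found
    host = record[2]
    return len(found) * ASSET_CRITICALITY.get(host, 1), found


def triage_queue(new_records, baseline_records):
    """Return (score, user, host, departures) for every scoring login, highest first."""
    profile = build_baseline(baseline_records)
    ranked = []
    for rec in new_records:
        s, found = score(rec, profile)
        if s > 0:
            ranked.append((s, rec[1], rec[2], found))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for s, user, host, found in triage_queue(NEW_LOGINS, BASELINE_LOGINS):
        print(f"score={s:3d}  user={user:6s}  host={host:10s}  departures={found}")
```

Of the five new logins, only two reach the queue: alice’s 03:12 remote login to the finance database from an unfamiliar address (four departures on a criticality-5 asset) ranks first, bob’s late-night first-ever login to the same database ranks second, and alice’s single after-hours login to her own workstation is recorded as one departure but never becomes a case. Thresholds, fields and weights would be tuned to the environment; the structure, several independent deviations combined and weighted by what the asset is worth, is the point.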
At Ziften we commend Amit Yoran’s messages in his RSA 2015 keynote address as the cyber security industry evolves beyond the existing Dark Ages of facile targeted attacks and entrenched exploitations.