By Rekha Shenoy, VP, Business and Corporate Development, Tripwire
Cybersecurity was front page news all through 2014 and we should expect that trend to continue in 2015 because the behavior of cybercriminals has fundamentally changed. A few years ago the majority of cyberattacks were based on viruses and malware designed to be deployed across a large number of potential victims. Today, cybercriminals are targeting specific companies. They look for weaknesses and identify various ways to gain access to targeted corporate networks. Once they are inside they expend significant resources on evading detection so they can maximize access to confidential data. This shift in tactics was a key factor in many of last years' "mega" data breaches including Target, JP Morgan, Michael's and Sony as well as many others.
The technical sophistication behind these attacks, and the criminals' ability to evade detection by traditional security tools, has left many companies under this impression that there is very little that can be done to protect their confidential data. This is just not so. Larger enterprises on the cutting edge of cybersecurity are building solutions that use machine learning and automation to radically reduce the time needed to detect and respond to a cyberattack in progress.
The Challenge to Detect
One of the key challenges associated with detecting an advanced cyberattack is that large organizations network infrastructures are naturally in a constant state of change. Every cyberattack leaves behind detectable changes but cybercriminals are able to hide in plain sight by disguising these changes as normal network activity.
Detecting anomalous change among hundreds of thousands of routine changes is a key to quickly identifying the changes that indicate a cyberattack in progress. This problem is rapidly becoming more difficult by orders of magnitude. The indicators of malicious change are constantly shifting, and the volume of normal change on enterprise networks is routinely very high, especially for large enterprises that have hundreds of thousands of mission critical systems and associated network devices. This makes detecting malicious changes laborious and time consuming. This detection problem can be particularly daunting if the problem-solving approach relies on applied human intelligence.
One of the key trends in cybersecurity defense is the development of a wide range of community and commercial threat intelligence feeds that make it possible to dynamically search for specific malicious changes, also called indicators of compromise, such as IPs associated with malicious attacks, malware file names and hashes and specific attack vectors. These services allow organizations to share information about current cyberattacks.
These feeds are a critical source of valuable information, but many organizations find them difficult to apply across the organization. It can be difficult to translate a list of data into actionable intelligence. To use this information effectively, organizations need to quickly determine if any of the devices on their networks show signs of infection for a constantly changing array of malware.
The good news is that there are many organizations that have found a way to apply threat intelligence in near real-time. This allows them correlating known external threat agents and their tactics with the specific malicious changes on critical systems resulting in the automated detection of specific cyberattacks. When this information is paired with the business context and detailed system state data, organizations can pin point remediation efforts focusing scarce resources on those systems that are most vulnerable to specific, active threats, effectively automating the process of detecting and thwarting cybercriminals in near real-time.
Applying threat intelligence in this way makes it possible for organizations to adapt to rapid changes in the cyberthreat landscape and scale their response up or down, depending on the unique requirements of their specific business. It also makes it possible to dynamically shift resources and defenses in response to attack patterns. This transformation of cybersecurity business process stands in sharp contrast to traditional approaches that attempt to apply equal security measures across the entire corporate network. The most common example of more traditional security approaches is the application of software patches. Most organizations wait for a vendor to release patches and then deploy them evenly across the enterprise.The emerging agile cybersecurity model by constantly adapting to the rapid changes in cyberthreats would prioritize the deployment of these patches to specific systems that are uniquely vulnerable to specific threats.
We should expect that cybercrime will continue to evolve and become more sophisticated. However, no matter how sophisticated as they get, they still will continue to leave at least one simple clue on critical systems either file or configuration changes. Cybercrime defenses simply need to use automation and dynamic intelligence to detect these changes and we can stop cybercriminals in their tracks.