Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften Technologies
A 5 Point Plan For A New Security Approach Proposed By Amit Yoran
Amit Yoran, RSA President, gave an excellent keynote speech at the RSA Conference that reinforced the Ziften philosophy. Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility™, risk-focused security analytics, and robust defenses in a new era of sophisticated cyber attacks. Yoran criticized present company security techniques as mired in the Dark Ages of cyber moats and castle walls, described them as an “epic fail”, and detailed his vision for the way forward in 5 bottom lines; commentary from Ziften’s viewpoint has been added.
Stop Believing That Even Advanced Protections Suffice
“No matter how high or smart the walls, focused enemies will discover methods over, under, around, and through.”
Many of the recent, more sophisticated attacks did not use malware as their primary strategy. Conventional endpoint antivirus, firewall software and standard IPS were criticized by Yoran as examples of the Dark Ages. He stated that these legacy defenses could be easily scaled by experienced attackers and that they were mostly inadequate. A signature-based antivirus system can only protect against previously seen threats, but unseen threats are the most dangerous to a company (since they are the most common in targeted attacks). Targeted attackers make use of malware only 50% of the time, perhaps only briefly, at the start of the attack. The attack artifacts are readily altered and not reused in targeted attacks. The accumulation of short-lived indicators of compromise and malware signatures, in the billions, in huge antivirus signature databases is a meaningless defensive approach.
Embrace a Deep and Prevalent Level of Real Visibility All over – from the Endpoint to the Cloud
“We need pervasive and true visibility into our business environments. You merely cannot do security today without the visibility of both constant complete packet capture and endpoint compromise evaluation visibility.”
This means continuous endpoint monitoring across the business endpoint population for generic indicators of compromise (not stale attack artifacts) that reveal classic techniques, not short-lived hex-string happenstance. And any organization carrying out continuous full packet capture (comparatively costly) can easily afford endpoint threat assessment visibility (relatively low-cost). The logging and auditing of endpoint process activity supplies a wealth of security insight using only basic analytics techniques. A targeted attacker counts on the relative opacity of endpoint user and system activity to mask and hide the attack, while real visibility shines a bright light on it.
Identity and Authentication Matter More than Ever
“In a world with no boundary and with fewer security anchor points, identity and authentication matter more than ever … At some point in [any successful attack] campaign, the abuse of identity is a stepping stone the attackers use to enforce their will.”
Stronger authentication is fine, but it only builds higher walls that are still not impenetrable. What the attacker does once over the wall is what matters most. Track user endpoint logins (both local and remote) and application usage for signs of irregular user activity (insider attack or potentially compromised credentials). Any observed activity that varies from regular patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulates numerous departures from normality focuses security attention on the highest-risk anomalies for triage.
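As an added illustration of that last point (example code written for this commentary, not Ziften's product and not anything from Yoran's keynote), the following Python scores constructed login events against a per-user baseline and escalates only those with two or more simultaneous deviations; the baseline, events and the three deviation rules are all assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed per-user baseline: hosts and source networks seen during a
# normal review window, and the [start, end) hour range of usual logins.
BASELINE = {
    "alice": {"hosts": {"ws-alice"}, "nets": {"10.1.0.0/16"}, "hours": (8, 18)},
    "bob": {"hosts": {"ws-bob", "build-01"}, "nets": {"10.1.0.0/16"}, "hours": (7, 19)},
}

# Constructed login events: (user, host, source IP, timestamp, logon type).
EVENTS = [
    ("alice", "ws-alice", "10.1.4.20", "2015-04-21T09:12:00", "local"),
    ("alice", "fin-srv-02", "10.1.4.20", "2015-04-21T09:40:00", "remote"),    # one deviation
    ("alice", "fin-srv-02", "203.0.113.9", "2015-04-22T03:05:00", "remote"),  # three deviations
    ("bob", "build-01", "10.1.7.3", "2015-04-21T22:30:00", "remote"),         # one deviation
]


def deviations(event, baseline):
    """Return the list of ways this login departs from the user's baseline."""
    user, host, src_ip, ts, _logon_type = event
    b = baseline[user]
    found = []
    if host not in b["hosts"]:
        found.append("new_host")
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(n) for n in b["nets"]):
        found.append("new_source_network")
    lo, hi = b["hours"]
    if not lo <= datetime.fromisoformat(ts).hour < hi:
        found.append("off_hours")
    return found


def triage(events, baseline, threshold=2):
    """Return (event, deviations) pairs with at least `threshold` deviations,
    most anomalous first. A single deviation is noted but not escalated."""
    scored = [(e, deviations(e, baseline)) for e in events]
    flagged = [(e, d) for e, d in scored if len(d) >= threshold]
    return sorted(flagged, key=lambda pair: len(pair[1]), reverse=True)


if __name__ == "__main__":
    for event, devs in triage(EVENTS, BASELINE):
        print(f"ESCALATE {event[0]}@{event[1]} from {event[2]} at {event[3]}: {devs}")
```

Only the 03:05 remote login from an unfamiliar network to a new host is escalated; the two single-deviation events are recorded for context but do not by themselves make a case.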
External Risk Intelligence Is A Core Capability
“There are amazing sources for the ideal risk intelligence … [which] ought to be machine-readable and automated for increased speed and leverage. It should be operationalized into your security program and tailored to your organization’s assets and interests so that analysts can quickly resolve the threats that pose the most risk.”
The majority of targeted attacks do not reuse readily signatured artifacts or recycle network addresses and C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from countless endpoint and network threat sensors. Here at Ziften we incorporate 3rd party threat feeds by means of the Ziften Knowledge Cloud, and expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure by means of our Open Visibility™ architecture. As more machine-readable threat intelligence (MRTI) feeds develop, this capability will grow accordingly.
Understand Exactly what Matters Most To Your Company And Exactly what Is Mission Critical
“You need to comprehend exactly what matters to your company and what is mission critical. You need to … defend what is essential and safeguard it with everything you have.”
This is the case for risk-driven analytics and instrumentation that focus security attention and action on the areas of greatest enterprise threat exposure. Yoran argues that asset value prioritization is only one side of enterprise risk analysis, which goes much deeper, both pragmatically and academically. Security analytics that focus security staff attention on the most prominent dynamic threats (for instance by filtering, correlating and scoring SIEM alert streams for security triage) need to be well-grounded in all sides of enterprise risk analysis.
At Ziften we applaud Amit Yoran’s messages in his RSA 2015 keynote address as the cyber security market progresses beyond the present Dark Ages of facile targeted attacks and entrenched exploitations.