
Enterprise security: the protective power of patterns

How can businesses keep up with the fast-paced threat landscape?

The rapid pace of change in the enterprise threat landscape can mean that enterprise security teams are often left taking one step forward and two back when it comes to keeping up with the bad guys. Could a little pattern recognition help predict attacks and protect the network?

Pattern recognition as data protection

"Given the increasingly broad spectrum of attack vectors that enterprise security teams have to combat, it is inevitable that they will be breached several times every week with varying degrees of risk," says Gunter Ollmann, chief technology officer at IOActive.

Those are not the words with which anyone wants to start a piece about data security, yet when I spoke to Ollmann he charged straight in there. The 'breached several times every week' claim does rather depend upon how you define a breach and, as IT Pro reported recently, the majority of enterprises seem blissfully unaware of what the term security incident actually means. However, with the threat surface expanding all the time and the dynamic nature of the security landscape, I am inclined to agree with Ollmann when he states that it is a given that "despite increasing spend in perimeter and host-based defenses, malware will successfully breach enterprise defenses."


I also agree with him that the real focus of enterprise security is business continuity. Once you understand that, the specifics of any given threat, or even its vector for that matter, should become increasingly irrelevant to incident response teams. "There are a growing number of external service providers that specialize in threat tracking and attack attribution," Ollmann points out. In most cases, the data that these third parties analyse "will reveal a breach detection within an enterprise before the enterprise security team are aware of it," he says.

While that is reassuring to a certain extent, it does raise the issue of the elephant in the server room. Many people simply have no real understanding of what 'normal' is on their networks in the first place. More than 90 per cent of organisations lack the required levels of network visibility, according to Barrie Desmond from the Exclusive Networks Group. "[This] is why compromised systems are often undetected on average for over 400 days," he says.

Which is where the notion of pattern detection, or indicators of compromise, comes in. These can undoubtedly act as a vital clue to those enterprises that do regularly examine, and understand, their IT environment.

"By doing this," Desmond concludes, "it will either prevent a breach from eventually happening or stop it within its early stages."

Any vaguely competent attacker is not going to be using those off-the-shelf and therefore easily recognisable tools, at least not once they have got through the network door (be it front, back or side). Instead they will adopt the same resources as are used by the victim's own admin staff, so 'public indicators of compromise' are most useful in the initial detection stage of an attack.

"But breaches do not begin and end with a single host," Conrad Constantine, Research Team Engineer for AlienVault, reminds us. "Serious targeted breaches with actual human operators behind the attack will soon blend in and avoid the use of identifiably malicious software."
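As an added illustration of the argument above (example code, not part of the original article): a small Python detector run over constructed log lines, showing that public indicators of compromise catch only the initial stage of an intrusion, while a baseline of each user's 'normal' activity is what exposes an operator who has moved on to the victim's own admin tooling. Every indicator value, host name, user and log line is a constructed placeholder.

```python
# Added example (not from the article): IoC matching versus baseline deviation.
# Every indicator, host name and log line below is constructed for illustration.
IOC_DOMAINS = {"update-check.bad-example.test"}          # placeholder "public" IoC
IOC_HASHES = {"00000000000000000000000000000001"}        # placeholder file hash

# Constructed log format: time user source_host tool target file_hash
NORMAL_WEEK = """\
mon-09:01 alice ws-12 browser intranet.corp.test -
mon-09:02 bob ws-07 browser intranet.corp.test -
mon-10:15 bob ws-07 outlook mail.corp.test -
mon-11:00 admin1 jump-01 psexec srv-02 -
tue-14:00 admin1 jump-01 wmic srv-03 -
"""
TODAY = """\
fri-09:00 alice ws-12 browser intranet.corp.test -
fri-09:04 bob ws-07 dropper.exe update-check.bad-example.test 00000000000000000000000000000001
fri-09:40 bob ws-07 psexec srv-02 -
fri-09:41 bob ws-07 wmic srv-03 -
fri-10:00 admin1 jump-01 psexec srv-02 -
"""

def parse(log_text):
    """Split constructed log lines into event dicts."""
    keys = ("ts", "user", "host", "tool", "target", "hash")
    return [dict(zip(keys, line.split())) for line in log_text.strip().splitlines()]

def ioc_hits(events):
    """Stage-one detection: events touching a known-bad domain or file hash.
    Only the initial dropper line matches; the later activity uses no malware."""
    return [e for e in events if e["target"] in IOC_DOMAINS or e["hash"] in IOC_HASHES]

def build_baseline(events):
    """Learn 'normal': which tools each user runs, and from which hosts."""
    baseline = {}
    for e in events:
        entry = baseline.setdefault(e["user"], {"tools": set(), "hosts": set()})
        entry["tools"].add(e["tool"])
        entry["hosts"].add(e["host"])
    return baseline

def baseline_anomalies(events, baseline):
    """Flag events whose user, tool or source host is outside the baseline.
    The psexec/wmic runs from bob's workstation carry no IoC, but bob never
    uses those tools, so the blended-in operator still surfaces; admin1 does not."""
    flagged = []
    for e in events:
        known = baseline.get(e["user"])
        if known is None or e["tool"] not in known["tools"] or e["host"] not in known["hosts"]:
            flagged.append(e)
    return flagged
```

Run against the constructed data, `ioc_hits` flags only the 09:04 dropper event, whereas `baseline_anomalies` also flags the 09:40 and 09:41 admin-tool use from bob's workstation while leaving admin1's routine psexec alone.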
So don't expect miracles from the pattern detection approach. Yes, it's a useful addition to the enterprise security armoury and one weapon that no self-respecting security team should be without, but it's no silver bullet on its own. While I am warning not to get too carried away with the importance of patterns, I spoke with Catalin Cosoi, Chief Security Strategist at Bitdefender, who was at pains to point out that while it is important to react to indicators of compromise it is equally important not to overreact. "The appropriate response is almost never to batten down the hatches, curtail services to the bare minimum and hope the attacker goes away soon," Cosoi says, while admitting that precisely this can be called for in particular and special circumstances.

Instead, Cosoi suggests that when faced with "a pattern of exploratory attacks consistent with an APT (Advanced Persistent Attack) developing" for example "one might consider setting up a honeypot or honeynet and gathering some more data about attackers in this manner."