Enterprise security: the protective power of patterns

How can businesses keep up with the fast paced threat landscape?

The rapid pace of change as far as the enterprise threat landscape is concerned, can mean that enterprise security teams are often left taking one step forward and two back when it comes to keeping up with the bad guys. Could a little bit of pattern recognition help predict attacks and protect the network?

Advertisement - Article continues below

Pattern recognition as data protection

"Given the increasingly broad spectrum of attack vectors that enterprise security teams have to combat, it is inevitable that they will be breached several times every week with varying degrees of risk," says Gunter Ollmann, chief technology officer at IOActive.

Those are not the words with which anyone wants to start a piece about data security, yet when I spoke Ollmann he charged straight in there. The 'breached several times every week' claim does rather depend upon how you define a breach and as IT Pro reported recently the majority of enterprises seem blissfully unaware of what the term security incident actually means. However, with the threat surface expanding all the time and the dynamic nature of the security landscape, I am inclined to agree with Ollman when he states that it is a given that "despite increasing spend in perimeter and host-based defenses, malware will successfully breach enterprise defenses."

Advertisement - Article continues below
Advertisement - Article continues below

I also happen to agree with him when he started talking about how the real focus of enterprise security is business continuity. Once you understand that then the specifics of any given threat, or even the vector for that matter, should become increasingly irrelevant to incident response teams. "There are a growing number of external service providers that specialize in threat tracking and attack attribution," Ollman points out. In most cases, the data that these third-parties analyse "will reveal a breach detection within an enterprise before the enterprise security team are aware of it," he says.

While that is reassuring to a certain extent, it does raise the issue of the elephant in the server room. Many people simply have no real understanding of what 'normal' is on their networks in the first place. More than 90 per cent of organisations lack required levels of network visibility, according to Barrie Desmond from the Exclusive Networks Group."[This] is why compromised systems are often undetected on average for over 400 days," he says.
Advertisement - Article continues below
Which is where the notion of pattern detection or indicators of compromise come in. These can undoubtedly act as a vital clue to those enterprises that do regularly examine, and understand, their IT environment.
"By doing this," Desmond concludes "it will either prevent a breach from eventually happening or stop it within its early stages."
Any vaguely competent attacker is not going to be using those off-the- shelf and therefore easily recognisable tools, at least not once they have got through the network door (be it front, back or side) though. Instead they will adopt the same resources as used by the victim's own admin staff, 'public indicators of compromise' are most useful in that initial detection of an attack stage.
"But breaches do not begin and end with a single host," Conrad Constantine, Research Team Engineer for AlienVault reminds us. "Serious targeted breaches with actual human operators behind the attack will soon blend in and avoid the use of identifiably malicious software."
Advertisement - Article continues below
So don't expect miracles from the pattern detection approach. Yes, it's a useful addition to the enterprise security armory and one weapon that no self-respecting security team should be without, it's no silver bullet on its own. While I am warning not to get too carried away with the importance of patterns, I spoke with the Chief Security Strategist at Bitdefender, Catalin Cosoi, who was at pains to point out that while it is important to react to indicators of compromise it is equally important not to overreact. "The appropriate response is almost never to batten down the hatches, curtail services to the bare minimum and hope the attacker goes away soon," Cosoi says, while admitting precisely this can be called for in particular and special circumstances.
Instead, Cosoi suggests, that when faced with "a pattern of exploratory attacks consistent with an APT (Advanced Persistent Attack) developing" for example "one might consider setting up a honeypot or honeynet and gathering some more data about attackers in this manner."
Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now

Most Popular


How to find RAM speed, size and type

24 Jun 2020
data protection

EU institutions told to avoid Microsoft software after licence spat

3 Jul 2020
Mobile Phones

The Man has ruined my Huawei P40

3 Jul 2020