IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
In-depth

Enterprise security: the protective power of patterns

How can businesses keep up with the fast paced threat landscape?

The rapid pace of change as far as the enterprise threat landscape is concerned, can mean that enterprise security teams are often left taking one step forward and two back when it comes to keeping up with the bad guys. Could a little bit of pattern recognition help predict attacks and protect the network?

Pattern recognition as data protection

"Given the increasingly broad spectrum of attack vectors that enterprise security teams have to combat, it is inevitable that they will be breached several times every week with varying degrees of risk," says Gunter Ollmann, chief technology officer at IOActive.

Those are not the words with which anyone wants to start a piece about data security, yet when I spoke Ollmann he charged straight in there. The 'breached several times every week' claim does rather depend upon how you define a breach and as IT Pro reported recently the majority of enterprises seem blissfully unaware of what the term security incident actually means. However, with the threat surface expanding all the time and the dynamic nature of the security landscape, I am inclined to agree with Ollman when he states that it is a given that "despite increasing spend in perimeter and host-based defenses, malware will successfully breach enterprise defenses."

I also happen to agree with him when he started talking about how the real focus of enterprise security is business continuity. Once you understand that then the specifics of any given threat, or even the vector for that matter, should become increasingly irrelevant to incident response teams. "There are a growing number of external service providers that specialize in threat tracking and attack attribution," Ollman points out. In most cases, the data that these third-parties analyse "will reveal a breach detection within an enterprise before the enterprise security team are aware of it," he says.

While that is reassuring to a certain extent, it does raise the issue of the elephant in the server room. Many people simply have no real understanding of what 'normal' is on their networks in the first place. More than 90 per cent of organisations lack required levels of network visibility, according to Barrie Desmond from the Exclusive Networks Group."[This] is why compromised systems are often undetected on average for over 400 days," he says.

Which is where the notion of pattern detection or indicators of compromise come in. These can undoubtedly act as a vital clue to those enterprises that do regularly examine, and understand, their IT environment.

"By doing this," Desmond concludes "it will either prevent a breach from eventually happening or stop it within its early stages."

Any vaguely competent attacker is not going to be using those off-the- shelf and therefore easily recognisable tools, at least not once they have got through the network door (be it front, back or side) though. Instead they will adopt the same resources as used by the victim's own admin staff, 'public indicators of compromise' are most useful in that initial detection of an attack stage.

"But breaches do not begin and end with a single host," Conrad Constantine, Research Team Engineer for AlienVault reminds us. "Serious targeted breaches with actual human operators behind the attack will soon blend in and avoid the use of identifiably malicious software."

So don't expect miracles from the pattern detection approach. Yes, it's a useful addition to the enterprise security armory and one weapon that no self-respecting security team should be without, it's no silver bullet on its own. While I am warning not to get too carried away with the importance of patterns, I spoke with the Chief Security Strategist at Bitdefender, Catalin Cosoi, who was at pains to point out that while it is important to react to indicators of compromise it is equally important not to overreact. "The appropriate response is almost never to batten down the hatches, curtail services to the bare minimum and hope the attacker goes away soon," Cosoi says, while admitting precisely this can be called for in particular and special circumstances.

Instead, Cosoi suggests, that when faced with "a pattern of exploratory attacks consistent with an APT (Advanced Persistent Attack) developing" for example "one might consider setting up a honeypot or honeynet and gathering some more data about attackers in this manner."

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
UK water supplier confirms hack by Cl0p ransomware gang
ransomware

UK water supplier confirms hack by Cl0p ransomware gang

16 Aug 2022