Enterprise security: the protective power of patterns

How can businesses keep up with the fast paced threat landscape?

The rapid pace of change in the enterprise threat landscape can leave enterprise security teams taking one step forward and two back when it comes to keeping up with the bad guys. Could a little pattern recognition help predict attacks and protect the network?

Pattern recognition as data protection

"Given the increasingly broad spectrum of attack vectors that enterprise security teams have to combat, it is inevitable that they will be breached several times every week with varying degrees of risk," says Gunter Ollmann, chief technology officer at IOActive.

Those are not the words with which anyone wants to start a piece about data security, yet when I spoke to Ollmann he charged straight in there. The 'breached several times every week' claim does rather depend upon how you define a breach and, as IT Pro reported recently, the majority of enterprises seem blissfully unaware of what the term security incident actually means. However, with the threat surface expanding all the time and the dynamic nature of the security landscape, I am inclined to agree with Ollmann when he states that it is a given that "despite increasing spend in perimeter and host-based defenses, malware will successfully breach enterprise defenses."

I also agree with him on the point that the real focus of enterprise security is business continuity. Once you understand that, the specifics of any given threat, or even the vector for that matter, should become increasingly irrelevant to incident response teams. "There are a growing number of external service providers that specialize in threat tracking and attack attribution," Ollmann points out. In most cases, the data that these third parties analyse "will reveal a breach detection within an enterprise before the enterprise security team are aware of it," he says.

While that is reassuring to a certain extent, it does raise the issue of the elephant in the server room: many people simply have no real understanding of what 'normal' looks like on their networks in the first place. More than 90 per cent of organisations lack the required levels of network visibility, according to Barrie Desmond from the Exclusive Networks Group. "[This] is why compromised systems are often undetected on average for over 400 days," he says.

This is where the notion of pattern detection, or indicators of compromise, comes in. These can undoubtedly act as a vital clue for those enterprises that do regularly examine, and understand, their IT environment.

"By doing this," Desmond concludes, "it will either prevent a breach from eventually happening or stop it within its early stages."

Any vaguely competent attacker is not going to be using those off-the-shelf, and therefore easily recognisable, tools though, at least not once they have got through the network door (be it front, back or side). Instead they will adopt the same resources as used by the victim's own admin staff, so 'public indicators of compromise' are most useful in the initial stage of detecting an attack.

"But breaches do not begin and end with a single host," Conrad Constantine, Research Team Engineer for AlienVault reminds us. "Serious targeted breaches with actual human operators behind the attack will soon blend in and avoid the use of identifiably malicious software."

So don't expect miracles from the pattern detection approach. Yes, it's a useful addition to the enterprise security armoury and one weapon that no self-respecting security team should be without, but it's no silver bullet on its own. While I am warning against getting too carried away with the importance of patterns, the Chief Security Strategist at Bitdefender, Catalin Cosoi, was at pains to point out that while it is important to react to indicators of compromise, it is equally important not to overreact. "The appropriate response is almost never to batten down the hatches, curtail services to the bare minimum and hope the attacker goes away soon," Cosoi says, while admitting that precisely this can be called for in particular and special circumstances.

Instead, Cosoi suggests that when faced with "a pattern of exploratory attacks consistent with an APT (Advanced Persistent Attack) developing", for example, "one might consider setting up a honeypot or honeynet and gathering some more data about attackers in this manner."
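As an added example, not from the article or any of the vendors quoted in it, the script below runs the two detection stages the piece contrasts over a handful of constructed endpoint events: a match against public indicators of compromise, which catches the initial stage, and a per-host baseline of 'normal' that flags a legitimate admin tool such as psexec.exe only on a host where it has never been seen before. All hostnames, domains and hashes are constructed placeholders.

```python
"""Two-stage detection over constructed endpoint events.

Stage 1 matches public indicators of compromise (placeholder domain and
hash). Stage 2 builds a per-host baseline of observed processes and flags
admin tooling that appears on a host where it has never been seen, which is
how an attacker living off the land still stands out against 'normal'.
"""
from collections import defaultdict

# Constructed IoC feed standing in for a third-party provider's data.
IOC_DOMAINS = {"update-check.example.invalid"}
IOC_HASHES = {"PLACEHOLDER_HASH_0001"}

# Constructed baseline window: (host, user, process, destination, sha256).
BASELINE = [
    ("ws01", "alice", "outlook.exe", "mail.corp.example", "h_outlook"),
    ("ws01", "alice", "chrome.exe", "intranet.corp.example", "h_chrome"),
    ("admin01", "ops", "psexec.exe", "ws01", "h_psexec"),
    ("admin01", "ops", "powershell.exe", "ws02", "h_ps"),
]
# Constructed events to triage against that baseline.
EVENTS = [
    ("ws01", "alice", "chrome.exe", "intranet.corp.example", "h_chrome"),
    ("ws01", "alice", "svchost.exe", "update-check.example.invalid", "PLACEHOLDER_HASH_0001"),
    ("ws01", "alice", "psexec.exe", "ws03", "h_psexec"),      # admin tool on a user workstation
    ("admin01", "ops", "psexec.exe", "ws05", "h_psexec"),     # same tool, but normal for this host
]

def build_baseline(events):
    """Map each host to the set of processes seen during the baseline window."""
    normal = defaultdict(set)
    for host, _user, proc, _dest, _sha in events:
        normal[host].add(proc)
    return normal

def ioc_hits(events):
    """Stage 1: events whose destination or file hash matches a public indicator."""
    return [e for e in events if e[3] in IOC_DOMAINS or e[4] in IOC_HASHES]

def baseline_deviations(events, normal):
    """Stage 2: processes never observed on that host during the baseline."""
    return [e for e in events if e[2] not in normal.get(e[0], set())]

def triage(events, baseline_events):
    """Return both stages' findings so analysts see matches and deviations side by side."""
    normal = build_baseline(baseline_events)
    return {"ioc": ioc_hits(events), "anomaly": baseline_deviations(events, normal)}

if __name__ == "__main__":
    for stage, hits in triage(EVENTS, BASELINE).items():
        for host, user, proc, dest, _sha in hits:
            print(f"[{stage}] host={host} user={user} proc={proc} dest={dest}")
```

Note that psexec.exe on admin01 is not reported at all: the same binary is only interesting where it departs from that host's established baseline.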
