Enterprise security: the protective power of patterns
How can businesses keep up with the fast paced threat landscape?
OK, so with all that in mind, what are the most important indicators of compromise?
Quite possibly the most obvious for the most security operators out there are going to be the simplest, such as those discrete and obvious pieces of information such as IPs and domains.
"These are easy to gather and understand for those who aren't necessarily dedicated intrusion analysts or investigators," Nick Mazitelli, Senior Consultant at Context Information Security explains. He goes on:"The event flow from them should be fairly straightforward to process." No pun intended, but context is everything and there is a risk of false positives along with the bane of 'incident fatigue' these can cause.
"These simple and discrete indicators probably have the shortest useful life due to these ease with which an attacker can churn them, so the intelligence front is likely to move much more quickly,"Mazitelli points out.
But IPs and domains are just the tip of the iceberg, with heaps of other indicators hidden below the waterline. So where should you start in really getting to grips with the serious patterns of prediction?
Jonathan Martin, Director of Enterprise Security Products (EMEA) with HP, thinks there are really three key things that all CISOs/CIOs should be on the lookout for."Unusual network traffic is usually a sign that something is awry," Martin says.
The adversary will not only attempt to penetrate the infrastructure, but once there they will try and extract valuable data which can be monetised. Which is why unorthodox outbound traffic tends to be easier to identify and analyse than incoming traffic and there are a number of tools and solutions which can do this and work to isolate the breach. Then there are the "anomalies with privileged user behaviour" whereby a common route to valuable data is for the adversary "to mimic, or to attempt to compromise privileged user accounts by using Phishing techniques," Martin continues. With the right degree of research, it is fairly easy to takeover a privileged account and gain access to the system.
"Time of activity, systems accessed, type or volume of information accessed, all will provide early indication of a breach," according to Martin. Geographical irregularities with log-ins and access patterns as well as multiple logins from different IP addresses can provide good evidence that the adversary is at work.
Then, finally, in this group of key indicators we have those incidents where attackers have attempted to make registry changes so as to establish backdoor access.
"Monitoring system files and configurations along with registry changes are a good way to identify possible incidents," Martin concludes.
Geoff Webb, Director of solution strategy at SIEM specialist NetIQ, throws in a fourth indicator: unexpected patching of systems. "While this might seem like a good thing," he explains. "This can indicate that an attacker has established a footing within your network and is busy closing vulnerabilities to keep out the competition."
Identifying risk through the security noise
Let's face it, most enterprises these days have data logscontaining all the evidence needed for an expert eye to prove the how, when, what and where of any attack. "The problem most organisations have," suggests Paul Pratley, Investigations Manager for the Verizon RISK Team (EMEA), "is identifying what indicators matter to them and represent organisational risk out of all the security noise."
There is a real need to carry out threat modelling and adapt the deployment of security solutions into the places that really matter. "Ask these important questions," Pratley concludes."What are my organisations highest risk assets and how am I going to know when those assets are being targeted, what will that attack look like?"
Finding the right answers will lead you to a place of understanding where patterns, prediction and protection merge...
In This Article
The essential guide to cloud-based backup and disaster recovery
Support business continuity by building a holistic emergency planDownload now
Trends in modern data protection
A comprehensive view of the data protection landscapeDownload now
How do vulnerabilities get into software?
90% of security incidents result from exploits against defects in softwareDownload now
Delivering the future of work - now
The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.Download now