Enterprise security: the protective power of patterns

How can businesses keep up with the fast paced threat landscape?

OK, so with all that in mind, what are the most important indicators of compromise?

Quite possibly the most obvious for most security operators are going to be the simplest: discrete and obvious pieces of information such as IPs and domains.

"These are easy to gather and understand for those who aren't necessarily dedicated intrusion analysts or investigators," explains Nick Mazitelli, Senior Consultant at Context Information Security. He goes on: "The event flow from them should be fairly straightforward to process." No pun intended, but context is everything, and there is a risk of false positives along with the bane of 'incident fatigue' these can cause.


"These simple and discrete indicators probably have the shortest useful life due to the ease with which an attacker can churn them, so the intelligence front is likely to move much more quickly," Mazitelli points out.

But IPs and domains are just the tip of the iceberg, with heaps of other indicators hidden below the waterline. So where should you start in really getting to grips with the serious patterns of prediction?

Jonathan Martin, Director of Enterprise Security Products (EMEA) with HP, thinks there are really three key things that all CISOs/CIOs should be on the lookout for. "Unusual network traffic is usually a sign that something is awry," Martin says.


The adversary will not only attempt to penetrate the infrastructure but, once there, will try to extract valuable data that can be monetised. This is why unorthodox outbound traffic tends to be easier to identify and analyse than incoming traffic, and there are a number of tools and solutions that can do this and work to isolate the breach. Then there are the "anomalies with privileged user behaviour", whereby a common route to valuable data is for the adversary "to mimic, or to attempt to compromise privileged user accounts by using Phishing techniques," Martin continues. With the right degree of research, it is fairly easy to take over a privileged account and gain access to the system.


"Time of activity, systems accessed, type or volume of information accessed, all will provide early indication of a breach," according to Martin. Geographical irregularities with log-ins and access patterns as well as multiple logins from different IP addresses can provide good evidence that the adversary is at work.

Then, finally, in this group of key indicators we have those incidents where attackers have attempted to make registry changes so as to establish backdoor access.

"Monitoring system files and configurations along with registry changes is a good way to identify possible incidents," Martin concludes.

Geoff Webb, Director of Solution Strategy at SIEM specialist NetIQ, throws in a fourth indicator: unexpected patching of systems. "While this might seem like a good thing," he explains, "this can indicate that an attacker has established a footing within your network and is busy closing vulnerabilities to keep out the competition."
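To show what Martin's privileged-account indicators look like as detection logic, here is an added example (not from the article or any of the vendors quoted) that scans a few constructed authentication log lines for off-hours activity and for logins from several source IPs or countries within a short window. The log format, the privileged-account list and the IP-to-country map are all constructed for the example.

```python
"""Flag privileged-account anomalies: off-hours activity and logins from
several source IPs or countries inside a short window. Log format, account
list and IP-to-country map are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"svc_backup", "dba_admin"}            # constructed account list
IP_COUNTRY = {"10.0.0.5": "GB", "10.0.0.9": "GB",   # constructed geo lookup
              "203.0.113.7": "BR", "198.51.100.2": "RU"}
BUSINESS_HOURS = range(8, 19)                        # 08:00-18:59 local time
WINDOW = timedelta(minutes=30)

# Constructed sample log: "timestamp user src_ip result"
SAMPLE_LOG = """\
2020-08-03T09:12:04 alice 10.0.0.5 success
2020-08-03T09:40:11 dba_admin 10.0.0.9 success
2020-08-04T02:17:33 dba_admin 203.0.113.7 success
2020-08-04T02:25:58 dba_admin 198.51.100.2 success
2020-08-04T11:05:00 svc_backup 10.0.0.5 success
2020-08-04T11:09:00 bob 10.0.0.5 failure
"""

def parse(log_text):
    """Turn the constructed log lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def find_anomalies(events):
    """Return a sorted list of (user, indicator) pairs for privileged accounts."""
    findings = set()
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if user not in PRIVILEGED or result != "success":
            continue                      # only successful privileged logins matter here
        if ts.hour not in BUSINESS_HOURS:
            findings.add((user, "off-hours login"))
        by_user[user].append((ts, ip))
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts, ip) in enumerate(logins):
            # collect the later successful logins that fall inside the window
            peers = [(t, p) for t, p in logins[i + 1:] if t - ts <= WINDOW]
            ips = {ip} | {p for _, p in peers}
            if len(ips) > 1:
                findings.add((user, "multiple source IPs in window"))
            if len({IP_COUNTRY.get(p, "??") for p in ips}) > 1:
                findings.add((user, "multiple countries in window"))
    return sorted(findings)
```

Run on the sample, only dba_admin is flagged: the two 02:00 logins are off-hours, and they arrive eight minutes apart from two different IPs mapped to two different countries.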

Identifying risk through the security noise

The sad reality of the world we live in is that, for the most part at least, the bad guys have a pretty decent head start and are not backward in exploiting whatever opportunities arise as a result. The role of enterprise security teams therefore has to be that of minimising the window of opportunity.

"Where smoke signals form, dump water by the gallon before the smoke turns into a full blown fire," says Meint Dijkstra, director of technical services at COMPUTERLINKS. In other words, to understand the risks to the organisation, visibility of how an attack is actually unfolding is key to tackling it effectively and in a timely fashion.

Let's face it, most enterprises these days have data logs containing all the evidence needed for an expert eye to prove the how, when, what and where of any attack. "The problem most organisations have," suggests Paul Pratley, Investigations Manager for the Verizon RISK Team (EMEA), "is identifying what indicators matter to them and represent organisational risk out of all the security noise."

There is a real need to carry out threat modelling and adapt the deployment of security solutions to the places that really matter. "Ask these important questions," Pratley concludes. "What are my organisation's highest risk assets, and how am I going to know when those assets are being targeted? What will that attack look like?"

Finding the right answers will lead you to a place of understanding where patterns, prediction and protection merge...
