Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften Technologies
A 5 Point Plan For A New Security Approach Proposed By Amit Yoran
Amit Yoran, RSA President, delivered an exceptional keynote speech at the RSA Conference that reinforced the Ziften philosophy. Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility ™, risk-focused security analytics, and providing robust defenses in a new era of advanced cyber attacks. Yoran slammed existing enterprise security techniques as being stuck in the Dark Ages of cyber moats and castle walls, calling them a “legendary fail”, and outlined his vision for the way forward in 5 main points. Commentary from Ziften’s perspective has been added to each.
Stop Believing That Even Advanced Protections Suffice
“No matter how high or clever the walls, focused enemies will discover ways over, under, around, and through.”
Many of the recent, more advanced attacks did not use malware as their primary technique. Yoran criticized traditional endpoint antivirus, firewalls and traditional IPS as examples of the Dark Ages, stating that experienced attackers quickly climb over these legacy defenses and that they are mostly inadequate. A signature-based antivirus system can only protect against previously seen threats, yet unseen threats are the most dangerous to a company, since they are the most typical of targeted attacks. Targeted attackers use malware only about 50% of the time, and perhaps only briefly, at the start of the attack. The attack artifacts are easily altered and are never reused in targeted attacks. Accumulating billions of transient indicators of compromise and malware signatures in huge antivirus signature databases is therefore a pointless defensive approach.
Embrace a Deep and Pervasive Level of Real Visibility All over – from the Endpoint to the Cloud
“We need pervasive and true visibility into our enterprise environments. You merely can’t do security today without the visibility of both constant complete packet capture and endpoint compromise assessment visibility.”
This means continuous endpoint monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reveal classic attacker methods, not fleeting hex-string coincidences. And any company implementing continuous full packet capture (comparatively expensive) can easily afford endpoint threat assessment visibility (comparatively low-cost). Logging and auditing endpoint process activity offers a wealth of security insight using only basic analytics approaches. A targeted attacker counts on the relative opacity of endpoint user and system activity to mask and conceal the attack; real visibility shines a bright light on it.
Identity and Authentication Matter More than Ever
“In a world without any perimeter and with fewer security anchor points, identity and authentication matter more than ever … Eventually in [any successful attack] campaign, the abuse of identity is a stepping stone the assailants use to impose their will.”
Stronger authentication is good, but it only builds bigger walls, and those walls are still not impenetrable. What the attacker does after getting over the wall is what matters most. This calls for tracking user endpoint logins (both local and remote) and application usage for signs of unusual user activity (an insider attack or potentially compromised credentials). Any observed activity that differs from typical patterns is possibly suspicious. One departure from normality does not make a case, but security analytics that triangulate several departures from normality focus security attention on the highest-risk anomalies for triage.
External Threat Intelligence Is A Core Capability
“There are extraordinary sources for the best risk intelligence … [which] should be machine-readable and automated for increased speed and leverage. It should be operationalized into your security program and customized to your organization’s assets and interests so that analysts can rapidly attend to the risks that pose the most risk.”
Most targeted attacks do not reuse easily signatured artifacts or recycle network addresses and C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from countless endpoint and network threat sensors. Here at Ziften we incorporate 3rd party threat feeds via the Ziften Knowledge Cloud, and expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure via our Open Visibility ™ architecture. As more machine-readable threat intelligence (MRTI) feeds are developed, this capability will grow accordingly.
Understand What Matters Most To Your Organization And What Is Mission Critical
“You need to understand exactly what matters to your organization and what is mission critical. You have to … safeguard exactly what’s important and protect it with everything you have.”
This is the case for risk-driven analytics and instrumentation that focus security attention and effort on the areas of highest enterprise risk exposure. Yoran argues that asset value prioritization is only one side of enterprise risk analysis, and that the subject goes much deeper, both pragmatically and academically. Security analytics that focus security personnel on the most pressing dynamic risks (for example by filtering, correlating and scoring SIEM alert streams for security triage) must be well grounded in all sides of enterprise risk analysis.
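The triangulation of several departures from normality described under the identity point above, and the scoring of alert streams for triage described here, can be shown together in a small example. This is added illustration code, not Ziften’s product or Yoran’s material; the per-user baselines and endpoint events are constructed sample data, and the departure categories and the two-departure threshold are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed per-user baselines standing in for a learned profile of normal
# behaviour (example data, not from any product or real telemetry).
BASELINE = {
    "alice": {"hosts": {"ws-alice"}, "hours": range(8, 19),
              "logins": {"local"}, "apps": {"outlook.exe", "excel.exe"}},
    "bob":   {"hosts": {"ws-bob"}, "hours": range(8, 19),
              "logins": {"local"}, "apps": {"outlook.exe", "code.exe"}},
}

# Constructed endpoint login/process events, as a continuous monitor might log them.
EVENTS = [
    {"user": "alice", "host": "ws-alice", "hour": 3, "login": "local", "app": "outlook.exe"},
    {"user": "alice", "host": "ws-alice", "hour": 9, "login": "local", "app": "excel.exe"},
    {"user": "bob", "host": "srv-fin-01", "hour": 2, "login": "remote", "app": "powershell.exe"},
    {"user": "bob", "host": "srv-fin-01", "hour": 2, "login": "remote", "app": "net.exe"},
]


def departures(event):
    """Return the kinds of departure from the user's baseline that one event shows."""
    base = BASELINE[event["user"]]
    found = []
    if event["hour"] not in base["hours"]:
        found.append("off_hours")
    if event["host"] not in base["hosts"]:
        found.append("unusual_host")
    if event["login"] not in base["logins"]:
        found.append("unusual_login_type")
    if event["app"] not in base["apps"]:
        found.append("unusual_app")
    return found


def triage(events, min_departures=2):
    """Triangulate departures per user and rank users for analyst triage.

    Distinct departure kinds are counted once per user, so one oddity that
    repeats stays below the threshold while several different ones escalate.
    """
    reasons = defaultdict(set)
    for event in events:
        reasons[event["user"]].update(departures(event))
    ranked = [(user, len(kinds), sorted(kinds)) for user, kinds in reasons.items()
              if len(kinds) >= min_departures]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for user, score, kinds in triage(EVENTS):
        print(f"{user}: {score} departures -> {', '.join(kinds)}")
```

With the sample data, alice’s single off-hours login never reaches the triage queue on its own, while bob’s combination of off-hours, remote, unusual-host and unusual-application activity does.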
At Ziften we applaud Amit Yoran’s messages in his RSA 2015 keynote address as the cyber security industry evolves beyond the present Dark Ages of easy targeted attacks and routine exploitation.