Breach detection: Five fatal flaws and how to avoid them

Even in advanced shops, perimeter-based defense practices still linger, practices based on flawed thinking

IT Security today is not about defending a (non-existent) perimeter, but about protecting the organization's attack surface, which has changed dramatically due to the cloud, mobility, BYOD, and other advances in corporate computing that have caused fundamental shifts in network architecture and operations.

Practically speaking, it means you need to monitor what is occurring inside the firewall just as much as (if not more than) what is outside trying to make its way in. Think of it as a post-breach mindset based on a "1,000 points of light" model as opposed to a "moat and castle" model of defense.

In theory it's evolutionary, but given the accelerated pace at which security organizations have had to mature, it is not necessarily an easy transition to make. Not only has the threat landscape changed, but there has been constant flux in the leadership, skills, tools and budget required.

As a result, even in advanced shops, perimeter-based defense practices still linger. These are practices based on flawed thinking or misconceptions which, if left unchecked, hinder fast detection and response. Here are the ones we see most often:

* Fixation on penetration prevention. Solution: Shift to an "already compromised" mindset. With APTs more prominent than ever, it's no longer a question of if you get breached, but when. You should evolve your security defense accordingly. Instead of focusing on preventing penetration, focus on the adversarial activity that is going on within your network. The good news is you have an advantage: the majority of the damage is usually done several months after penetration. Hackers tend to deploy 'low and slow' techniques and perform minimal actions per day in order to evade detection, better understand the organization and craft a foolproof roadmap to reach their true target.

* Accepting simple explanations. Solution: Always dig deeper. Security events are not caused by error or accident. Every piece of evidence should be over-analyzed and malicious intent must always be considered. Because your security teams cannot know all adversarial activities, in a sense they are at a disadvantage; therefore, it is crucial for the teams to over-investigate what they can see in order to reveal other unknown and undetected connecting elements. Security teams must always assume they only see half the picture, working diligently to uncover the rest of the pieces of the puzzle.

* Striving for fast remediation. Solution: Leverage the known. Instead of remediating isolated incidents as fast as possible, the security team should closely monitor the known to understand how it connects to other elements within the environment, and use it to reveal the unknown. For example, an unknown malicious process can be revealed if it is connecting to the same IP address as a detected known malicious process. Moreover, remediating immediately reveals to the hackers which of their tools are easy to detect, and they can then purposely deploy those known tools in excess to distract the defenders and waste their time.

* Focusing on malware. Solution: Focus on the entire attack. Although detecting malware is important, solutions that mainly focus on detecting isolated activity on individual endpoints are unable to properly combat complex hacking operations. Instead, employ a more holistic defense. Leverage automation - analytics and threat intelligence in particular - in order to gain context on the entire malicious operation, as opposed to just the code. Keep in mind that your adversary is a person and malware is one of their most powerful tools, but one of many in their tool kits.

* Letting false alerts get the best of you. Solution: Automate investigation. Because many security solutions produce a large volume of sporadic alerts (many of them false) with little context, security teams spend endless hours manually investigating and validating the alerts their tools produce. This lengthy process keeps security teams from addressing the real question: is there a cyber-attack underway? Here's another case where the proper use of automation can dramatically improve productivity as well as detection and response times, which results in less costly and damaging attacks. If budgetary constraints prevent the proper use of automation to aid you in this process, quantify the value of the investment you are asking the company to make.
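As an added example (not code from the article or from Cybereason), the two ideas above in Python: the "leverage the known" pivot, which starts from one confirmed malicious process and finds other processes talking to the same destination, and the "automate investigation" step, which folds what the pivot reveals into a single incident with context instead of a pile of isolated alerts. The endpoint telemetry, host names and IP addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry: (host, process, destination IP).
# Values are made up for this example; the IPs come from documentation ranges.
CONNECTIONS = [
    ("ws-01", "update_helper.exe", "198.51.100.23"),
    ("ws-01", "chrome.exe", "203.0.113.80"),
    ("ws-07", "svchost_.exe", "198.51.100.23"),
    ("ws-07", "outlook.exe", "203.0.113.25"),
    ("srv-03", "report_sync.exe", "198.51.100.23"),
    ("srv-03", "report_sync.exe", "203.0.113.9"),
    ("ws-12", "teams.exe", "203.0.113.44"),
]

# The one alert a hypothetical detection product has already confirmed as malicious.
KNOWN_MALICIOUS = {("ws-01", "update_helper.exe")}


def pivot_on_destinations(connections, known):
    """Return (suspect destinations, processes revealed by sharing them with a known-bad process)."""
    by_dest = defaultdict(set)
    for host, proc, dst in connections:
        by_dest[dst].add((host, proc))
    # Any destination contacted by a known-malicious process becomes an indicator...
    suspect_dsts = {dst for dst, procs in by_dest.items() if procs & known}
    # ...and every other process that talks to it is revealed as a new lead.
    revealed = set()
    for dst in suspect_dsts:
        revealed |= by_dest[dst] - known
    return suspect_dsts, revealed


def build_incident(connections, known):
    """Group the known detection and everything it reveals into one incident record."""
    suspect_dsts, revealed = pivot_on_destinations(connections, known)
    hosts = {host for host, _ in known | revealed}
    # Second hop: destinations the revealed processes also contact widen the picture
    # and go on a watch list rather than being remediated in isolation.
    watch = {dst for h, p, dst in connections if (h, p) in revealed} - suspect_dsts
    return {
        "known": sorted(known),
        "revealed": sorted(revealed),
        "hosts": sorted(hosts),
        "infrastructure": sorted(suspect_dsts),
        "watch_list": sorted(watch),
    }


if __name__ == "__main__":
    for key, value in build_incident(CONNECTIONS, KNOWN_MALICIOUS).items():
        print(f"{key}: {value}")
```

On the sample data, the single confirmed detection on ws-01 surfaces two more processes on two other hosts that share its command-and-control destination, plus one further address to watch.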

Like many aspects of IT, breach detection is part art, part science. What distinguishes a good analyst from a great one, however, is how they think. Avoiding these misconceptions enables security teams to approach breach detection far more strategically and to make better use of the resources at their disposal.

By Lior Div, Co-founder and CEO, Cybereason