Threat response hampered by information overload – but there is hope

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He recently visited Australia to speak at the Queensland Police Fraud and Cyber Crime Symposium.

Information sharing is critical in establishing a solid defence against adversaries. Wisniewski spoke at the symposium about what is being shared between the private sector, public sector and law enforcement, what is working and what can be done better.

“The classic approach to security is create a big, tall sandwich and keep adding layers,” says Wisniewski. “We’ve got our firewall, spam filter, web filter, antivirus. Then I get a next generation firewall with intrusion detection. We keep adding more things to the stack but the criminals have figured out that each one of these things being an independent entity can only judge something as good or bad based on a very narrow set of viewpoints”.

Citing the example of phishing emails, Wisniewski notes that email filters can only act on the information they have. However, it’s clear other tools might have additional information that could block more phishing attempts than the current email filters can on their own.

“The tools aren’t communicating with one another to make better decisions,” he says.

On the positive side, he notes that people and processes are improving to some degree.

One of the opportunities, says Wisniewski, is that organisations such as AusCERT are doing a good job of informing people of potential and emerging threats. That means people are becoming aware of the threat landscape, but there needs to be a way for that information to land in tools so that humans can focus on more complex threats.

“The first step in doing this is figuring out what do we need to share and how do we need to share it – rather than rushing into this headlong,” says Wisniewski.

Despite many agencies, such as the Department of Homeland Security in the USA and the Australian Signals Directorate locally, encouraging and even mandating information sharing, Wisniewski says that there’s a lack of understanding about what to share.

“We don’t know what to share – that’s really the problem. We have an MD5 checksum of a piece of malware and what is that? It’s not actually actionable because every time we see the malware it changes. But we need to make sure we’re seen to be doing something so let’s share it anyway”.

Wisniewski feels that industry will come up with what’s useful to share and start finding ways to share it.

“This mirrors what happened in the antivirus business 15 years ago. We had the same problem. We kind of stumbled through and created an organisation called CARO (Computer AntiVirus Researcher's Organization) where one representative from every AV company would visit and say what they were going to share and how they were going to do it. We defined an XML data format, determined what was useful to share – where the file was discovered, the date and time stamp using UTC and so on. Now, every time a malware sample comes into our lab it instantly gets shared with 130 other vendors in a defined format that they can automatically process and improve the protection in their products”.
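Two of the points above lend themselves to a short demonstration: the MD5 checksum in Wisniewski’s example stops matching as soon as the sample changes by a single byte, and the CARO approach replaces a bare hash with an agreed, machine-processable record that carries context such as where the sample was found and a UTC timestamp. The Python below is an added example written for this page, not code from Sophos, CARO or the article. Its record schema (elements `sample_report`, `md5`, `discovered_at`, `discovered_where`, `reporter`) is a hypothetical one invented here, not CARO’s actual XML format, and the sample bytes, timestamp and location are constructed.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for a submitted file (harmless bytes, not a real sample).
SAMPLE = b"constructed-sample-bytes-build-1"
# A one-byte variant, as a repacked or re-versioned build of the same family would be.
VARIANT = SAMPLE[:-1] + b"2"

# Hypothetical sharing schema: the fields every record must carry so that a
# recipient can process it automatically. Not the CARO format.
REQUIRED_FIELDS = ("md5", "discovered_at", "discovered_where", "reporter")
MD5_RE = re.compile(r"[0-9a-f]{32}")
UTC_TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")  # ISO 8601, UTC only

# Constructed malformed record used to exercise the validator.
BAD_RECORD = (
    '<sample_report version="1"><md5>abc</md5>'
    "<discovered_at>2014-06-01 09:30</discovered_at></sample_report>"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_indicator_matches(data: bytes, shared_hashes: set[str]) -> bool:
    """Exact-hash matching is all an MD5 indicator supports: any byte change defeats it."""
    return md5_hex(data) in shared_hashes


def build_record(data: bytes, discovered_where: str, reporter: str,
                 discovered_at: datetime) -> str:
    """Serialise one sharing record to XML using the hypothetical schema above."""
    if discovered_at.tzinfo is None or discovered_at.utcoffset() != timezone.utc.utcoffset(None):
        raise ValueError("discovered_at must be a timezone-aware UTC datetime")
    root = ET.Element("sample_report", version="1")
    ET.SubElement(root, "md5").text = md5_hex(data)
    ET.SubElement(root, "discovered_at").text = discovered_at.strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.SubElement(root, "discovered_where").text = discovered_where
    ET.SubElement(root, "reporter").text = reporter
    return ET.tostring(root, encoding="unicode")


def record_problems(xml_text: str) -> list[str]:
    """Return every way a record departs from the agreed schema (empty list if it conforms)."""
    problems: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "sample_report":
        problems.append(f"unexpected root element {root.tag!r}")
    fields = {child.tag: (child.text or "").strip() for child in root}
    for name in REQUIRED_FIELDS:
        if not fields.get(name):
            problems.append(f"missing field {name!r}")
    if fields.get("md5") and not MD5_RE.fullmatch(fields["md5"]):
        problems.append("md5 is not 32 lowercase hex characters")
    if fields.get("discovered_at") and not UTC_TS_RE.fullmatch(fields["discovered_at"]):
        problems.append("discovered_at is not an ISO 8601 UTC timestamp ending in Z")
    return problems


def parse_record(xml_text: str) -> dict:
    """Parse a conforming record into a dict; reject anything the schema check flags."""
    problems = record_problems(xml_text)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(xml_text)
    fields = {child.tag: (child.text or "").strip() for child in root}
    fields["discovered_at"] = datetime.strptime(
        fields["discovered_at"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


if __name__ == "__main__":
    shared = {md5_hex(SAMPLE)}
    print("original matches shared MD5:", hash_indicator_matches(SAMPLE, shared))
    print("one-byte variant matches:   ", hash_indicator_matches(VARIANT, shared))
    record = build_record(SAMPLE, "mail-gateway:attachment", "lab-A",
                          datetime(2014, 6, 1, 9, 30, tzinfo=timezone.utc))
    print(record)
    print(parse_record(record))
    print("problems with BAD_RECORD:", record_problems(BAD_RECORD))
```

The hash check shows why a checksum on its own is not actionable: the variant is the same file apart from one byte, yet the indicator misses it. The record functions show the other half of the argument, that the useful part of sharing is the agreed schema: a recipient validates the fields it expects (hash, discovery location, UTC time, reporter) and can reject or route a record without a human reading it.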

Although today’s threats and challenges are more complex than those when CARO was established in 1990, there is a model for effective sharing that can be built upon.

Initially, determining what information is useful will come from vendors, says Wisniewski. Over time, vendors will share this information with each other, with private industry and governments joining as well, so that there is a complete picture of the threat landscape.

Despite the sophistication of the adversaries, Wisniewski suggested the “good guys” are still at a point of relative immaturity. We have access to huge volumes of data, such as web addresses associated with malware and libraries of malicious source code, but are overwhelmed by the volume. So there’s a need to develop better analytics tools so that both the responses and what is shared are refined.

But as things stand today, it’s almost impossible for corporates to manage the flow of information, says Wisniewski. With so many security appliances installed within companies, there’s no shortage of log data, but putting it all together before an attack is difficult.

However, over time Wisniewski believes tools will become widely available that collate and correlate threat data from a variety of sources and support action by those working against threatening adversaries.


Stories by Anthony Caruana
