Proactive Security, Taking a Step Forward

Author: Nick Race, Australia and New Zealand Country Manager at Arbor Networks

Today’s businesses face the most complex and innovative threat landscape we have ever seen, and unfortunately the bad guys are winning far too often. Deploying additional layers of security and new technologies doesn’t appear to be helping – so what can we do? By augmenting our existing incident response (IR) processes with a more proactive threat-hunting approach, we can counter the inventiveness of our human adversary with the skills of our security analysts – rather than trusting purely in technology to save us.

Over the past few years security and network architectures have evolved. On the network side of things we are now more vulnerable than we were. The adoption of cloud, BYOD and employee mobility has made our network perimeter more porous, and to an extent most people now know that a determined attacker will find a way in if they want to. What we need to do is prevent the focused attacker from reaching our key business assets once they are inside. On the security side of things most organisations have multiple solutions, all pumping events into some form of logging and correlation tool – and the amount of information being presented to our security operations teams is now immense. This can lead to problems in identifying what is important from the constant background furore – and things do get missed.

Many of the more public breaches over the past couple of years have been detected early on, but usually as one or more generic events that simply got lost in the background noise. And, given that attackers are getting better at being stealthy – through hiding their communications and more – it is becoming ever harder for us to detect and contain them before they achieve their goals. This is why dwell and contain times are so high.

According to Mandiant’s annual threat report, attackers can go undetected within a victim’s organisation for 205 days on average before they are discovered. According to new research from the Ponemon Institute and Arbor Networks, when it comes to average time to detect a threat there are differences dependent on the organisation vertical, with retailers taking 197 days to identify an advanced threat, compared to 98 days in the financial services industry. These are all big numbers and illustrate a key issue – we need to be disrupting the attacks that matter earlier in their lifecycle.

Interestingly, looking at the Ponemon research mentioned above, 40% of financial and 33% of retail organisations are looking to augment their existing event-driven IR processes with a ‘hunting team’ to try to reduce dwell and contain times.

Hunting leverages the capabilities of the real intelligence within security – our people. Humans are very good at pattern recognition and at identifying unusual behaviours, especially if they have both some familiarity with what they are looking at and data that is presented in a graphical, easy-to-interpret way. Our adversaries are human; if we understand what they are looking to get, and how they are likely to get to their target, we can ‘hunt’ for changes in network and threat activity that may indicate a compromise that would otherwise have remained undetected.

So what do we need to hunt successfully? Data visualisation is really important here: people are much better at seeing changes in pictures than in endless rows and columns of data. Speed is also key. The ‘process’ of hunting should be fairly fluid; if we have to use a complex query language and wait ten minutes – or longer – for a result, then we lose the analyst’s train of thought.
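The two paragraphs above describe hunting as looking for changes in network activity against what is already familiar, fast enough that the analyst keeps their train of thought. The following is an added example, not from the article or from Arbor Networks, of what that comparison looks like in code: it takes a constructed set of baseline outbound flows (what a host normally talks to), compares a current window against it, and flags destinations that are new for a host, scoring how metronomic the contact pattern is, since fixed-interval check-ins to an unfamiliar destination are one of the shapes a hunter would want surfaced rather than buried among generic events. All host names, addresses, byte counts and thresholds are made up for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination, bytes out).
# BASELINE_FLOWS is the history the hunter treats as known-good; CURRENT_FLOWS is
# the window being hunted over. Hosts, addresses and volumes are all invented.
BASELINE_FLOWS = [
    (t, "ws-017", "203.0.113.10", 1200 + (t % 700)) for t in range(0, 86400, 1800)
] + [
    (t + 97, "ws-017", "198.51.100.25", 900) for t in range(0, 86400, 3600)
] + [
    (t, "ws-042", "203.0.113.10", 1500) for t in range(0, 86400, 2700)
]

CURRENT_FLOWS = [
    (t, "ws-017", "203.0.113.10", 1300) for t in range(0, 86400, 1800)
] + [
    # ws-017 now contacts a destination absent from the baseline, every 300 s,
    # with small payloads: a regular check-in pattern worth an analyst's look.
    (t, "ws-017", "192.0.2.77", 310) for t in range(0, 86400, 300)
] + [
    (t, "ws-042", "203.0.113.10", 1500) for t in range(0, 86400, 2700)
] + [
    # ws-042 also has one new destination, but only two irregular contacts,
    # so it is reported as new without the periodic verdict.
    (4000, "ws-042", "192.0.2.88", 2000),
    (50000, "ws-042", "192.0.2.88", 5000),
]


def known_destinations(flows):
    """Per-host set of destinations seen during the baseline window."""
    seen = defaultdict(set)
    for _, host, dst, _ in flows:
        seen[host].add(dst)
    return seen


def beacon_score(timestamps):
    """Coefficient of variation of the inter-arrival gaps: near 0 means the
    contacts are evenly spaced. Returns None when there are too few contacts
    to say anything about regularity."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return pstdev(gaps) / mu if mu else None


def hunt(baseline, current, max_cv=0.1, min_contacts=10):
    """Report (host, destination) pairs in the current window that never
    appeared in the baseline. Pairs with at least min_contacts contacts whose
    spacing varies by no more than max_cv are marked periodic. The result is
    sorted so the analyst can pivot straight to the evidence."""
    known = known_destinations(baseline)
    contacts = defaultdict(list)
    for ts, host, dst, nbytes in current:
        if dst not in known[host]:
            contacts[(host, dst)].append((ts, nbytes))
    findings = []
    for (host, dst), events in sorted(contacts.items()):
        cv = beacon_score([ts for ts, _ in events])
        regular = cv is not None and cv <= max_cv and len(events) >= min_contacts
        findings.append({
            "host": host,
            "destination": dst,
            "contacts": len(events),
            "bytes_out": sum(n for _, n in events),
            "interval_cv": cv,
            "verdict": "periodic-new-destination" if regular else "new-destination",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(BASELINE_FLOWS, CURRENT_FLOWS):
        print(f"{f['host']} -> {f['destination']}: {f['contacts']} contacts, "
              f"{f['bytes_out']} bytes, cv={f['interval_cv']}, {f['verdict']}")
```

The point of the baseline-then-diff structure is speed: the baseline is computed once and the per-window comparison is a single pass, so an analyst can re-run it against a new host or time range without waiting on a heavy query. In practice the baseline would come from flow or proxy logs over a longer period than one day, and the output would feed a chart of contacts over time rather than a printed list.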

Today, in security, we are at the point where we need to be more proactive at identifying and containing threats. Trusting in our technology to identify and prioritise everything for us isn’t always working – autopilots are good at getting planes from A to B, but when there is an emergency the pilot takes over. We still need our event-driven IR processes, but if we can augment them with a more proactive, analyst-driven hunting methodology then we stand a better chance of stopping the threats that would otherwise get through.
