Today’s businesses face the most complex and innovative threat landscape we have ever seen, and unfortunately the bad guys are winning far too often. Deploying additional layers of security and new technologies doesn’t appear to be helping – so what can we do? By augmenting our existing incident response (IR) processes with a more proactive threat-hunting approach, we can counter the inventiveness of our human adversary with the skills of our security analysts – rather than trusting purely in technology to save us.
Over the past few years security and network architectures have evolved. On the network side of things we are now more vulnerable than we were. The adoption of cloud, BYOD and employee mobility has made our network perimeter more porous, and to an extent most people now know that a determined attacker will find a way in if they want to. What we need to do is prevent the focused attacker from reaching our key business assets once they are inside. On the security side of things most organisations have multiple solutions, all pumping events into some form of logging and correlation tool – and the amount of information being presented to our security operations teams is now immense. This can lead to problems in identifying what is important from the constant background furore – and things do get missed.
Many of the more public breaches over the past couple of years have been detected early on, but usually as one or more generic events that simply got lost in the background noise. And, given that attackers are getting better at being stealthy – through hiding their communications and more – it is becoming ever harder for us to detect and contain them before they achieve their goals. This is why dwell and contain times are so high.
According to Mandiant’s annual threat report, attackers can go undetected within a victim’s organisation for 205 days on average before they are discovered. According to new research from the Ponemon Institute and Arbor Networks, when it comes to average time to detect a threat there are differences dependent on the organisation vertical, with retailers taking 197 days to identify an advanced threat, compared to 98 days in the financial services industry. These are all big numbers and illustrate a key issue – we need to be disrupting the attacks that matter earlier in their lifecycle.
Interestingly, looking at the Ponemon research mentioned above, 40% of financial and 33% of retail organisations are looking to augment their existing event-driven IR processes with a ‘hunting team’ to try and reduce dwell and contain times.
Hunting leverages the capabilities of the real intelligence within security – our people. Humans are very good at pattern recognition and at identifying unusual behaviours, especially if they have some familiarity with what they are looking at and the data is presented in a graphical, easy-to-interpret way. Our adversaries are human too. If we understand what they are looking to get, and how they are likely to reach their target, we can ‘hunt’ for changes in network and threat activity that may indicate a compromise which would otherwise have remained undetected.
So what do we need to hunt successfully? Data visualisation is really important here: people are much better at seeing changes in pictures than in endless rows and columns of data. Speed is also key. The ‘process’ of hunting should be fairly fluid; if the analyst has to use a complex query language and wait ten minutes – or longer – for a result, the train of thought is lost.
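The kind of ‘hunt for changes’ described above can be sketched in code. The following is an added example, not code from the article or from any product it mentions: it parses a constructed outbound-connection log, builds a baseline of which host talked to which destination, and then flags two kinds of change in a later window – source/destination pairs never seen before, and pairs whose call-outs recur at suspiciously regular intervals. The log format, hostnames, addresses and thresholds are all made up for illustration.

```python
"""
Hunting for behavioural change in outbound connection logs.

Added illustration with constructed data and a hypothetical log layout
(timestamp, source host, destination, bytes out); not the article's code.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline window: what "normal" looked like last week.
BASELINE_LOG = """\
2015-06-01T09:00:12 ws-017 update.vendor.example 2310
2015-06-01T09:05:40 ws-017 mail.corp.example 1180
2015-06-01T10:15:03 ws-022 update.vendor.example 2290
2015-06-02T09:01:55 ws-017 mail.corp.example 990
2015-06-02T11:30:10 ws-022 intranet.corp.example 4400
"""

# Constructed hunt window: this week's activity for the same hosts.
HUNT_LOG = """\
2015-06-08T09:00:05 ws-017 mail.corp.example 1020
2015-06-08T09:00:10 ws-017 198.51.100.23 512
2015-06-08T09:10:10 ws-017 198.51.100.23 520
2015-06-08T09:20:11 ws-017 198.51.100.23 508
2015-06-08T09:30:09 ws-017 198.51.100.23 515
2015-06-08T09:40:10 ws-017 198.51.100.23 511
2015-06-08T10:02:44 ws-022 update.vendor.example 2305
2015-06-08T13:17:02 ws-022 cdn.newsite.example 88000
"""


def parse(log):
    """Turn the whitespace-separated log into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def known_pairs(events):
    return {(src, dst) for _, src, dst, _ in events}


def new_destinations(baseline, hunt):
    """Source/destination pairs present in the hunt window but absent from the baseline."""
    seen = known_pairs(baseline)
    return sorted({(src, dst) for _, src, dst, _ in hunt} - seen)


def beacon_candidates(events, min_hits=4, max_jitter=0.1):
    """Pairs whose connection gaps are regular (coefficient of variation of
    the gaps below max_jitter). Regular low-volume call-outs are one shape a
    hunter looks for; the result is a lead for the analyst, not a verdict."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits[pair] = round(avg)  # average period in seconds
    return hits


def hunt(baseline_log, hunt_log):
    """Run both change checks and return the leads for an analyst to triage."""
    baseline = parse(baseline_log)
    current = parse(hunt_log)
    return {
        "new_destinations": new_destinations(baseline, current),
        "beacons": beacon_candidates(current),
    }


if __name__ == "__main__":
    for name, leads in hunt(BASELINE_LOG, HUNT_LOG).items():
        print(name, leads)
```

Both checks are deliberately cheap to compute so that an analyst can re-run them with different windows or thresholds without losing their train of thought; the output is a short list of leads to pivot on, which is exactly where the human pattern recognition the article describes takes over.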
Today, in security, we are at the point where we need to be more proactive at identifying and containing threats. Trusting in our technology to identify and prioritise everything for us isn’t always working: autopilots are good at getting planes from A to B, but when there is an emergency the pilot takes over. We still need our event-driven IR processes, but if we can augment them with a more proactive, analyst-driven hunting methodology then we stand a better chance of stopping the threats that would otherwise get through.