We tend to think of cyberattacks in medieval terms: attackers swarm the walls that protect the castle, hammering away with zombie servers strung together like a battering ram of old to execute a distributed denial of service (DDoS) attack.
This still happens. The difference is that the zombies are no longer just malware-infected desktop and laptop PCs. They are also thermostats, dishwashers, fire alarms, and even light bulbs: the simple devices that, networked together, make up what we call the Internet of Things (IoT). Too many of these devices are unprotected. Aruba recently surveyed the market and found that 84 percent of respondents had experienced a breach in their IoT implementations.
What to do?
Rethink security. Instead of building higher walls, companies need to take a cue from the U.S. government and implement Active Cyber Defense (ACD), a four-stage architecture built around continuous monitoring: detect the intruders who are already inside, then deal with them before they can do much damage.
On the Network, Time Heals No Wounds
Call it a reality check. Today’s targeted attacks are designed to stay under the radar, moving in small, cautious steps over long periods of time, often with legitimate credentials taken from a compromised user account. Left undetected, such an intrusion does not fade; it spreads.
“It’s no longer a matter of if you’ll get breached. It’s a matter of when,” said my colleague, Art Wong, senior vice president and global general manager of enterprise security services for Hewlett Packard Enterprise. Federal IT experts have introduced ACD with this more complex and dangerous threat landscape in mind.
The goal of ACD is to move from reacting to threats to anticipating them, while covering a constantly changing IT ecosystem more completely. At its core, ACD defines a four-stage pipeline: sensing, sense-making, decision-making, and action. The aim is to move through that pipeline faster and to automate each stage as far as possible. The better the intelligence produced by sensing, sense-making, and decision-making, the more confident and timely the resulting action can be.
ACD at Work: 4 Steps to Building Intelligent, Real-Time Threat Response
As shown above, ACD is a systematic, end-to-end approach to securing the digital workplace: it aims to close the loop between detection and response and so make the whole networked ecosystem more secure. Here is how it works at each stage:
1. Sensing. If properly monitored, the network can act as a massive sensor. Packets, flows, logs, and more provide raw material that good analytics systems (see below) use to detect anomalies. The more insight into the network those analytics have, the more precise and predictive the response architecture can be.
2. Sense-making. This is where the biggest strides in cybersecurity technology are being made. User and Entity Behavior Analytics (UEBA) uses a combination of supervised and unsupervised machine-learning models to detect, and alert on, attacks that have evaded real-time defenses. Low-profile attacks of this kind are only caught before they do damage by observing, aggregating, and interpreting small changes in behavior over time.
3. Decision-making. With analytics raising high-precision alerts, it becomes possible to codify policies that change a user's or device's access to IT infrastructure based on the type of alert and the entity affected. The response can be as mild as forcing re-authentication or as aggressive as quarantining or blocking the entity. Even a modest response buys time for security analysts, who can then use integrated incident investigation to diagnose the situation and decide on further steps.
4. Action. Automated, policy-driven action is what closes the loop. The key is integrating the UEBA platform that does the sense-making with programmable systems (network access control, identity and policy management) that can apply the decision automatically and responsibly. Striking the right balance between analysis and action takes time: a false positive that blocks a legitimate user is itself an outage, so in practice organizations start with low-impact, reversible actions such as forced re-authentication and require analyst approval for blocks until they trust the alert precision. Done right, it is the setup organizations most need for intelligent, proportional, real-time threat response.
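The four stages as one closed loop, as an added example that is not Aruba's or Niara's code: a small Python pipeline that learns per-entity baselines from constructed flow records, scores a new window for three behaviour changes (egress volume far above baseline, destinations never seen before, credentials used from an unknown host), maps the score to an access change under a simple policy, and hands the change to a stand-in enforcer. The record layout, the weights and thresholds, the `POLICY` table, the `HEADLESS` set and the `Enforcer` class are all assumptions made for illustration; a real deployment would call the NAC or policy manager's own API instead.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# 1. Sensing: constructed flow records (hour, entity, src_host, dst_ip, bytes_out).
# Hours 0-9 are the learning window; hour 10 is the window being scored.
BASELINE = [(h, "alice", "lt-alice", d, 2_000 + 100 * h)
            for h in range(10) for d in ("10.0.0.5", "10.0.0.6")]
BASELINE += [(h, "bob", "lt-bob", "10.0.0.5", 1_500) for h in range(10)]
BASELINE += [(h, "cam-lobby-2", "cam-lobby-2", "10.0.0.9", 500) for h in range(10)]
LIVE = [
    (10, "alice", "lt-alice", "10.0.0.5", 2_500),          # business as usual
    (10, "alice", "lt-alice", "10.0.0.6", 2_400),
    (10, "bob", "ws-finance-03", "10.0.0.5", 1_500),       # bob's credentials, new host
    (10, "bob", "ws-finance-03", "10.0.0.21", 900_000),    # fanning out to new hosts
    (10, "bob", "ws-finance-03", "10.0.0.22", 850_000),
    (10, "bob", "ws-finance-03", "10.0.0.23", 870_000),
    (10, "cam-lobby-2", "cam-lobby-2", "203.0.113.7", 5_000_000),  # camera exfiltrating
]
HEADLESS = {"cam-lobby-2"}  # assumed: IoT devices with no user who could re-authenticate

@dataclass
class Profile:
    hourly_bytes: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    dsts: set = field(default_factory=set)

def learn(records):
    """Per-entity baseline: hourly egress volumes, known hosts, known destinations."""
    per_hour, profiles = defaultdict(lambda: defaultdict(int)), defaultdict(Profile)
    for hour, entity, host, dst, nbytes in records:
        per_hour[entity][hour] += nbytes
        profiles[entity].hosts.add(host)
        profiles[entity].dsts.add(dst)
    for entity, hours in per_hour.items():
        profiles[entity].hourly_bytes = list(hours.values())
    return profiles

# 2. Sense-making: score one window's small behaviour changes against the baseline.
def score_window(profiles, records):
    """Return {entity: (score, reasons)}; the weights are illustrative assumptions."""
    by_entity = defaultdict(list)
    for rec in records:
        by_entity[rec[1]].append(rec)
    out = {}
    for entity, recs in by_entity.items():
        p, score, reasons = profiles[entity], 0, []
        total = sum(r[4] for r in recs)
        mu = mean(p.hourly_bytes) if p.hourly_bytes else 0.0
        # floor sigma so a perfectly regular baseline (stdev 0) still gives a finite z
        sigma = max(pstdev(p.hourly_bytes) if p.hourly_bytes else 0.0, 0.1 * mu, 1.0)
        z = (total - mu) / sigma
        if z > 3:
            score += 40
            reasons.append(f"egress volume z={z:.1f} above baseline")
        dsts = {r[3] for r in recs}
        new_dst = len(dsts - p.dsts) / len(dsts)
        if new_dst >= 0.5:
            score += 30
            reasons.append(f"{new_dst:.0%} of destinations never seen before")
        if any(r[2] not in p.hosts for r in recs):
            score += 30
            reasons.append("credentials used from an unknown host")
        out[entity] = (score, reasons)
    return out

# 3. Decision-making: policy maps score and entity type to an access change.
POLICY = [(90, "quarantine"), (60, "reauthenticate"), (0, "none")]  # highest floor first

def decide(scores):
    actions = {}
    for entity, (score, _) in scores.items():
        action = next(a for floor, a in POLICY if score >= floor)
        if action == "reauthenticate" and entity in HEADLESS:
            action = "quarantine"  # a camera cannot answer an MFA prompt; isolate it instead
        actions[entity] = action
    return actions

# 4. Action: push the change and open a case so an analyst investigates while access is limited.
class Enforcer:
    """Stand-in for the NAC / policy-manager API; records what it would push."""
    def __init__(self):
        self.applied, self.cases = [], []

    def enforce(self, entity, action, reasons):
        if action == "none":
            return None
        change = {"entity": entity, "action": action, "reasons": reasons}
        self.applied.append(change)   # e.g. restricted VLAN, forced MFA, or port block
        self.cases.append(entity)     # analyst queue: investigate while the entity is contained
        return change

def run_pipeline(baseline, live):
    profiles = learn(baseline)
    scores = score_window(profiles, live)
    actions = decide(scores)
    enforcer = Enforcer()
    for entity, action in actions.items():
        enforcer.enforce(entity, action, scores[entity][1])
    return actions, enforcer
```

Running `run_pipeline(BASELINE, LIVE)` leaves alice untouched, quarantines bob (new host, mostly new destinations, volume far above baseline) and quarantines the camera even though its score only reaches the re-authentication tier, because the entity-type rule recognises that a headless device cannot complete an MFA challenge. Each enforced change also lands in the analyst queue, which is the "buy time" property the decision-making stage describes.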
There is no simple way to get started with Active Cyber Defense. Security is by nature a fragmented discipline in which products from different vendors must be made to work together reliably. Be skeptical of anyone who promises an “all-in-one” answer to complex cybersecurity problems, but be open to integration.
Technical alliances are emerging to combat cybersecurity threats in new and creative ways. For example, Niara recently joined HPE Aruba and is actively working to integrate machine-learning driven UEBA with profiling and the company’s ClearPass policy management to implement ACD network-wide. We won’t be the only ones working on this, of course, and we don’t need to be. Smart security analysts always find a way to stitch together the solutions they need to fight back against attackers.
ACD is what we need now, in an era where perimeter defense isn’t good enough and intrusion detection systems aren’t granular or adaptable enough. New threats are coming every day. Having a process that scans for problems continuously and then learns from the results, in real time, isn’t just the best defense—it’s the only defense.
Larry Lunetta is VP of Marketing for Security Solutions at Aruba, a subsidiary of Hewlett Packard Enterprise. Previously he was VP of Marketing and Business Development at Niara, which provides a groundbreaking UEBA platform for detecting existing threats inside networks. HPE acquired Niara in February.