To Thwart Attackers, Measure What Matters

For years the security industry has been focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness. And that still holds true. The more threats we block, the fewer we have to deal with inside the network. We must continue to innovate and work diligently to get that number as close to 100 percent as possible. But that’s the catch.

Even as more effective and sophisticated security defenses emerge to thwart attackers, it has become clear that point solutions have limited impact against well-funded cybercriminals using a combination of more evolved tactics to evade detection.

Exploit kits, ransomware, and advanced malware are just a few examples of these innovative tactics. Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer, and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [discussed in a previous column] to stay below the radar.

Ransomware has become highly lucrative for criminals, who continually release new variants to dodge defenses. Ransomware operations have matured to the point that they are fully automated over the Tor anonymity network, and they use encryption both to hold data hostage and to evade detection. To conceal payment transactions from law enforcement, ransoms are paid in cryptocurrencies. Dridex, a banking trojan delivered through quickly mutating email campaigns, demonstrates a sophisticated understanding of how to evade security measures. By the time a campaign is detected, the attackers have already changed the emails’ content, user agents, attachments, or referrers and launched it again, forcing traditional antivirus systems to detect it anew.

The innovation race between attackers and security vendors will continue. And this dynamic creates a significant problem for organizations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel. They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not and cannot work together. History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks. To get a more realistic assessment of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more important: time to detection.

Time to detection (TTD) is the window of time between the first observation of a file and the determination that it is a threat. The gap exists because of the tactics described above: a file slips through defenses as ‘unknown’ and only later exhibits behavior that is malicious. Various industry reports put the average time to detection at around 200 days. That is far too long. By the time a breach is discovered, credit card data, bank account information, credentials, you name it, have already been compromised.

To catch these types of threats, retrospective capabilities must become part of our defenses. These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices, and remediate.
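As an added example, not code from the column or from any product it alludes to, the following Python computes the two measurements described above from endpoint telemetry: the TTD of each file hash (first observation to first malicious verdict) and, for retrospective response, the file’s trajectory across hosts and the hosts that ran it while it was still ‘unknown’. The event schema, the field names and the sample events are constructed for illustration.

```python
"""Time to detection (TTD) and file trajectory from endpoint file events.

Added example. The Event schema and the sample telemetry below are
constructed assumptions, not any vendor's data format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime        # time the sensor recorded the event
    host: str           # endpoint that observed the file ("-" for a cloud verdict)
    sha256: str         # file identity (shortened for readability)
    kind: str           # "seen" = file observed on a host, "verdict" = disposition set
    verdict: str = ""   # for "verdict" events: "malicious" or "clean"


# Constructed sample telemetry. Hash aa11 is first seen as unknown, spreads to
# three hosts, and is convicted three days later by retrospective analysis.
# Hash bb22 is convicted within 30 minutes. Hash cc33 is never convicted.
T0 = datetime(2015, 10, 1, 9, 0)
EVENTS = [
    Event(T0, "ws-01", "aa11", "seen"),
    Event(T0 + timedelta(hours=2), "ws-07", "aa11", "seen"),
    Event(T0 + timedelta(days=1), "fs-02", "aa11", "seen"),
    Event(T0 + timedelta(days=3), "-", "aa11", "verdict", "malicious"),
    Event(T0 + timedelta(days=4), "ws-03", "aa11", "seen"),  # seen after conviction
    Event(T0 + timedelta(hours=1), "ws-02", "bb22", "seen"),
    Event(T0 + timedelta(hours=1, minutes=30), "-", "bb22", "verdict", "malicious"),
    Event(T0, "ws-05", "cc33", "seen"),
]


def _seen(events, sha256):
    """All 'seen' events for a hash, in chronological order."""
    return sorted((e for e in events if e.sha256 == sha256 and e.kind == "seen"),
                  key=lambda e: e.ts)


def conviction_time(events, sha256) -> Optional[datetime]:
    """Time of the first 'malicious' verdict for a hash, or None if never convicted."""
    verdicts = [e.ts for e in events
                if e.sha256 == sha256 and e.kind == "verdict" and e.verdict == "malicious"]
    return min(verdicts) if verdicts else None


def time_to_detection(events, sha256) -> Optional[timedelta]:
    """TTD = first observation of the file to its first malicious verdict.

    Returns None when the file was never observed or never convicted, so that
    unconvicted files do not silently lower the metric.
    """
    seen = _seen(events, sha256)
    convicted = conviction_time(events, sha256)
    if not seen or convicted is None:
        return None
    return convicted - seen[0].ts


def trajectory(events, sha256):
    """Chronological (timestamp, host) path of the file across the enterprise."""
    return [(e.ts, e.host) for e in _seen(events, sha256)]


def exposed_hosts(events, sha256):
    """Hosts that observed the file before it was convicted.

    These ran the file while it was still 'unknown' and are the retrospective
    quarantine/remediation set; hosts that first saw it after the verdict are
    assumed to have been covered by the updated blocking policy.
    """
    convicted = conviction_time(events, sha256)
    if convicted is None:
        return []
    hosts = []
    for e in _seen(events, sha256):
        if e.ts < convicted and e.host not in hosts:
            hosts.append(e.host)
    return hosts


def ttd_summary(events):
    """Program-level TTD statistics (in hours) over all convicted hashes."""
    hashes = sorted({e.sha256 for e in events})
    hours = [t.total_seconds() / 3600
             for t in (time_to_detection(events, h) for h in hashes) if t is not None]
    if not hours:
        return {"convicted": 0, "max_hours": None, "median_hours": None}
    return {"convicted": len(hours), "max_hours": max(hours), "median_hours": median(hours)}


if __name__ == "__main__":
    for h in ("aa11", "bb22", "cc33"):
        print(h, "TTD:", time_to_detection(EVENTS, h), "exposed:", exposed_hosts(EVENTS, h))
    print(ttd_summary(EVENTS))
```

Tracking the median and the maximum separately matters: a single file that sat unknown for months is exactly the case the 200-day figure describes, and an average over many quickly convicted files would hide it.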

Retrospective security can only happen with an integrated threat defense that allows multiple security technologies to work together, sharing information to combat multifaceted attacks. An integrated threat defense not only accelerates TTD and response, but also enhances our front line defenses, updating policies as we uncover threats inside the network to eliminate the risk of re-infection.


Of course, stopping attacks in the first place is important. But once we accept the reality that some attacks will get through, security effectiveness must also be measured by how quickly we detect a compromise and contain it.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
