Threats, Security Operations, and Scale
It’s no secret that the sophistication of IT threats has increased dramatically over the past several years. This change has caused the entire ecosystem of information security to evolve and adapt in order to keep pace. Security vendors continue to develop new types of visibility and techniques to reveal advanced threats. Coordination across security disciplines and products has become critical to recognize complex, multi-faceted attacks. But probably the most fundamental change (and likely the most unsustainable) is the reliance on human investigation and manual incident response when an enterprise is faced with an advanced threat.
One of the most consistently neglected costs of any security product is not the price or maintenance, but the time and talent required from security staff in order to get the real value out of it. The scarcity of manpower and talent almost always overshadows the scarcity of security budget, and it’s weak spot where advanced threats put the most strain. Almost by definition, advanced threats simply can’t be effectively addressed using a “set it and forget it” approach to security. But worse still, the vast majority of security products focused on advanced threats stop at detecting a threat, which in turn, kicks off an incident response phase. Modern IT incident response requires a set of highly technical skills that is both broad and deep. Advanced traffic analysis, memory forensics and reverse engineering of malware are highly technical disciplines in their own rights, and an enterprise would be lucky to have just one of these experts on staff, much less all three (in reality, more would be needed).
The fundamental problem here is that advanced threats, while “advanced”, are not sufficiently rare. As someone who gets to see a lot of enterprise networks, I can’t recall the last time we completed a full-stack analysis of all traffic and a behavioral analysis of unknown files on the network when we didn’t find both malware that was avoiding traditional controls as well as custom command and control traffic that was doing the same. Simply put, if you look for advanced threats, the odds are very high that you are going to find what you’re looking for. This has led to two very common IT responses, neither of which I find to be particularly tenable. Either security decides to go full-on ostrich with their heads in the sand, refusing to look for threats, or they decide to fight the good fight and climb on the incident response treadmill, where they are almost predetermined to fall short.
Admittedly, this all sounds pretty depressing. The good news is that I don’t think things will stay this way. The issue is that these new approaches to security are in a stage of adolescence. And technical adolescence, like the real thing, is often painful, confusing, and marked by a lack of coordination (sorry for over-sharing). But also like real adolescence, I think we will grow through this phase. To do so, we need to grow to a place where incident response is reserved for the truly exceptional threats, not those that simply slide through outdated security models invented a generation ago.
To make this a reality, two major things need to happen. First, we need to do a better job of stemming the flow of advanced threats upstream.
This can be done in a variety of ways today, and we will surely develop others as we move forward.
For example, better and faster sharing of threat intelligence and signatures can enable a shared level of protection where new threats encountered by one organization can benefit the others. Obviously, we need to be looking beyond just the signatures of the threats to understand how we can substantively reduce our attack surface. As an example, knowing that many drive-by downloads will redirect a victim browser session to a new, custom URL, which is used to deliver a malware payload, we have seen customers develop simple policies to never accept files from unknown or untrusted domains. Customers who have used this simple common-sense approach have seen the number of polymorphic malware events drop to less than one fifth of previously observed levels. This is a simple example, but it shows how, through a bit of creative thinking and coordinated use of security, we can drastically reduce the number of threats that need investigation.
The second major pillar that we need is a better, more automated approach to investigating threat events. The goal is to avoid the need for deep-dive technical analysis by providing automated correlation and mitigation that requires minimal-to-no human intervention. A key area where this is already being done is the coordinated integration of network and end-point security. Advanced threats exist both in the network and on the end-point, and contextual real-time information that spans both ends of security can make many of the very manual and time-intensive investigations much simpler and automated. These integrations of next-generation network and end-point security are already showing up in the market, and are allowing security teams to quickly determine if a newly detected threat was successful, what the scope of the attack was, and what user devices need to be disinfected. Again, we are touching the surface of what is possible here, but it is this type of thinking that will lead us back to a place where is more sustainable.
What I’m proposing her certainly won’t happen overnight. The sharing of advanced threat data and security best practices will need some sort of industry organization to collect, evaluate and distribute this information. Many organizations may be reluctant to share what they find about advanced threats on their networks for a variety of reasons. Some may see knowing how to combat an advanced threat as a competitive advantage while others may see sharing the information as drawing unwanted attention to their network’s vulnerabilities. As for the automation of threat investigation, that will require companies to invest in R&D and product development. But like the awkwardness of adolescence I described above, I’m confident that the security industry will be able to look back on these challenges when it’s a little older and wiser and realize they were necessary because they helped us grow and mature.
