Adversaries are Increasingly Masterful at Taking Advantage of Seams Between Technologies and Teams to Infiltrate Organizations
“It’s not a matter of if, but when and how you’ll be attacked” has become the security mantra, and the industry is using it as a rallying cry as we innovate to reduce the impact of breaches. For years organizations have relied on a defense-in-depth strategy for protection. Yet despite the multiple point products deployed, the volume and velocity of compromises and breaches continue to increase. There are many reasons for this, but most stem from the seams in our defenses: our layers of protection and our security teams are largely unintegrated and operate in silos.
Adversaries are increasingly masterful at taking advantage of these seams between technologies and teams to infiltrate organizations and remain below the radar. The 2018 Cost of a Data Breach study by Ponemon Institute finds that dwell time has actually increased to 197 days from 191 the year prior. The mean time to contain is up as well, rising to 69 days from 66. It takes organizations nearly nine months to mitigate risk and get back to business as usual. As these timeframes extend, the damage and costs associated with breaches increase.
Because of this trend we’re seeing a greater emphasis on viewing things from the attacker standpoint as we devise ways to accelerate detection and response. Gartner has recently released their first reports on Breach and Attack Simulation (BAS) tools. And MITRE Corporation has rolled out its latest version of the MITRE ATT&CK Enterprise Matrix, a series of frameworks that dive deep into adversaries’ actions once inside an enterprise so defenders can use that information to their advantage.
One of the assets at every security professional’s disposal to help thwart attackers is threat intelligence. Used correctly, threat intelligence can not only help detection and response, but can be the glue that seals the seams and integrates point products into a single security system. The challenge, however, is how to use threat intelligence more effectively to understand and act upon the highest priority threats facing your organization. Security professionals are drowning in data, because each layer in their security architecture generates its own logs and events. They need to sift through the many Indicators of Compromise (IoCs) scattered across all these disparate logs and events. Bad IP addresses and domain names might reveal communication back to a command and control server, exfiltration of data or illegitimate services. Hash values can correspond to specific malicious files. Network and endpoint artifacts may point to an adversary. All of these indicators can reveal malicious behavior, but security analysts struggle to know what to look for and what to investigate first. Plus, because they are only looking within their point product silo, they can’t see the bigger picture of what is truly happening across the environment.
What’s needed is a central repository, integrated with the disparate internal systems, that uses automation to aggregate the data and events generated by those systems with data from external threat feeds and enrich it with context. By turning IoCs into threat intelligence that provides valuable insights, analysts can pivot to tactics, techniques and procedures (TTPs) and to the adversaries themselves. Automatically sharing the right intelligence with the right tools at the right time through APIs further seals the seams between these disparate technologies. Exporting curated threat intelligence directly to your sensor grid (firewalls, anti-virus, IPS/IDS, web and email security, endpoint detection and response, NetFlow, etc.) allows these tools to generate and apply updated policies to mitigate risk. You can take a proactive and anticipatory approach to defense and more effectively prevent attacks in the future.
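The pipeline the two paragraphs above describe (pull IoCs out of differently formatted sensor logs, collapse them into one repository, join them with an external feed for context and TTP, rank them, and push only actionable indicators back to each sensor) looks like this in miniature. This is an added example and not code from the article or from any product; the log lines, feed entries, IP addresses (RFC 5737 documentation ranges), `.example` domains, the hash, the actor name and the scoring rule are all constructed placeholders. The ATT&CK technique IDs are real MITRE identifiers used only as illustrative context values.

```python
import re
from datetime import datetime

# Constructed external threat feed (illustrative only). Values are placeholders;
# the ttp field holds real MITRE ATT&CK technique IDs purely as example context.
THREAT_FEED = {
    "198.51.100.23": {"ioc_type": "ipv4", "context": "known C2 server",
                      "ttp": "T1071.001", "actor": "ACTOR-PLACEHOLDER", "confidence": 90},
    "bad-updates.example": {"ioc_type": "domain", "context": "exfiltration staging host",
                            "ttp": "T1041", "actor": "ACTOR-PLACEHOLDER", "confidence": 80},
    "0123456789abcdef0123456789abcdef": {"ioc_type": "md5", "context": "dropper sample",
                                         "ttp": "T1204.002", "actor": None, "confidence": 60},
}

# Constructed log lines from three sensors, each with its own field names (the "silos").
SAMPLE_LOGS = [
    "2018-07-12T10:01:03Z fw01 action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2018-07-12T10:02:11Z proxy01 user=jdoe host=bad-updates.example status=200",
    "2018-07-12T10:03:40Z edr01 host=WS-17 process=setup.exe md5=0123456789abcdef0123456789abcdef",
    "2018-07-12T10:04:00Z fw01 action=allow src=10.0.0.7 dst=203.0.113.9 dport=80",
    "2018-07-12T10:09:27Z edr01 host=WS-17 process=svchost.exe dst=198.51.100.23 dport=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_FIELD_RE = re.compile(r"\b(?:host|domain|dns)=([A-Za-z0-9.-]+)")
INTERNAL_PREFIXES = ("10.", "192.168.")  # simplified RFC 1918 check for the demo


def extract_iocs(line):
    """Return (timestamp, sensor, {(ioc_type, value)}) for one log line.
    Field names differ per sensor, so matching is on value shape, not schema."""
    ts_str, sensor, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    found = set()
    for ip in IPV4_RE.findall(rest):
        if not ip.startswith(INTERNAL_PREFIXES):      # internal peers are not IoCs
            found.add(("ipv4", ip))
    for digest in MD5_RE.findall(rest.lower()):
        found.add(("md5", digest))
    for host in HOST_FIELD_RE.findall(rest):
        # "host=WS-17" is an endpoint name, not a domain: require a dot, reject IP literals
        if "." in host and not IPV4_RE.fullmatch(host):
            found.add(("domain", host.lower()))
    return ts, sensor, found


def aggregate(lines):
    """Central repository step: one record per IoC across every sensor that saw it."""
    repo = {}
    for line in lines:
        ts, sensor, iocs = extract_iocs(line)
        for ioc_type, value in iocs:
            rec = repo.setdefault(value, {"ioc_type": ioc_type, "sensors": set(),
                                          "sightings": 0, "first_seen": ts, "last_seen": ts})
            rec["sensors"].add(sensor)
            rec["sightings"] += 1
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec["last_seen"] = max(rec["last_seen"], ts)
    return repo


def enrich(repo, feed=THREAT_FEED):
    """Join repository records with the external feed and rank them.
    Scoring heuristic (constructed): feed confidence plus 10 per distinct sensor,
    so an IoC seen by both the firewall and EDR outranks one seen only once."""
    ranked = []
    for value, rec in repo.items():
        intel = feed.get(value)
        score = intel["confidence"] + 10 * len(rec["sensors"]) if intel else 0
        ranked.append({"value": value, **rec, "intel": intel, "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def export_for_sensor(ranked, sensor_kind, min_score=70):
    """Emit only indicator types the target sensor can act on, above a threshold,
    so unmatched or low-confidence observations never become blocking policy."""
    wanted = {"firewall": {"ipv4"}, "proxy": {"domain"}, "edr": {"md5"}}[sensor_kind]
    return [r["value"] for r in ranked
            if r["intel"] and r["ioc_type"] in wanted and r["score"] >= min_score]


if __name__ == "__main__":
    ranked = enrich(aggregate(SAMPLE_LOGS))
    for r in ranked:
        ctx = r["intel"]["context"] if r["intel"] else "no feed match"
        print(f'{r["score"]:>4} {r["value"]:<36} {sorted(r["sensors"])} {ctx}')
    for kind in ("firewall", "proxy", "edr"):
        print(kind, "->", export_for_sensor(ranked, kind))
```

Two design points carry the article's argument. The repository keys on the indicator value rather than the sensor, which is what lets the C2 address seen once by the firewall and once by EDR surface as a single, higher-priority item instead of two unrelated alerts in two consoles. And the export step filters by indicator type and score per sensor, so the unmatched `203.0.113.9` sighting is retained for investigation but never turned into a firewall rule.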
Now that you’ve stitched together the seams between security tools, you must also stitch together the seams between teams through better active and passive collaboration and coordination. Most organizations have Security Operations Center (SOC), Incident Response (IR), Risk Management, Vulnerability Management, Endpoint and Network teams, and more. Usually they don’t work together, much less share information or intelligence. When team members work in a single environment, sharing the same pool of threat data and evidence, they can conduct investigations collaboratively. Seeing the work of others and sharing insights, they can detect threats faster and even use that knowledge to pivot and accelerate parallel investigations that are separate but related. They can also store a history of investigations, observations and learnings about adversaries and their TTPs, which serves as a centralized memory for future investigations.
A single, shared environment also allows them to coordinate actions more efficiently and effectively. Managers of all the security teams can see the analysis unfolding, which allows them to coordinate tasks between teams and monitor timelines and results. Threat intelligence analysts, SOCs and incident responders can work together to take the right actions faster, reducing the time to response and remediation.
Through automation, collaboration and coordination we can thwart adversaries that exploit the seams between security technologies and teams and even seal the seams in the first place.