SecurityWeek

Security Architecture

Don’t Get Caught in the Noise, Focus Your Security on What You can Control

Trying to Focus on Everything at Once is the Same as Focusing on Nothing at All…


Data has become the obsession of the security industry. Experts and vendors tell businesses that they need all the threat intelligence, logs, and traces they can get their hands on. Handling all of these raw feeds has become a major “big data” problem in its own right. Unfortunately, this tsunami of records often obscures sophisticated attacks and can create unwarranted confidence in our ability to detect intrusions.

Attackers also have access to the same monitoring tools that we use, and can test their tools and techniques against them to make sure they stay under the radar. The most sophisticated attackers often use tools and vulnerabilities that have never been seen before, and monitoring systems are hard-pressed to recognize and identify these kinds of attacks. Historically, attackers have been able to spend months inside a victim’s network before they are discovered, often by a third party rather than by the victim’s own monitoring.

Part of the problem is that our computing environments are so complex and busy that many kinds of hostile actions can hide in the noise. Smart attackers modulate their activity to mimic normal user behavior. For example, they can use stolen credentials to connect to databases in the same way and from the same computers as the legitimate users.

We simply cannot rely on monitoring alone to detect sophisticated attacks in open, general-purpose computing environments. Because these attackers can go undetected for extended periods of time, they are able to significantly compromise the attacked systems before anyone even knows there is a breach. Compounding the problem, applications like web browsers are simply too large and complex to be free of easy-to-find vulnerabilities. The result is hundreds of major security patches released for these applications every year, in a desperate attempt to keep up with the attackers.

One response to this situation is to create an environment where detection has a better chance of working, and where a failure to detect an attack does not automatically lead to widespread compromise. Breach statistics show that a handful of applications account for the vast majority of successful exploitation. The attacker’s job would be much more difficult if enterprises focused on observing and defending just those few heavily used, vulnerable applications that attackers home in on.

These key applications should be run inside hardened and minimized virtual environments. Doing so provides numerous benefits. 

First, the simplified environment makes monitoring and detection of anomalies much simpler. With only a single application and limited interactions the level of background noise is orders of magnitude lower. In a personal computer almost any activity might reasonably take place but within a hardened and minimized virtual machine only very specific things should ever happen. Anything else quickly becomes an indicator of compromise.

Second, the virtual machine can be robustly isolated from the host environment. The attacker may be able to compromise the application but that need not give them access to the entire computer, files, network, etc. This provides critical protection against the attackers who are able to defeat even the most advanced monitoring. 


Third, it makes it possible to eliminate the attacker’s malware and beachhead, again even in cases where they are able to evade monitoring and detection. The entire VM can be wiped and re-created at will because it does not contain documents or other data that needs to be preserved. By resetting the virtual machine to a known good state frequently, the attacker is pushed off the system even if the defenders had no idea they were there.
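The first and third benefits above (a minimized VM whose expected behaviour is small enough to allowlist, and a reset-to-known-good policy that evicts an attacker whether or not they were noticed) can be made concrete in code. The following is an added example, not code from the column or from any product it might refer to. It assumes a hypothetical single-purpose browser VM, a hypothetical pipe-delimited event log format (`kind|key=value|...`) produced by whatever sensor runs inside the guest, and a made-up policy in which the only permitted process is `firefox`, the only permitted outbound ports are 53, 80 and 443, and writes are confined to the browser profile and `/tmp`. The sample log lines are constructed for the example; the last three represent a browser exploit that spawns a shell, calls back to a listener, and tries to persist via cron.

```python
"""Allowlist-based anomaly detection for a minimized, single-purpose VM.

Added example (not from the original column). Assumes a hypothetical VM that
runs only a web browser and a hypothetical event log in 'kind|k=v|k=v' form.
"""
from dataclasses import dataclass

# Hypothetical policy for the hardened browser VM. Everything not listed
# here is, by construction, an indicator of compromise.
POLICY = {
    "allowed_processes": {"firefox", "firefox-bin"},
    "allowed_ports": {53, 80, 443},
    "allowed_write_prefixes": ("/home/user/.mozilla/", "/tmp/"),
    "max_lifetime_s": 4 * 3600,   # scheduled reset even when nothing is seen
}


@dataclass
class Finding:
    line_no: int
    reason: str
    raw: str


def parse_event(line):
    """Parse one constructed log line: 'kind|k=v|k=v' -> dict."""
    parts = line.strip().split("|")
    ev = {"kind": parts[0]}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        ev[k] = v
    return ev


def check_event(ev):
    """Return a reason string if the event violates the allowlist, else None."""
    kind = ev.get("kind")
    comm = ev.get("comm")
    if kind == "exec":
        if comm not in POLICY["allowed_processes"]:
            return f"unexpected process {comm!r} spawned by {ev.get('parent')!r}"
    elif kind == "connect":
        try:
            port = int(ev.get("dport", ""))
        except ValueError:
            return "malformed destination port"
        if port not in POLICY["allowed_ports"]:
            return f"outbound connection to {ev.get('dst')}:{port} not in allowlist"
        if comm not in POLICY["allowed_processes"]:
            return f"network activity from unexpected process {comm!r}"
    elif kind == "write":
        path = ev.get("path", "")
        # str.startswith accepts a tuple of prefixes
        if not path.startswith(POLICY["allowed_write_prefixes"]):
            return f"write outside the browser profile: {path}"
    else:
        # In a minimized VM an unknown event kind is itself suspicious.
        return f"unknown event kind {kind!r}"
    return None


def scan(lines):
    """Run every log line through the allowlist and collect findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        reason = check_event(parse_event(line))
        if reason:
            findings.append(Finding(n, reason, line.strip()))
    return findings


def should_reset(findings, uptime_s):
    """Reset policy: any finding, or lifetime expiry, reverts the VM to its
    golden snapshot. The scheduled path is what evicts an attacker who was
    never detected."""
    if findings:
        return True, "indicator of compromise"
    if uptime_s >= POLICY["max_lifetime_s"]:
        return True, "scheduled reset"
    return False, "healthy"


# Constructed sample log: three benign events, then a compromised browser.
SAMPLE_LOG = """\
exec|comm=firefox|parent=systemd
connect|comm=firefox|dst=198.51.100.10|dport=443
write|comm=firefox|path=/home/user/.mozilla/firefox/places.sqlite
exec|comm=sh|parent=firefox
connect|comm=sh|dst=203.0.113.7|dport=4444
write|comm=sh|path=/etc/cron.d/persist
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.reason}")
    print(should_reset(found, uptime_s=600))
```

The point of the example is how short the policy is: on a general-purpose desktop a shell launched by a user, a connection to an unusual port, or a write to `/etc` might each be legitimate, so a monitor has to reason about context. In a VM that exists only to run a browser, each of those is a violation on its own, and the reset decision does not depend on the monitor having caught the intrusion at all.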

By focusing on key attack surfaces and architecting systems to maximize the effectiveness of our monitoring efforts, we can detect and stop intrusions much more quickly. Trying to focus on everything at once is the same as focusing on nothing at all. By reshaping the battlefield to our advantage and being strategic with our detection tools, it is possible to gain a substantial advantage over those trying to attack our organizations.
