SecurityWeek | Security Architecture

Don’t Get Caught in the Noise, Focus Your Security on What You can Control

Trying to Focus on Everything at Once is the Same as Focusing on Nothing at All…


Data has become the obsession of the security industry. Experts and vendors tell businesses that they need all the threat intelligence, logs, and traces they can get their hands on. In fact, handling all of these raw feeds has become a major “big data” problem. Unfortunately, this tsunami of records often obscures sophisticated attacks and can create unwarranted confidence in our ability to detect intrusions.

Attackers also have access to the same monitoring tools that we use, and they can test their tools and techniques against them to ensure they stay under the radar. The most sophisticated attackers often use tools and vulnerabilities that have literally never been seen before, and monitoring systems are hard-pressed to recognize and identify these kinds of attacks. Historically, attackers have been able to spend months inside a victim’s network before they are discovered, often by a third party.

Part of the problem is that our computing environments are so complex and busy that many kinds of hostile actions can hide in the noise. Smart attackers modulate their activity to mimic normal user behavior. For example, they can use stolen credentials to connect to databases in the same way and from the same computers as the legitimate users.

We simply cannot rely on monitoring to detect sophisticated attacks in open, general-purpose computing environments. Because these attackers can go undetected for extended periods of time, they are able to significantly compromise attacked systems before anyone even knows there is a breach. Further compounding this issue is the fact that applications like web browsers are simply too large and complex to be free of easy-to-find vulnerabilities. The result is hundreds of major security patches released for all of these applications every year, trying desperately to keep up with the hackers.

One response to this situation is to create an environment where detection has a better chance of working and where a failure to detect an attack does not automatically lead to widespread compromise. The statistics show that only a handful of applications account for the vast majority of successful attacks. The attacker’s job would be much more difficult if enterprises focused on observing and defending just those few, heavily used, vulnerable applications that attackers home in on.

These key applications should be run inside hardened and minimized virtual environments. Doing so provides numerous benefits.

First, the simplified environment makes monitoring and detection of anomalies much simpler. With only a single application and limited interactions, the level of background noise is orders of magnitude lower. In a personal computer almost any activity might reasonably take place, but within a hardened and minimized virtual machine only very specific things should ever happen. Anything else quickly becomes an indicator of compromise.


Second, the virtual machine can be robustly isolated from the host environment. The attacker may be able to compromise the application but that need not give them access to the entire computer, files, network, etc. This provides critical protection against the attackers who are able to defeat even the most advanced monitoring. 

Third, it makes it possible to eliminate the attacker’s malware and beachhead, again even in cases where they are able to evade monitoring and detection. The entire VM can be wiped and re-created at will because it does not contain documents or other data that need to be preserved. By resetting the virtual machine to a known good state frequently, the attacker is pushed off the system even if the defenders had no idea they were there.
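The first benefit above is the one that changes the detection problem: in a single-application VM the baseline is small enough to enumerate, so detection can be an allowlist rather than a search for known-bad signatures. The following is an added example, not code from the article; it assumes a hypothetical event log of the form `<time> <event_type> <detail>` and a constructed baseline for a VM that runs only a web browser.

```python
# Constructed baseline for a VM that runs only a web browser: the few things
# that should ever happen inside it. Hypothetical names, not from the article.
BROWSER_VM_POLICY = {
    "process": {"browser", "browser-renderer", "browser-gpu"},
    "connect": {"443", "80"},                   # destination ports the browser may use
    "write": ("/home/user/.cache/browser/",),   # path prefixes the browser may write under
}

def check_event(policy, event_type, detail):
    """Return None if the event is expected in this VM, otherwise why it is not."""
    allowed = policy.get(event_type)
    if allowed is None:
        return f"unexpected event type {event_type!r}"
    if event_type == "write":
        return None if detail.startswith(allowed) else f"write outside baseline paths: {detail}"
    if event_type == "connect":
        port = detail.rsplit(":", 1)[-1]
        return None if port in allowed else f"connection to unexpected port: {detail}"
    return None if detail in allowed else f"{event_type} not in baseline: {detail}"

def scan_log(lines, policy=BROWSER_VM_POLICY):
    """Flag every event outside the baseline as (line_no, reason). In a minimized
    VM there is no legitimate background activity to hide among, so the list of
    findings stays short enough for a human to act on."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split(maxsplit=2)  # assumed format: "<time> <event_type> <detail>"
        if len(parts) != 3:
            findings.append((n, f"unparseable line: {line!r}"))
            continue
        _time, event_type, detail = parts
        reason = check_event(policy, event_type, detail)
        if reason:
            findings.append((n, reason))
    return findings

SAMPLE_LOG = [  # constructed events: four expected, three that should be flagged
    "10:00:01 process browser",
    "10:00:02 process browser-renderer",
    "10:00:03 connect 203.0.113.10:443",
    "10:00:04 write /home/user/.cache/browser/Cache/f01",
    "10:00:09 process shell",
    "10:00:10 connect 198.51.100.7:8080",
    "10:00:11 write /home/user/.config/autostart/x.desktop",
]

if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

On a general-purpose desktop the same allowlist would fire constantly; it is the minimized environment that makes every finding worth reading.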

By focusing on key attack surfaces and architecting systems to maximize the effectiveness of our monitoring efforts, we can detect and stop intrusions much more quickly. Trying to focus on everything at once is the same as focusing on nothing at all. By reshaping the battlefield to our advantage and being strategic with our detection tools, it is possible to gain a substantial advantage against those trying to attack our organizations.
