Trying to Focus on Everything at Once is the Same as Focusing on Nothing at All…
Data has become the obsession of the security industry. Experts and vendors tell businesses that they need all the threat intelligence, logs, and traces they can get their hands on. In fact, handling all of these raw feeds has become a major “big data” problem. Unfortunately this tsunami of records often obscures sophisticated attacks and can create unwarranted confidence in our ability to detect intrusions.
Attackers also have access to all the same monitoring tools that we use and can test their tools and techniques against them to ensure they stay under the radar. The most sophisticated attackers often use tools and vulnerabilities that have literally never been seen before. Monitoring systems are very hard pressed to recognize and identify these kinds of attacks. Historically attackers have been able to spend months inside a victim’s network before they are discovered, often by a third party.
Part of the problem is that our computing environments are so complex and busy that many kinds of hostile actions can hide in the noise. Smart attackers modulate their activity to mimic normal user behavior. For example, they can use stolen credentials to connect to databases in the same way and from the same computers as the legitimate users.
One response to this situation is to create an environment where the detection has a better chance of working and where a failure to detect an attack does not automatically lead to widespread compromise. The statistics show that hackers exploit only a handful of applications which make up the vast majority of attacks. The attacker’s job would be much more difficult if enterprises focused on observing and defending just those few, highly used vulnerable applications attackers hone in on.
These key applications should be run inside hardened and minimized virtual environments. Doing so provides numerous benefits.
First, the simplified environment makes monitoring and detection of anomalies much simpler. With only a single application and limited interactions the level of background noise is orders of magnitude lower. In a personal computer almost any activity might reasonably take place but within a hardened and minimized virtual machine only very specific things should ever happen. Anything else quickly becomes an indicator of compromise.
Second, the virtual machine can be robustly isolated from the host environment. The attacker may be able to compromise the application but that need not give them access to the entire computer, files, network, etc. This provides critical protection against the attackers who are able to defeat even the most advanced monitoring.
Third, it makes it possible to eliminate the attacker’s malware and beachhead, again even in cases where they are able to evade monitoring and detection. The entire VM can be wiped and re-created at will because it does not contain documents or other data that needs to be preserved. By resetting the virtual machine to a known good state frequently, the attacker is pushed off the system even if the defenders had no idea they were there.
By focusing on key attack surfaces and architecting systems to maximize the effectiveness of our monitoring efforts we can detect and stop intrusions much more quickly. Trying to focus on everything at once is the same as focusing on nothing at all. By reshaping the battle field to our advantage and being strategic with our detection tools it is possible to gain a substantial advantage against those trying to attack our organizations.