Adversaries Know Our Security Infrastructure is Fragmented and Take Advantage of Blind Spots to Stay Below the Radar
Approximately 30 years ago, Dr. Persi Diaconis discovered that it takes seven shuffles to mix a deck of cards thoroughly so that the order of the cards is random. Since then, others have continued this research and now find the number of times you need to shuffle can be much higher depending on the technique used. The point is, it takes some work to create “randomness” – a lack of pattern or predictability. It really isn’t as easy as most of us think.
Similarly, when we talk about security and the whack-a-mole phenomenon, it’s common to think that we’re facing an endless, random cycle of new threats popping up continuously. When, in fact, there may be very little that’s random about it. Chances are, threat actors aren’t going through the work of continuously creating entirely new attack campaigns. They’re using tools and tactics over and over again – and successfully accomplishing their missions for two main reasons.
First, threat actors know our security infrastructure is fragmented. Our layers of protection and security teams are largely unintegrated and operate in silos, so we have little visibility into what is truly happening across the environment. Adversaries take advantage of these blind spots to stay below the radar.
Second, because each layer in the security architecture creates its own logs and events, security professionals are drowning in data. Every indicator can reveal malicious behavior, but security analysts struggle to know where to begin. On the surface, each alert or indicator of compromise appears to be self-contained and “random”. In reality, it’s much more likely that threat actors are leaving a trail of breadcrumbs that security teams can use to their advantage to detect and stop an attack.
To shift the balance of power, we need to find a way to integrate tools and teams so that we can overcome the limitations of fragmentation. This requires aggregating data from disparate systems so we can analyze, understand and act on it faster. Most organizations have more internal system data than they know what to do with from sources including the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure. On top of that, threat intelligence must be considered. Analysts are bombarded with millions of threat-focused data points from multiple data feeds, some from commercial sources, some open source, some industry and some from their existing security vendors.
Having a platform that serves as a central repository allows you to aggregate internal threat and event data with external threat feeds and normalize that data so that it is in a usable format. By augmenting and enriching information from inside your environment with external threat intelligence about indicators, adversaries and their methods, you can start to connect the dots and see a broader picture of what’s happening across the environment. You have the capacity now to discover if, and how, seemingly random alerts and indicators are linked and gain threat intelligence that may point to a single campaign targeting your organization.
This is a huge step forward in shifting the balance of power, but it still isn’t enough. With the frequency and costs of malicious breaches continuing to rise, as discovered in the 2019 Cost of a Data Breach Report, you need to be able focus your efforts so you can detect and respond to high-risk threats faster. This requires that the platform also allow you to prioritize based on relevance to your environment. But what is relevant to one company may not be relevant to another.
Some threat intelligence providers publish “global” risk scores based on their own research, visibility and proprietary methods. However, because these scores are not specific to an organization or even an industry, you can’t take them at face value. You need the ability to customize scores based on your own set of scoring parameters. These parameters are driven by multiple factors, including: indicator source, type and attributes or context, as well as adversary attributes. The ability to customize threat intelligence scores allows you to prioritize what is relevant to your organization and reevaluate and reprioritize as new data, context and learnings become available.
Using threat intelligence to help integrate tools and teams, and prioritization so you know what to investigate first, allows you to focus resources on the greatest risks. Threat actors can no longer hide behind a façade of randomness. And you can execute very purposeful acts of security.