To Thwart Attackers, Measure What Matters

For years the security industry has been focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness. And that still holds true. The more threats we block, the fewer we have to deal with inside the network. We must continue to innovate and work diligently to get that number as close to 100 percent as possible. But that’s the catch.

Even as more effective and sophisticated security defenses emerge to thwart attackers, it has become clear that point solutions have limited impact against well-funded cybercriminals using a combination of more evolved tactics to evade detection.

Exploit kits, ransomware, and advanced malware are just a few examples of these innovative tactics. Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer, and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [discussed in a previous column] to stay below the radar.

Ransomware has become highly lucrative for hackers as they continually release new variants to dodge defenses. Ransomware operations have matured to the point that they are completely automated through the anonymous web network, Tor, and use encryption to evade detection. And to conceal payment transactions from law enforcement, ransoms are paid in cryptocurrencies. Dridex is a quickly mutating campaign which demonstrates a sophisticated understanding of how to evade security measures. By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments, or referrers. They launch the campaign again, forcing traditional antivirus systems to detect them anew.

The innovation race between attackers and security vendors will continue. And this dynamic creates a significant problem for organizations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel. They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not and cannot work together. History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks. To get a more realistic assessment of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more important: time to detection.

Time to detection (TTD) is the window of time between the first observation of a file and the detection that it is a threat. This gap exists because of these tactics that cybercriminals use to slip through defenses as ‘unknown’ and later exhibit behaviors that are malicious. Based on various reports, the current industry standard for time to detection is 200 days. That’s far too long. By the time a breach is discovered credit card data, bank account information, credentials, you name it, have been compromised.

To catch these types of threats retrospective capabilities must become part of our defenses. These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices, and remediate.

Retrospective security can only happen with an integrated threat defense that allows multiple security technologies to work together, sharing information to combat multifaceted attacks. An integrated threat defense not only accelerates TTD and response, but also enhances our front line defenses, updating policies as we uncover threats inside the network to eliminate the risk of re-infection.

Of course, stopping attacks in the first place is important. But accepting the reality that some attacks will get through, security effectiveness must now be measured by how quickly we detect a compromise and stop the exploitation of that attack.