Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Why Advanced Attack Campaigns Like Security Silos

Think of the major cyber-attacks from the past few years – the Sony hack, Target breach, Neiman Marcus, Snapchat Breach, H

Think of the major cyber-attacks from the past few years – the Sony hack, Target breach, Neiman Marcus, Snapchat Breach, Home Depot breach, or PayPal Hack. If you examine the common denominator between these attacks (and many other, less-known security breaches), you’ll notice two things. The first is well known – attacks have become sustained and highly targeted. Secondly, attacks thrive on security silos.

Advanced Attack Campaigns

First, let me quickly characterize the term ‘Advanced attack campaign’. These type of attacks will always involve an entity with a focused target and high motivation. Attackers are well-organized, have high security expertise, and are patient and persistent in identifying and implementing the optimal attack strategy by collaborating with multiple players.

Advanced attack campaigns are typically multi-vector, prolonged and adaptive to the defenses they encounter – unlike the defending side, which is inherently more rigid and structured around products and security solution silos.

Security Silos – a Sweet Spot for Attackers

Advanced Attack CampaignsA typical large enterprise may have anywhere between 50-60 different security products and solutions deployed. Covering the entire security spectrum – intrusion prevention, anti-malware, network and user behavior analysis, WAF, and more – these products generate hundreds or thousands of alerts on a daily basis, creating quite a few challenges.

• Each security vendor uses a different technology, resulting in different type of alerts and making it difficult to keep up with the required talent and expertise.

• Solution are delivered as stand-alone silos. With no integration between products’ security functions, effective contextual analysis is simply not possible.

• The large number of tools, as well as the need to constantly maintain policies up to date, increase the potential for misconfigurations or outdate policies, creating a false sense of security.

• The typical, siloed IT organizational structure makes it difficult for SOC teams to enforce the required actions, when most of the actionable network operations are under the responsibility of different groups.

This siloed security structure presents an opportunity for advanced attack campaigns. While SoC teams are occupied sifting through endless alerts and logs, with no real-time visibility and understanding of the “big-picture”, attackers can exploit dead spots and misconfigurations to sneak between security policies.

If you take a look at STIX, the collaborative effort to characterize cyber threats and specify attack, you’ll notice that attacks span across security functions. In the Target breach, more than 11 steps were taken by attackers.

Security Silos Breakdown – 4 Approaches

Recently I had the opportunity to speak to several CISO at large enterprises and Telco’s. Here are four possible methods that came up during our talks for addressing vulnerabilities resulting from security silos.

1. Consolidating security solutions using a small number of vendors. The idea is that by having less vendors, some of the issues mentioned above may be solved, since products arriving from a single vendor are better integrated. However, this approach is rejected by many CISOs since they don’t like to “color” their entire network with one or two vendors. A vendor-lock has some obvious and serious disadvantages for any organization. Personally, I tend to agree with this argument.

2. IT fusion. This is a promising initiative that aims to consolidate different IT groups such as network operations, applications security, Netsec teams, SoC, Audit, and others. Uniting multiple groups into a single entity can results in more coordinated and efficient work with faster response times.

3. Orchestration and automation systems. While the IT fusion strategy is a good one, it cannot help on its own to cope with advanced attack campaigns. It must be supported by orchestration and automation tools that enable executing security actions across the network. Such systems also amplify the investments already made in existing security infrastructure by most the large enterprises.

4. Aligning security policies with intent. Orchestration and automation is a great efficiency improvement, yet if security policies are misconfigured, they will not help much. Automation should be complemented with the ability to analyze and cover gaps or security holes between security intent and the policies of each security product.

For example, point of sales elements should be examined with a security policy focused on memory scarping malware and network data-leak behavior patterns, and less on DoS, brute force, social engineering and probe activities. Or another example – customer facing web services should be examined via policies focused on brute-force, DoS and injection type attacks, and less on social engineering, data-leak network patterns etc.

Organizational and security product silos are not likely to disappear anytime soon. As security professionals our first step is to recognize the vulnerabilities they create, and then select the appropriate methods to gain insight, fill in the gaps and be able respond quicker to minimize risks. We should ensure that the IT fusion strategies implemented in larger organization are supplemented with technologies that will allow them to succeed.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...