The Wonder Years: Network Security Needs to Grow Up

Threats, Security Operations, and Scale

It’s no secret that the sophistication of IT threats has increased dramatically over the past several years. This change has caused the entire ecosystem of information security to evolve and adapt in order to keep pace. Security vendors continue to develop new types of visibility and techniques to reveal advanced threats. Coordination across security disciplines and products has become critical to recognize complex, multi-faceted attacks. But probably the most fundamental change (and likely the most unsustainable) is the reliance on human investigation and manual incident response when an enterprise is faced with an advanced threat.

One of the most consistently neglected costs of any security product is not the price or maintenance, but the time and talent required from security staff in order to get the real value out of it. The scarcity of manpower and talent almost always overshadows the scarcity of security budget, and it is the weak spot where advanced threats put the most strain. Almost by definition, advanced threats simply can’t be effectively addressed using a “set it and forget it” approach to security. But worse still, the vast majority of security products focused on advanced threats stop at detecting a threat, which in turn kicks off an incident response phase. Modern IT incident response requires a set of highly technical skills that is both broad and deep. Advanced traffic analysis, memory forensics and reverse engineering of malware are highly technical disciplines in their own right, and an enterprise would be lucky to have just one of these experts on staff, much less all three (in reality, more would be needed).

The fundamental problem here is that advanced threats, while “advanced”, are not sufficiently rare. As someone who gets to see a lot of enterprise networks, I can’t recall the last time we completed a full-stack analysis of all traffic and a behavioral analysis of unknown files on the network when we didn’t find both malware that was avoiding traditional controls as well as custom command and control traffic that was doing the same. Simply put, if you look for advanced threats, the odds are very high that you are going to find what you’re looking for. This has led to two very common IT responses, neither of which I find to be particularly tenable. Either security decides to go full-on ostrich with their heads in the sand, refusing to look for threats, or they decide to fight the good fight and climb on the incident response treadmill, where they are almost predetermined to fall short.

Admittedly, this all sounds pretty depressing. The good news is that I don’t think things will stay this way. The issue is that these new approaches to security are in a stage of adolescence. And technical adolescence, like the real thing, is often painful, confusing, and marked by a lack of coordination (sorry for over-sharing). But also like real adolescence, I think we will grow through this phase. To do so, we need to grow to a place where incident response is reserved for the truly exceptional threats, not those that simply slide through outdated security models invented a generation ago.

To make this a reality, two major things need to happen. First, we need to do a better job of stemming the flow of advanced threats upstream.

This can be done in a variety of ways today, and we will surely develop others as we move forward.

For example, better and faster sharing of threat intelligence and signatures can enable a shared level of protection where new threats encountered by one organization can benefit the others. Obviously, we need to be looking beyond just the signatures of the threats to understand how we can substantively reduce our attack surface. As an example, knowing that many drive-by downloads will redirect a victim browser session to a new, custom URL, which is used to deliver a malware payload, we have seen customers develop simple policies to never accept files from unknown or untrusted domains. Customers who have used this simple common-sense approach have seen the number of polymorphic malware events drop to less than one fifth of previously observed levels. This is a simple example, but it shows how, through a bit of creative thinking and coordinated use of security, we can drastically reduce the number of threats that need investigation.
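The “never accept files from unknown or untrusted domains” policy described above, written out as an added example (not code from the article or any vendor): a label-aware allowlist check run over a few constructed proxy log lines. The domain list, log format and file-type set are assumptions for the example.

```python
"""Allowlist policy for file downloads: accept files only from known, trusted domains.

Added example illustrating the policy described above; it is not code from the
article. Domain lists and proxy log lines are constructed for the example.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: domains the organisation has vetted for file delivery.
TRUSTED_DOMAINS = {"updates.example.com", "cdn.example.net", "example.org"}

# Constructed proxy log lines: "<client_ip> <url> <content_type> <bytes>"
PROXY_LOG = """\
10.0.0.5 https://updates.example.com/agent-4.2.msi application/x-msi 8812344
10.0.0.7 http://cdn.example.net/lib.js application/javascript 51234
10.0.0.9 https://rand0m-k3y.payload-host.test/inv.exe application/octet-stream 204800
10.0.0.9 http://198.51.100.23/dl.php application/octet-stream 102400
10.0.0.11 https://docs.example.org/report.pdf application/pdf 40000
10.0.0.12 https://example.org.evil.test/x.zip application/zip 1024
"""

# Content types the policy treats as file transfers (assumed set for the example).
FILE_TYPES = {"application/octet-stream", "application/x-msi", "application/zip",
              "application/pdf", "application/x-msdownload"}

def registered_host(url):
    """Extract the normalised hostname from a URL."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")

def is_trusted(host):
    """True if host equals an allowlisted domain or is a subdomain of one.
    The match is label-aware, so 'example.org.evil.test' does not match 'example.org'."""
    try:
        ipaddress.ip_address(host)
        return False  # bare IP literals are never trusted under this policy
    except ValueError:
        pass
    labels = host.split(".")
    return any(".".join(labels[i:]) in TRUSTED_DOMAINS for i in range(len(labels)))

def evaluate(log_text):
    """Return (allowed, blocked) lists of (client_ip, host) for file downloads only."""
    allowed, blocked = [], []
    for line in log_text.splitlines():
        client, url, ctype, _size = line.split()
        if ctype not in FILE_TYPES:
            continue  # ordinary page content is outside the policy's scope
        host = registered_host(url)
        (allowed if is_trusted(host) else blocked).append((client, host))
    return allowed, blocked
```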

The second major pillar that we need is a better, more automated approach to investigating threat events. The goal is to avoid the need for deep-dive technical analysis by providing automated correlation and mitigation that requires minimal-to-no human intervention. A key area where this is already being done is the coordinated integration of network and end-point security. Advanced threats exist both in the network and on the end-point, and contextual real-time information that spans both ends of security can make many of the very manual and time-intensive investigations much simpler and automated. These integrations of next-generation network and end-point security are already showing up in the market, and are allowing security teams to quickly determine if a newly detected threat was successful, what the scope of the attack was, and what user devices need to be disinfected. Again, we are touching the surface of what is possible here, but it is this type of thinking that will lead us back to a place where security is more sustainable.
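The network/end-point correlation described above, as an added example (not code from the article or any product): a network sensor's file alerts are joined with end-point agent events on the same host and hash inside a time window to answer the three questions automatically. All events, hostnames, the IP-to-host inventory and the placeholder hashes are constructed for the example.

```python
"""Correlate network-side detections with end-point telemetry to decide whether
a threat succeeded, how far it spread, and which devices need cleanup.
Added example, not the article's code; all events, hashes and hostnames are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network alerts: the sensor saw a malicious file delivered to client_ip.
# The sha256 values are placeholders, not real indicators.
NETWORK_ALERTS = [
    {"time": "2023-02-01T09:00:05", "client_ip": "10.0.0.9",  "sha256": "aa11" * 16},
    {"time": "2023-02-01T09:02:10", "client_ip": "10.0.0.12", "sha256": "aa11" * 16},
    {"time": "2023-02-01T09:05:00", "client_ip": "10.0.0.5",  "sha256": "bb22" * 16},
]

# Constructed end-point side: an IP-to-hostname inventory and agent events per file hash.
HOST_BY_IP = {"10.0.0.9": "WS-FIN-03", "10.0.0.12": "WS-HR-07", "10.0.0.5": "WS-IT-01"}
ENDPOINT_EVENTS = [
    {"time": "2023-02-01T09:00:07", "host": "WS-FIN-03", "sha256": "aa11" * 16, "event": "file_written"},
    {"time": "2023-02-01T09:00:09", "host": "WS-FIN-03", "sha256": "aa11" * 16, "event": "process_started"},
    {"time": "2023-02-01T09:02:12", "host": "WS-HR-07",  "sha256": "aa11" * 16, "event": "file_written"},
    {"time": "2023-02-01T09:02:13", "host": "WS-HR-07",  "sha256": "aa11" * 16, "event": "quarantined"},
]

WINDOW = timedelta(minutes=5)  # how long after the network alert agent evidence still counts

def _t(s):
    return datetime.fromisoformat(s)

def triage(alerts, events, host_by_ip, window=WINDOW):
    """Return ({hostname: verdict}, hosts_needing_cleanup). Verdicts are
    'executed', 'quarantined', 'landed' or 'not_observed'."""
    by_host_hash = defaultdict(list)
    for e in events:
        by_host_hash[(e["host"], e["sha256"])].append(e)
    verdicts = {}
    for a in alerts:
        host = host_by_ip.get(a["client_ip"], a["client_ip"])
        related = [e for e in by_host_hash[(host, a["sha256"])]
                   if timedelta(0) <= _t(e["time"]) - _t(a["time"]) <= window]
        kinds = {e["event"] for e in related}
        if "process_started" in kinds:
            verdict = "executed"      # threat succeeded: payload ran on the host
        elif "quarantined" in kinds:
            verdict = "quarantined"   # agent stopped it; no manual cleanup needed
        elif "file_written" in kinds:
            verdict = "landed"        # on disk but not run: remove before it is
        else:
            verdict = "not_observed"  # no agent corroboration: check sensor coverage
        verdicts[host] = verdict
    needs_cleanup = {h for h, v in verdicts.items() if v in ("executed", "landed")}
    return verdicts, needs_cleanup
```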

What I’m proposing here certainly won’t happen overnight. The sharing of advanced threat data and security best practices will need some sort of industry organization to collect, evaluate and distribute this information. Many organizations may be reluctant to share what they find about advanced threats on their networks for a variety of reasons. Some may see knowing how to combat an advanced threat as a competitive advantage, while others may see sharing the information as drawing unwanted attention to their network’s vulnerabilities. As for the automation of threat investigation, that will require companies to invest in R&D and product development. But like the awkwardness of adolescence I described above, I’m confident that the security industry will be able to look back on these challenges when it’s a little older and wiser and realize they were necessary because they helped us grow and mature.
