Analytics // Security Monitoring
10/26/2012
11:35 PM
50%
50%

Monitoring To Detect The Persistent Enemies

Subtle attackers who are after intellectual property are hard to find. Monitoring can help, but a good analyst can help even more

The common wisdom in security circles is that companies should assume that they have already been breached.

In one recent study, academic researchers from security firm Symantec correlated antivirus and reputation data with a database linking vulnerabilities to malware and found 18 zero-day attacks over a four year period, including 11 attacks that no one had previously known had existed. In addition, attacks remained undiscovered for anywhere from 19 days to 30 months, about 10 months on average.

The research suggests that network defenders are not discovering advanced attacks--particularly those using exploits against unknown vulnerabilities--in a timely manner. While companies should assume that they have already been compromised that does not mean they should be content to allow attackers to have carte blanche within their networks, says Will Gragido, senior manager of RSA's FirstWatch Threat Research.

"It is like detection of cancer, earlier is better, because triaging works better, and the cure had a greater chance of working," he says. "If you wait and ignore those signs, the problem is only going to be more malignant."

No wonder, then, that security vendors are developing monitoring products that can better, and more quickly, pinpoint advanced persistent threats, or APT. Each of the technologies looks to make the most use of information generated by a company's internal systems, marry that with external threat data and deliver it in a way that a security analyst can decipher.

Yet, separating out hints of possible attacks from the noise is difficult at best. Suspicious events--such as devices communicating outside of normal business hours, traffic to Web sites in other countries or downloading a file from a residential IP address--may not be enough to definitively flag a possible attack, but if a system can correlate such events, then attacks can be recognized.

"A key thing to bear in mind is that there is no single indicator of compromise," says Gunter Ollmann, vice president of research for network security firm Damballa. "What is required is a lot of correlation between different events--many of which are suspicious behaviors or unexpected connections--and that correlation and the collection of these types of events will help you arrive at a conclusion that something has happened."

RSA's Netwitness combines log data, network flow information and threat intelligence to attempt to pinpoint attacks in side a network. Damballa's Failsafe uses network information to identify sophisticated attacks inside a customer's network.

[A new prototype system, called Disclosure, expands the view of botnet activity to a wider scale and detects botnet C&C traffic in real-time, inspecting billions of flows of datasets each day. See Hunting Botnets On A Bigger Scale.]

While both companies analyze network traffic and log data to recognize the signs of low-and-slow attacks, other firms--such as FireEye and Triumfant--recognize attacks by the changes they make to host systems. Keeping up with advanced threats used by persistent adversaries requires more defenses than most companies normally deploy, says John Prisco, CEO of security firm Triumfant.

Increasingly, companies are looking at not just a firewall and antivirus, but solutions that can better detect the attacks that get through, he says.

"We are seeing a new defense-in-depth strategy," Prisco says

Having more layers is a good thing, because attackers are always motivated to get a step ahead, says Mike Lloyd, chief technology officer with RedSeal Networks, a networking monitoring firm.

"The problem is that, in chasing anomalies, it is an arms race," he says. "If your system is trying to discover behavior X, the attacker will move to behavior X+1."

Perhaps the biggest weak point in all these systems, however, is that no matter what the technology, companies need a good security analyst who knows how to spot the indicators of compromise as well as the most likely groups threatening their business.

"At the end of the day, regardless of what tools you leverage, the analyst is where the rubber meets the road," says RSA's Gragido. "If the analyst doesn't understand the hallmark or the indicators of the threat actors or advanced attack patterns, then the information itself will be of little value."

The need for analysts, and the relative scarcity of good analysts, led security-intelligence firm Seculert to start offering an analysis-in-the-cloud service. The company's customers can ship their data to Seculert's Sense service, which uses correlation and intelligence generated by the service provider to find likely signs of advanced attacks.

"Each company creates huge amount of data from their current security solutions but they don't have the capability to look into this data ... and find those attacks," said Aviv Raff, chief technology officer for Seculert.

The company believe services like Sense will help its customers better understand the threats inside their networks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?