Analytics // Security Monitoring
10/26/2012
11:35 PM
50%
50%

Monitoring To Detect The Persistent Enemies

Subtle attackers who are after intellectual property are hard to find. Monitoring can help, but a good analyst can help even more

The common wisdom in security circles is that companies should assume that they have already been breached.

In one recent study, academic researchers from security firm Symantec correlated antivirus and reputation data with a database linking vulnerabilities to malware and found 18 zero-day attacks over a four year period, including 11 attacks that no one had previously known had existed. In addition, attacks remained undiscovered for anywhere from 19 days to 30 months, about 10 months on average.

The research suggests that network defenders are not discovering advanced attacks--particularly those using exploits against unknown vulnerabilities--in a timely manner. While companies should assume that they have already been compromised that does not mean they should be content to allow attackers to have carte blanche within their networks, says Will Gragido, senior manager of RSA's FirstWatch Threat Research.

"It is like detection of cancer, earlier is better, because triaging works better, and the cure had a greater chance of working," he says. "If you wait and ignore those signs, the problem is only going to be more malignant."

No wonder, then, that security vendors are developing monitoring products that can better, and more quickly, pinpoint advanced persistent threats, or APT. Each of the technologies looks to make the most use of information generated by a company's internal systems, marry that with external threat data and deliver it in a way that a security analyst can decipher.

Yet, separating out hints of possible attacks from the noise is difficult at best. Suspicious events--such as devices communicating outside of normal business hours, traffic to Web sites in other countries or downloading a file from a residential IP address--may not be enough to definitively flag a possible attack, but if a system can correlate such events, then attacks can be recognized.

"A key thing to bear in mind is that there is no single indicator of compromise," says Gunter Ollmann, vice president of research for network security firm Damballa. "What is required is a lot of correlation between different events--many of which are suspicious behaviors or unexpected connections--and that correlation and the collection of these types of events will help you arrive at a conclusion that something has happened."

RSA's Netwitness combines log data, network flow information and threat intelligence to attempt to pinpoint attacks in side a network. Damballa's Failsafe uses network information to identify sophisticated attacks inside a customer's network.

[A new prototype system, called Disclosure, expands the view of botnet activity to a wider scale and detects botnet C&C traffic in real-time, inspecting billions of flows of datasets each day. See Hunting Botnets On A Bigger Scale.]

While both companies analyze network traffic and log data to recognize the signs of low-and-slow attacks, other firms--such as FireEye and Triumfant--recognize attacks by the changes they make to host systems. Keeping up with advanced threats used by persistent adversaries requires more defenses than most companies normally deploy, says John Prisco, CEO of security firm Triumfant.

Increasingly, companies are looking at not just a firewall and antivirus, but solutions that can better detect the attacks that get through, he says.

"We are seeing a new defense-in-depth strategy," Prisco says

Having more layers is a good thing, because attackers are always motivated to get a step ahead, says Mike Lloyd, chief technology officer with RedSeal Networks, a networking monitoring firm.

"The problem is that, in chasing anomalies, it is an arms race," he says. "If your system is trying to discover behavior X, the attacker will move to behavior X+1."

Perhaps the biggest weak point in all these systems, however, is that no matter what the technology, companies need a good security analyst who knows how to spot the indicators of compromise as well as the most likely groups threatening their business.

"At the end of the day, regardless of what tools you leverage, the analyst is where the rubber meets the road," says RSA's Gragido. "If the analyst doesn't understand the hallmark or the indicators of the threat actors or advanced attack patterns, then the information itself will be of little value."

The need for analysts, and the relative scarcity of good analysts, led security-intelligence firm Seculert to start offering an analysis-in-the-cloud service. The company's customers can ship their data to Seculert's Sense service, which uses correlation and intelligence generated by the service provider to find likely signs of advanced attacks.

"Each company creates huge amount of data from their current security solutions but they don't have the capability to look into this data ... and find those attacks," said Aviv Raff, chief technology officer for Seculert.

The company believe services like Sense will help its customers better understand the threats inside their networks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!