Damage Mitigation As The New Defense
Containing the attacker in today's persistent threat environment
This is the second installment in an occasional series on security's new reality.
Any defense contractor -- and now, a few security vendors -- can tell you that even the best security technology and expertise can't stop a well-funded and determined attacker.
That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop attackers at the door to instead trying to lessen the impact of an inevitable hack. The aim is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server -- or merely stopping him from exfiltrating sensitive information.
Read the other articles in this series on security's new reality:
- Part 1: Security's New Reality: Assume The Worst
- Part 2: Damage Mitigation As The New Defense
- Part 3: Advanced Attacks Call For New Defenses
It's more about containment now, security experts say. Relying solely on perimeter defenses is now passe -- and naively dangerous. "Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago," says Dave Piscitello, senior security technologist for ICANN. "The criminal application of collected/exfiltrated data is now such an enormous problem that it's impossible to avoid."
Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies. "Security traditionally has been a preventative game, trying to prevent things from happening. What's been going on is people realizing you cannot do 100 percent prevention anymore," says Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research. "So we figured out what we're going to do is limit the damage when prevention fails."
There are certain types of attackers you cannot prevent from getting in if they are determined to do so, says Richard Bejtlich, chief security officer at Mandiant Security. "They will get into your company, but that doesn't mean you should give up," he says.
For organizations like the military that are constantly under siege by cyberattackers, this is nothing new. "Twenty years ago, we thought we could keep these guys out," Bejtlich says. But the Air Force was the first to realize that was not the case after it began instrumenting its networks with custom sensors to detect the attackers, he says. The Air Force quickly realized it wasn't so much a matter of keeping them out, but finding them as quickly as possible and extricating them, he says.
"The military changed from [a strategy] of prevention to one of hunting," Bejtlich says. "This sort of idea has not been widespread."
There are telltale signs that some of the security vendor community is accepting and adapting to this new reality. Some vendors are advancing their tools to work more closely with SIEM products, and others, like FireEye, are expanding their technology. FireEye's new File Malware Protection System (MPS) roots out and kills off malware on an organization's file shares. Then there's the newly commercialized appliance sold by CounterTack that sits inside the organization -- behind the firewall and with the server -- and spies on attacks already in progress. Neal Creighton, chief executive officer at CounterTack, says the attackers are already in there, so you need to fight them in real time by remediating and locking down your assets on the fly.
Security experts say this mindset shift in security has been coming for some time, and has only recently become palpable in the way vendors are marketing their wares and in how enterprises are starting to rethink their traditional defenses.
"The first time I really saw it as a trend was at RSA this year," says Bruce Schneier, CTO at BT Counterpane. "Maybe it's just that all of the attacks in the news are making people realize that this is what's going on. It's not a new idea -- it's just a new trend in companies and in products."
Schneier says he's a "fan" of the trend. "It's reality. It's good to accept this," he says.
Meanwhile, ICANN's Piscitello notes that while the perimeter defense-only strategy is, indeed, dead, focusing solely on minimizing damage is not the answer, either.
"The notion that our only recourse is to focus on minimizing the damage, however, troubles me. It's a concession of defeat. I think this is wrong thinking," Piscitello says. "Would we respond to oil spills by 'only' focusing on minimizing the damage? I'd rather have us adopt a more aggressive strategy where we actively seek out, identify -- and where we discover -- and contain the threat, identify the root cause, and take measures to eliminate or mitigate the threat."
One startup is focusing on the attackers behind sophisticated, targeted attacks. CrowdStrike, which went public prior to the RSA Conference, also operates under the assumption that hackers will get in, or already have. George Kurtz, former McAfee CTO and EVP, co-founded CrowdStrike -- which has not yet fully revealed its technology or offerings -- with Dmitri Alperovitch, former vice president of threat research at McAfee and now CTO of CrowdStrike.
"The possibility of the bad guys getting in is extremely high," Kurtz says. "When they are in, you have to identify them and minimize the damage ... it's not just determining that someone got in and that there's malware in the environment. It's understanding the adversary's intent; what they are focused on; what they are trying to get to; in some cases, who they are; and more thoughtful defense."
Kurtz's company will employ "big data" to help understand the tactics and methods used by the attackers, and will gather that intelligence to help the larger community. "You can convert that electronically into something that will help people protect them against" the attackers, he says.
Big data is one of the main tools security experts point to for helping support a threat/attack containment strategy.
Tim Rains, director of Microsoft Trustworthy Computing, says it's all about being prepared for an attack, and big data holds promise as a tool to face this new world of threats. "Once upon a time I was tech lead of incident response at Microsoft and did a lot of response investigations for customers. In the IR world, you think you've been compromised, you go back and look at all of the audit logs and try to figure out when and where a compromise happened, and build a timeline based on it," Rains says. "Then you can come in and figure out what happened."
Big data would accelerate the detection and offer near-real-time intelligence in an attack, he says. "Instead of artifacts, big data captures and correlates all audit events, looking for anomalies in real time. It's not just a buzzword," he says. He expects the technology to do this to become available in the next three to five years.