To Determine Threat Level, Context Matters
Computers communicating with the Amazon cloud, users logging in after hours, and the risk posed by Java; without context, evaluating threats is nearly impossible
While many security professionals are ready to toss Java--the favored target of attackers' exploitation efforts--out of the enterprise, business decision makers often fall back on classifying the software as a business necessity.
Yet, neither side generally has a good way to evaluate the threat posed by Java, because they lack data on actual use of Java in the business and how often malware incidents are caused by the software, says Michael Viscuso, CEO of Carbon Black, a business and security intelligence firm. In a presentation in early October at the ISSA International Conference, Viscuso showed attendees how one company evaluated their use of Java--72 workers needed it for online-meeting software--versus its relative threat--a handful of malware infections could be traced back to the exploitation of a Java vulnerability.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Simple, Effective Patch Management: From Dilemma to Done Deed
- Thwart off Application-Based Security Exploits: Protect Against Zero-Day Attacks, Malware, Advanced Persistent Threats
"Getting that context helps malware hunters find more malware and, at the same time, helps the decision maker know that, if I am going to disable Java across the enterprise, then I need a replacement to appease those 72 people," he says. "Now I can answer questions about the security of the business."
While intelligence on attackers can help companies understand the threat landscape, only when that information is married to a company's specific internal data does it really enable businesses to take a more active role is defending their networks. And combining different sets of business-specific data to find relationships can be build an even stronger context in which to evaluate threats, says Dmitri Alperovitch, co-founder and chief technology officer with CrowdStrike.
"All these different sources of data can help you make a better decisions about what the threat means to your business," he says.
What constitutes context? Different security experts have different definitions. Carbon Black's Viscuso breaks context down into four attributes: Visibility into events on the network, metadata from those events, the frequency the events happen and the ability to track relationships between different events. Much of the time, companies only look at events; perhaps, they combine it with frequency information and metadata; but do they look at the relationship between different events.
"With that approach, you are looking at each event individually, and that means you have to be correct about each event, whether it is something bad or something good," he says. "With relationships, it becomes much more obvious what is good, what is bad and what is a false positive or negative."
[Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize. See Creating And Maintaining A Custom Threat Profile.]
Looking at events as snapshots in time hampers companies from finding the threats in their network and evaluating the criticality of those threats, agrees CrowdStrike's Alperovitch.
"You may see anomalous activity on the inside, such as traffic going to a certain IP address or a program downloaded from the Internet, but it really means nothing without context--what adversary you are dealing with," he says.
The first stop to developing better context, however, is to know what is going on inside their own network. That visibility component is the foundation of everything that comes after, says Lance James, head of intelligence for security-services firm Vigilant, a Deloitte company.
"Make sure you get to know your network first," he says. "You should not be getting threat data if you don't know what is going on in your network."
Once a good baseline of visibility is established, the relationship between network traffic, user identity and the company's applications can help the company develop a context in which to evaluate threats, says Will Hayes, chief product officer at LucidWorks, a data-analytics firm.
"If you can quantify the identity, know the session, and you understand the applications, in a broader sense, you can do a whole lot of statistical analysis and find out a lot of interesting things; you would definitely find anomalous behavior," he says.
By building up personas, representations of the company's users and their activities, a company can quickly evaluate any new event within that context and quickly determine if the event poses a threat, Hayes says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.