Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/24/2013
08:25 PM
50%
50%

To Determine Threat Level, Context Matters

Computers communicating with the Amazon cloud, users logging in after hours, and the risk posed by Java; without context, evaluating threats is nearly impossible

While many security professionals are ready to toss Java--the favored target of attackers' exploitation efforts--out of the enterprise, business decision makers often fall back on classifying the software as a business necessity.

Yet, neither side generally has a good way to evaluate the threat posed by Java, because they lack data on actual use of Java in the business and how often malware incidents are caused by the software, says Michael Viscuso, CEO of Carbon Black, a business and security intelligence firm. In a presentation in early October at the ISSA International Conference, Viscuso showed attendees how one company evaluated their use of Java--72 workers needed it for online-meeting software--versus its relative threat--a handful of malware infections could be traced back to the exploitation of a Java vulnerability.

"Getting that context helps malware hunters find more malware and, at the same time, helps the decision maker know that, if I am going to disable Java across the enterprise, then I need a replacement to appease those 72 people," he says. "Now I can answer questions about the security of the business."

While intelligence on attackers can help companies understand the threat landscape, only when that information is married to a company's specific internal data does it really enable businesses to take a more active role is defending their networks. And combining different sets of business-specific data to find relationships can be build an even stronger context in which to evaluate threats, says Dmitri Alperovitch, co-founder and chief technology officer with CrowdStrike.

"All these different sources of data can help you make a better decisions about what the threat means to your business," he says.

What constitutes context? Different security experts have different definitions. Carbon Black's Viscuso breaks context down into four attributes: Visibility into events on the network, metadata from those events, the frequency the events happen and the ability to track relationships between different events. Much of the time, companies only look at events; perhaps, they combine it with frequency information and metadata; but do they look at the relationship between different events.

"With that approach, you are looking at each event individually, and that means you have to be correct about each event, whether it is something bad or something good," he says. "With relationships, it becomes much more obvious what is good, what is bad and what is a false positive or negative."

[Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize. See Creating And Maintaining A Custom Threat Profile.]

Looking at events as snapshots in time hampers companies from finding the threats in their network and evaluating the criticality of those threats, agrees CrowdStrike's Alperovitch.

"You may see anomalous activity on the inside, such as traffic going to a certain IP address or a program downloaded from the Internet, but it really means nothing without context--what adversary you are dealing with," he says.

The first stop to developing better context, however, is to know what is going on inside their own network. That visibility component is the foundation of everything that comes after, says Lance James, head of intelligence for security-services firm Vigilant, a Deloitte company.

"Make sure you get to know your network first," he says. "You should not be getting threat data if you don't know what is going on in your network."

Once a good baseline of visibility is established, the relationship between network traffic, user identity and the company's applications can help the company develop a context in which to evaluate threats, says Will Hayes, chief product officer at LucidWorks, a data-analytics firm.

"If you can quantify the identity, know the session, and you understand the applications, in a broader sense, you can do a whole lot of statistical analysis and find out a lot of interesting things; you would definitely find anomalous behavior," he says.

By building up personas, representations of the company's users and their activities, a company can quickly evaluate any new event within that context and quickly determine if the event poses a threat, Hayes says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.