Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/24/2013
08:25 PM
50%
50%

To Determine Threat Level, Context Matters

Computers communicating with the Amazon cloud, users logging in after hours, and the risk posed by Java; without context, evaluating threats is nearly impossible

While many security professionals are ready to toss Java--the favored target of attackers' exploitation efforts--out of the enterprise, business decision makers often fall back on classifying the software as a business necessity.

Yet, neither side generally has a good way to evaluate the threat posed by Java, because they lack data on actual use of Java in the business and how often malware incidents are caused by the software, says Michael Viscuso, CEO of Carbon Black, a business and security intelligence firm. In a presentation in early October at the ISSA International Conference, Viscuso showed attendees how one company evaluated their use of Java--72 workers needed it for online-meeting software--versus its relative threat--a handful of malware infections could be traced back to the exploitation of a Java vulnerability.

"Getting that context helps malware hunters find more malware and, at the same time, helps the decision maker know that, if I am going to disable Java across the enterprise, then I need a replacement to appease those 72 people," he says. "Now I can answer questions about the security of the business."

While intelligence on attackers can help companies understand the threat landscape, only when that information is married to a company's specific internal data does it really enable businesses to take a more active role is defending their networks. And combining different sets of business-specific data to find relationships can be build an even stronger context in which to evaluate threats, says Dmitri Alperovitch, co-founder and chief technology officer with CrowdStrike.

"All these different sources of data can help you make a better decisions about what the threat means to your business," he says.

What constitutes context? Different security experts have different definitions. Carbon Black's Viscuso breaks context down into four attributes: Visibility into events on the network, metadata from those events, the frequency the events happen and the ability to track relationships between different events. Much of the time, companies only look at events; perhaps, they combine it with frequency information and metadata; but do they look at the relationship between different events.

"With that approach, you are looking at each event individually, and that means you have to be correct about each event, whether it is something bad or something good," he says. "With relationships, it becomes much more obvious what is good, what is bad and what is a false positive or negative."

[Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize. See Creating And Maintaining A Custom Threat Profile.]

Looking at events as snapshots in time hampers companies from finding the threats in their network and evaluating the criticality of those threats, agrees CrowdStrike's Alperovitch.

"You may see anomalous activity on the inside, such as traffic going to a certain IP address or a program downloaded from the Internet, but it really means nothing without context--what adversary you are dealing with," he says.

The first stop to developing better context, however, is to know what is going on inside their own network. That visibility component is the foundation of everything that comes after, says Lance James, head of intelligence for security-services firm Vigilant, a Deloitte company.

"Make sure you get to know your network first," he says. "You should not be getting threat data if you don't know what is going on in your network."

Once a good baseline of visibility is established, the relationship between network traffic, user identity and the company's applications can help the company develop a context in which to evaluate threats, says Will Hayes, chief product officer at LucidWorks, a data-analytics firm.

"If you can quantify the identity, know the session, and you understand the applications, in a broader sense, you can do a whole lot of statistical analysis and find out a lot of interesting things; you would definitely find anomalous behavior," he says.

By building up personas, representations of the company's users and their activities, a company can quickly evaluate any new event within that context and quickly determine if the event poses a threat, Hayes says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).
CVE-2021-32244
PUBLISHED: 2021-06-16
Cross Site Scripting (XSS) in Moodle 3.10.3 allows remote attackers to execute arbitrary web script or HTML via the "Description" field.
CVE-2021-32245
PUBLISHED: 2021-06-16
In PageKit v1.0.18, a user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" t...
CVE-2021-34201
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Buffer Overflow. There are multiple out-of-bounds vulnerabilities in some processes of D-Link AC2600(DIR-2640). Local ordinary users can overwrite the global variables in the .bss section, causing the process crashes or changes.
CVE-2021-34203
PUBLISHED: 2021-06-16
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password and port. An attacker can easily use telnet to log in, modify ...