Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/24/2013
08:25 PM
50%
50%

To Determine Threat Level, Context Matters

Computers communicating with the Amazon cloud, users logging in after hours, and the risk posed by Java; without context, evaluating threats is nearly impossible

While many security professionals are ready to toss Java--the favored target of attackers' exploitation efforts--out of the enterprise, business decision makers often fall back on classifying the software as a business necessity.

Yet, neither side generally has a good way to evaluate the threat posed by Java, because they lack data on actual use of Java in the business and how often malware incidents are caused by the software, says Michael Viscuso, CEO of Carbon Black, a business and security intelligence firm. In a presentation in early October at the ISSA International Conference, Viscuso showed attendees how one company evaluated their use of Java--72 workers needed it for online-meeting software--versus its relative threat--a handful of malware infections could be traced back to the exploitation of a Java vulnerability.

"Getting that context helps malware hunters find more malware and, at the same time, helps the decision maker know that, if I am going to disable Java across the enterprise, then I need a replacement to appease those 72 people," he says. "Now I can answer questions about the security of the business."

While intelligence on attackers can help companies understand the threat landscape, only when that information is married to a company's specific internal data does it really enable businesses to take a more active role is defending their networks. And combining different sets of business-specific data to find relationships can be build an even stronger context in which to evaluate threats, says Dmitri Alperovitch, co-founder and chief technology officer with CrowdStrike.

"All these different sources of data can help you make a better decisions about what the threat means to your business," he says.

What constitutes context? Different security experts have different definitions. Carbon Black's Viscuso breaks context down into four attributes: Visibility into events on the network, metadata from those events, the frequency the events happen and the ability to track relationships between different events. Much of the time, companies only look at events; perhaps, they combine it with frequency information and metadata; but do they look at the relationship between different events.

"With that approach, you are looking at each event individually, and that means you have to be correct about each event, whether it is something bad or something good," he says. "With relationships, it becomes much more obvious what is good, what is bad and what is a false positive or negative."

[Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize. See Creating And Maintaining A Custom Threat Profile.]

Looking at events as snapshots in time hampers companies from finding the threats in their network and evaluating the criticality of those threats, agrees CrowdStrike's Alperovitch.

"You may see anomalous activity on the inside, such as traffic going to a certain IP address or a program downloaded from the Internet, but it really means nothing without context--what adversary you are dealing with," he says.

The first stop to developing better context, however, is to know what is going on inside their own network. That visibility component is the foundation of everything that comes after, says Lance James, head of intelligence for security-services firm Vigilant, a Deloitte company.

"Make sure you get to know your network first," he says. "You should not be getting threat data if you don't know what is going on in your network."

Once a good baseline of visibility is established, the relationship between network traffic, user identity and the company's applications can help the company develop a context in which to evaluate threats, says Will Hayes, chief product officer at LucidWorks, a data-analytics firm.

"If you can quantify the identity, know the session, and you understand the applications, in a broader sense, you can do a whole lot of statistical analysis and find out a lot of interesting things; you would definitely find anomalous behavior," he says.

By building up personas, representations of the company's users and their activities, a company can quickly evaluate any new event within that context and quickly determine if the event poses a threat, Hayes says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.