Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/24/2013
08:25 PM
50%
50%

To Determine Threat Level, Context Matters

Computers communicating with the Amazon cloud, users logging in after hours, and the risk posed by Java; without context, evaluating threats is nearly impossible

While many security professionals are ready to toss Java--the favored target of attackers' exploitation efforts--out of the enterprise, business decision makers often fall back on classifying the software as a business necessity.

Yet, neither side generally has a good way to evaluate the threat posed by Java, because they lack data on actual use of Java in the business and how often malware incidents are caused by the software, says Michael Viscuso, CEO of Carbon Black, a business and security intelligence firm. In a presentation in early October at the ISSA International Conference, Viscuso showed attendees how one company evaluated their use of Java--72 workers needed it for online-meeting software--versus its relative threat--a handful of malware infections could be traced back to the exploitation of a Java vulnerability.

"Getting that context helps malware hunters find more malware and, at the same time, helps the decision maker know that, if I am going to disable Java across the enterprise, then I need a replacement to appease those 72 people," he says. "Now I can answer questions about the security of the business."

While intelligence on attackers can help companies understand the threat landscape, only when that information is married to a company's specific internal data does it really enable businesses to take a more active role is defending their networks. And combining different sets of business-specific data to find relationships can be build an even stronger context in which to evaluate threats, says Dmitri Alperovitch, co-founder and chief technology officer with CrowdStrike.

"All these different sources of data can help you make a better decisions about what the threat means to your business," he says.

What constitutes context? Different security experts have different definitions. Carbon Black's Viscuso breaks context down into four attributes: Visibility into events on the network, metadata from those events, the frequency the events happen and the ability to track relationships between different events. Much of the time, companies only look at events; perhaps, they combine it with frequency information and metadata; but do they look at the relationship between different events.

"With that approach, you are looking at each event individually, and that means you have to be correct about each event, whether it is something bad or something good," he says. "With relationships, it becomes much more obvious what is good, what is bad and what is a false positive or negative."

[Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize. See Creating And Maintaining A Custom Threat Profile.]

Looking at events as snapshots in time hampers companies from finding the threats in their network and evaluating the criticality of those threats, agrees CrowdStrike's Alperovitch.

"You may see anomalous activity on the inside, such as traffic going to a certain IP address or a program downloaded from the Internet, but it really means nothing without context--what adversary you are dealing with," he says.

The first stop to developing better context, however, is to know what is going on inside their own network. That visibility component is the foundation of everything that comes after, says Lance James, head of intelligence for security-services firm Vigilant, a Deloitte company.

"Make sure you get to know your network first," he says. "You should not be getting threat data if you don't know what is going on in your network."

Once a good baseline of visibility is established, the relationship between network traffic, user identity and the company's applications can help the company develop a context in which to evaluate threats, says Will Hayes, chief product officer at LucidWorks, a data-analytics firm.

"If you can quantify the identity, know the session, and you understand the applications, in a broader sense, you can do a whole lot of statistical analysis and find out a lot of interesting things; you would definitely find anomalous behavior," he says.

By building up personas, representations of the company's users and their activities, a company can quickly evaluate any new event within that context and quickly determine if the event poses a threat, Hayes says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32716
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-U...
CVE-2021-32717
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
CVE-2021-32712
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
CVE-2021-32713
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
CVE-2021-32710
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions o...