Signs Of A Shift To Intel-Driven Defense

Organizations such as AIG move away from operations-based to intelligence-driven security strategies, emerging technologies
The first two minutes of a cyberattack are crucial -- that's when the attacker sets up camp and downloads additional malware to dig in and establish a firm foothold in the victim organization's network. But traditional malware detection technologies typically can't keep up with that tight of a deadline, nor are the network and endpoint security systems in sync to catch it that quickly.

It's no wonder many organizations don't learn they've been breached for months or even years after the fact, as was revealed in Verizon's new Data Breach Investigations Report, with close to 70 percent finding out from a third party that they've been hit. Some security vendors are taking a different tack and making the endpoint -- the typical initial target -- better capable of quickly detecting and thwarting damage, such as bot infiltrations, stolen data, or widespread malware infections, amid the new reality that attacks today are basically inevitable.

The newly announced integration between Bit9's endpoint security software with FireEye's and Palo Alto Networks' threat detection products is the latest example of a shift toward making the endpoint a key piece of the defense. Palo Alto Networks struck a similar deal with Mandiant earlier this year, and CounterTack in February rolled out what it calls a honeypot for the endpoint for catching and gleaning intelligence from attacks on client machines.

Security experts say security has been a siloed operation for too long, and any interoperation or integration among various vendors' products can help -- such as sharing information between the network and endpoint security tools. Not only that, but most large organizations have been focused on putting out fires rather than really understanding what attackers are after.

"If you have these advanced network defense tools and they don't have their own play on the endpoint, nothing can identify the target," says Scott Crawford, managing research director, security and risk management, at Enterprise Management Associates. "Why not engage what you have on the endpoint?"

Bit9's new Connector tool for FireEye and Palo Alto was the result of pressure from large customers who have products from all three vendors and were looking for better integration among the tools and better intelligence on attack attempts against them.

Brian Hazzard, vice president of product management for Bit9, says the new Bit9 Connector for FireEye and for Palo Alto Networks lets Bit9 identify the machines infected with the malware that the FireEye and Palo Alto tools find. "The vision was to combine network security with endpoint defense to help our common customers combat these [threats]," Hazzard says.

[Most organizations today aren't investing in the same kind of visibility and control over their endpoint devices as they spend on network-based controls. See Gathering More Security Data From Your Endpoints.]

Attackers increasingly have benefited from, and ultimately capitalized on, the way endpoint and network security have traditionally operated separately. "The reality is that we have gotten to the point where both network-based defense and endpoint defense need to evolve together. One without the other creates a gap where things can sneak through," says Wade Williamson, senior security analyst with Palo Alto Networks. "If you have perfect visibility into the network, you still need to correlate with what is going on at the endpoint."

Palo Alto and Mandiant in February announced that Mandiant's new appliance-based Security Operations product and endpoint agents would be integrated with Palo Alto Networks' next-generation firewalls and WildFire malware prevention service. "We'll be picking up the indicators of compromise, such as what changes are in the registry, and what files are created," Williamson says of the deal with Mandiant.

AIG Traps Attackers
Meanwhile, large enterprises are gradually shifting gears from operational security mode to intelligence-based security. Take insurance giant AIG, which is running a small but soon-to-be-expanded deployment of CounterTack Scout endpoint honeypots in its U.S. data centers. Paul de Graaff, the former global CISO for AIG, says a year-and-a-half ago, the concept of an intelligence model for security was "a foreign concept" and intelligence was all about SIEM.

AIG was looking for better visibility into threats and wanted to employ a more intelligent security architecture. "We came out of the financial crisis, and the security side, we started centralizing and visualizing a lot of the IT infrastructure, and it became apparent there were things happening to AIG and we didn't have as much visibility as we wanted," de Graaff says. "It was not so much targeted stuff -- we saw a lot of generic [threats]," he says.

"We were very operations-focused, so we moved more toward an intelligence-focused [approach]," he says. "Having to convince the IT organization we needed to deal with this more ... was a big sell. On the business side, to actually have honeypots sitting in our environment attracting [attackers] was a big thing. We're interested in what they are after -- source code or claims system," for example, he says.

AIG now can analyze a malware sample that hits the endpoint and discern what the attackers are after, de Graaff says. "We make that decision very quickly. We try to fence them in so they can't exfiltrate," he says.

The key selling point is that that kind of intel helps the company better plan its technology investments based on risk, he says. So far, the main threats AIG has found with the CounterTack endpoint honeypot is attackers searching for customer information, he says. But like many other big companies, AIG eventually will be the target of cyberspies as well, he says.

"You can't stop attackers from getting in. Once they do get in, there are so many things they can do," says Neal Creighton, CEO at CounterTack. "The attacker does all of the initial beachhead work in the first 120 seconds," so stopping them within that time frame is ideal for mitigating the damage and preventing theft of data, he says.

CounterTack's approach is different from Bit9's in that it is more about studying the attacker's moves and analyzing it than blocking malware or other badness. "It's like having a camera over the attacker's shoulder," Creighton says. "We're not doing a lot of blocking ... we're taking data and shifting it to analysis. It's designed to watch the attacker."

Bit9's Connector analyzes the malware and also blocks it. In the case of its integration with Palo Alto Networks, for instance, Bit9 grabs any malware from an endpoint or server for Palo Alto to analyze and, if necessary, block.

"When FireEye or Palo Alto catch malware on the network, they generate alerts," Bit9's Hazzard says. "We'll automatically enforce policy ... and drive detonation based on what we see on the endpoint."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.