Monitoring To Detect The Persistent Enemies

The common wisdom in security circles is that companies should assume that they have already been breached.

In one recent study, academic researchers from security firm Symantec correlated antivirus and reputation data with a database linking vulnerabilities to malware and found 18 zero-day attacks over a four year period, including 11 attacks that no one had previously known had existed. In addition, attacks remained undiscovered for anywhere from 19 days to 30 months, about 10 months on average.

The research suggests that network defenders are not discovering advanced attacks--particularly those using exploits against unknown vulnerabilities--in a timely manner. While companies should assume that they have already been compromised that does not mean they should be content to allow attackers to have carte blanche within their networks, says Will Gragido, senior manager of RSA's FirstWatch Threat Research.

"It is like detection of cancer, earlier is better, because triaging works better, and the cure had a greater chance of working," he says. "If you wait and ignore those signs, the problem is only going to be more malignant."

No wonder, then, that security vendors are developing monitoring products that can better, and more quickly, pinpoint advanced persistent threats, or APT. Each of the technologies looks to make the most use of information generated by a company's internal systems, marry that with external threat data and deliver it in a way that a security analyst can decipher.

Yet, separating out hints of possible attacks from the noise is difficult at best. Suspicious events--such as devices communicating outside of normal business hours, traffic to Web sites in other countries or downloading a file from a residential IP address--may not be enough to definitively flag a possible attack, but if a system can correlate such events, then attacks can be recognized.

"A key thing to bear in mind is that there is no single indicator of compromise," says Gunter Ollmann, vice president of research for network security firm Damballa. "What is required is a lot of correlation between different events--many of which are suspicious behaviors or unexpected connections--and that correlation and the collection of these types of events will help you arrive at a conclusion that something has happened."

RSA's Netwitness combines log data, network flow information and threat intelligence to attempt to pinpoint attacks in side a network. Damballa's Failsafe uses network information to identify sophisticated attacks inside a customer's network.

[A new prototype system, called Disclosure, expands the view of botnet activity to a wider scale and detects botnet C&C traffic in real-time, inspecting billions of flows of datasets each day. See Hunting Botnets On A Bigger Scale.]

While both companies analyze network traffic and log data to recognize the signs of low-and-slow attacks, other firms--such as FireEye and Triumfant--recognize attacks by the changes they make to host systems. Keeping up with advanced threats used by persistent adversaries requires more defenses than most companies normally deploy, says John Prisco, CEO of security firm Triumfant.

Increasingly, companies are looking at not just a firewall and antivirus, but solutions that can better detect the attacks that get through, he says.

"We are seeing a new defense-in-depth strategy," Prisco says

Having more layers is a good thing, because attackers are always motivated to get a step ahead, says Mike Lloyd, chief technology officer with RedSeal Networks, a networking monitoring firm.

"The problem is that, in chasing anomalies, it is an arms race," he says. "If your system is trying to discover behavior X, the attacker will move to behavior X+1."

Perhaps the biggest weak point in all these systems, however, is that no matter what the technology, companies need a good security analyst who knows how to spot the indicators of compromise as well as the most likely groups threatening their business.

"At the end of the day, regardless of what tools you leverage, the analyst is where the rubber meets the road," says RSA's Gragido. "If the analyst doesn't understand the hallmark or the indicators of the threat actors or advanced attack patterns, then the information itself will be of little value."

The need for analysts, and the relative scarcity of good analysts, led security-intelligence firm Seculert to start offering an analysis-in-the-cloud service. The company's customers can ship their data to Seculert's Sense service, which uses correlation and intelligence generated by the service provider to find likely signs of advanced attacks.

"Each company creates huge amount of data from their current security solutions but they don't have the capability to look into this data ... and find those attacks," said Aviv Raff, chief technology officer for Seculert.

The company believe services like Sense will help its customers better understand the threats inside their networks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.