Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

12/27/2019
09:00 AM
50%
50%

Defensive Wish List for 2020: Faster Responses to Threats

Security professionals recommend technology to detect attacks that have already infiltrated a network.

As students head home for the holidays, Dan Basile knows they are taking their devices with them, and that worries him. 

The executive director of the security operations center at Texas A&M University System, Basile is responsible for keeping students' systems safe and universities' networks secure. It's not an easy job. "My workload skyrockets as the beginning of the semester, because all the students went home, got infected with everything known to man, and then brought it back onto my network," he says. 

For that reason, Basile's wish list is focused on detecting threats already inside the networks — a strategy that he highly recommends for businesses, even if they think they are managing every device connecting to their local networks. Detecting threats between machines inside the network — so-called "East-West" traffic — is crucial to being able to respond to threats quickly, he says.

"Having that East-West visibility is golden because the malware is already in the environment," he says.

As security professionals look to 2020, they have different threat profiles, so also different outlooks on what technologies they want. However, the common theme as the New Year approaches is the ability to react to threats quickly.

The plethora of systems that security analysts have to use is one factor that hampers response, says Richard Rushing, chief information security officer for Motorola Mobility. Security operations centers are currently laboring under the lack of integration between systems, and he sees as a top priority platforms that bring together all the disparate technologies back to a single workstation.

"We should be able to leverage the various APIs to pull all this content together, allowing the data to stay where it needs to stay — no one should need to be doing a massive data lake," he says. 

Here are some other technologies that made security professionals' wish lists:

The triad for faster response

While TAMUS's Basile aims to stop attacks before they infect the network, as the security director in charge of university networks he understands that it is not always possible. Students and professors want freedom to explore — and with that freedom comes risk.

So Basile is mainly focused on implementing two defensive technologies. Traffic inspection systems such as network traffic-analysis and application firewalls allow companies to detect when attacks are coming from systems inside the network perimeter. Endpoint detection and response (EDR) software allows him to quickly see attacks in progress and take steps to blunt any compromise. 

Because Texas A&M is helping Texas stand up an analysis and response center for the state, both types of technology are on Basile's required list for new municipal and county government offices whose security the center will be overseeing.

"As we are bringing on more counties and cities across Texas, we are requiring an EDR or EPP [endpoint protection platform] for every site," he says. "It gives me a better picture and it lets us respond in real-time to incidents."

Get the "R" right

Companies need to go beyond endpoint detection and response, says Motorola's Rushing. The problem is that the actual "R" in EDR and SOAR (security orchestration, automation and response) platforms today is very basic.

"You need to get to the actual R working," he says. "Generating an e-mail to open up a ticket is not accomplishing what I want it to do. You need to get a better response capability."

As more automation is being used by defenders, Rushing sees security teams moving away from simple playbooks and moving toward automated, yet managed, responses. While the actual logic is basic — "if this, then that," would be enough, he says — getting the automated response technology working would be a boon.

Defending against attacker automation

Yet defenders are not the only ones using automation. Attackers are adding automation and machine-learning techniques to their toolboxes, so companies will need to find ways to stymy their operations. 

Bots are one example of a threat that combines the two techniques and which are becoming a staple of attackers — from credential stuffing to advertising fraud, bots help attackers automate their operations. For that reason, bot management services will become a must-have for any company that has Web-facing applications or services, says Sandy Carielli, a principal researcher with business-intelligence firm Forrester Research. 

"Anyone that has a good deal of customer interaction — a static website,  any sort of online store, or if you are relying on advertising traffic — most of the sites on the Internet these days — will need bot management," she says. 

For companies that are paying for traffic — such as advertising or affiliate services — bot-detection products can remove non-human interactions from the mix, saving them money. Customers that use these services will put pressure on their suppliers, and as incentives change, organizations will pay closer attention to metrics of humanness, Carielli says.

"The interesting thing about bot management is the range of stakeholders," she says. "Bots attack e-commerce sites. They are doing ad fraud and credential stuffing."

Related Content

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Disarming Disinformation"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:41:55 AM
Re: Detecting
Very much agree here. In many cases as businesses, we are hesitant to enact automated response because we are afraid it may block business practice. Which is a valid concern but if testing was more rigorously performed the chance of this becomes nominal.

This is why you will see that IDS is more heavily used when IPS could just as easily be enabled.

I may sound like preaching, but rigorous preliminary testing is the key to automated response. Automated response is the key to being ahead of the adversary.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:38:33 AM
Re: Getting R
Very much the next step above "Next Gen AV". I think theoretically this was the original goal when NGAV was announced but in never hit the expectation of an EDR.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:35:51 AM
Re: Response
Creating a ticket is more of a compliance and security best practice, but in application is not paramount in terms of response. 

It is helpful for logging and back tracking but as for in the moment triage and action I concur, not overly significant. 

That being said, I will always advocate for the creation of a ticket because it is a source of useful information.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:32:53 AM
Re: Bots
Yes, but I would say bots with correlation or an AI element are a more helpful. This allows for decisions to be made with a greater degree of scrutiny and expediency than what a person could produce.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/30/2019 | 12:30:46 AM
Re: Good and bad
Very true. They are like anything really. Regardless of how intelligent they may be, its really more an analysis of the human element that results in how they are used. 

Fire can be used to heat homes or cook food, it can also be used to destroy.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 5:33:57 PM
Good and bad
Bots attack e-commerce sites. They are doing ad fraud and credential stuffing Bots are just a technology, they can be used for good or bad. It is up to us how to utilize them.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 5:32:09 PM
Bots
For companies that are paying for traffic such as advertising or affiliate services bot-detection products can remove non-human interactions from the mix, Another good point. Bots can really help where we do not have enough resources. Bots do not need to sleep so they will be very useful in cybersecurity.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 5:29:54 PM
Response
Generating an e-mail to open up a ticket is not accomplishing what I want it to do. You need to get a better response capability. This is really important. Response can not be about creating a ticket. What will we do so it does not happen again.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 5:28:12 PM
Getting R
Endpoint detection and response (EDR) software allows him to quickly see attacks in progress and take steps to blunt any compromise. I agree. Once detected what we do after that is critical al and defined the success of it. Response.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/29/2019 | 5:26:22 PM
Detecting
Detecting threats between machines inside the network Detecting is critical, more is needed on the defending part of it.
Page 1 / 2   >   >>
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.