Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM

Defensive Wish List for 2020: Faster Responses to Threats

Security professionals recommend technology to detect attacks that have already infiltrated a network.

As students head home for the holidays, Dan Basile knows they are taking their devices with them, and that worries him. 

The executive director of the security operations center at Texas A&M University System, Basile is responsible for keeping students' systems safe and universities' networks secure. It's not an easy job. "My workload skyrockets as the beginning of the semester, because all the students went home, got infected with everything known to man, and then brought it back onto my network," he says. 

For that reason, Basile's wish list is focused on detecting threats already inside the networks — a strategy that he highly recommends for businesses, even if they think they are managing every device connecting to their local networks. Detecting threats between machines inside the network — so-called "East-West" traffic — is crucial to being able to respond to threats quickly, he says.

"Having that East-West visibility is golden because the malware is already in the environment," he says.

As security professionals look to 2020, they have different threat profiles, so also different outlooks on what technologies they want. However, the common theme as the New Year approaches is the ability to react to threats quickly.

The plethora of systems that security analysts have to use is one factor that hampers response, says Richard Rushing, chief information security officer for Motorola Mobility. Security operations centers are currently laboring under the lack of integration between systems, and he sees as a top priority platforms that bring together all the disparate technologies back to a single workstation.

"We should be able to leverage the various APIs to pull all this content together, allowing the data to stay where it needs to stay — no one should need to be doing a massive data lake," he says. 

Here are some other technologies that made security professionals' wish lists:

The triad for faster response

While TAMUS's Basile aims to stop attacks before they infect the network, as the security director in charge of university networks he understands that it is not always possible. Students and professors want freedom to explore — and with that freedom comes risk.

So Basile is mainly focused on implementing two defensive technologies. Traffic inspection systems such as network traffic-analysis and application firewalls allow companies to detect when attacks are coming from systems inside the network perimeter. Endpoint detection and response (EDR) software allows him to quickly see attacks in progress and take steps to blunt any compromise. 

Because Texas A&M is helping Texas stand up an analysis and response center for the state, both types of technology are on Basile's required list for new municipal and county government offices whose security the center will be overseeing.

"As we are bringing on more counties and cities across Texas, we are requiring an EDR or EPP [endpoint protection platform] for every site," he says. "It gives me a better picture and it lets us respond in real-time to incidents."

Get the "R" right

Companies need to go beyond endpoint detection and response, says Motorola's Rushing. The problem is that the actual "R" in EDR and SOAR (security orchestration, automation and response) platforms today is very basic.

"You need to get to the actual R working," he says. "Generating an e-mail to open up a ticket is not accomplishing what I want it to do. You need to get a better response capability."

As more automation is being used by defenders, Rushing sees security teams moving away from simple playbooks and moving toward automated, yet managed, responses. While the actual logic is basic — "if this, then that," would be enough, he says — getting the automated response technology working would be a boon.

Defending against attacker automation

Yet defenders are not the only ones using automation. Attackers are adding automation and machine-learning techniques to their toolboxes, so companies will need to find ways to stymy their operations. 

Bots are one example of a threat that combines the two techniques and which are becoming a staple of attackers — from credential stuffing to advertising fraud, bots help attackers automate their operations. For that reason, bot management services will become a must-have for any company that has Web-facing applications or services, says Sandy Carielli, a principal researcher with business-intelligence firm Forrester Research. 

"Anyone that has a good deal of customer interaction — a static website,  any sort of online store, or if you are relying on advertising traffic — most of the sites on the Internet these days — will need bot management," she says. 

For companies that are paying for traffic — such as advertising or affiliate services — bot-detection products can remove non-human interactions from the mix, saving them money. Customers that use these services will put pressure on their suppliers, and as incentives change, organizations will pay closer attention to metrics of humanness, Carielli says.

"The interesting thing about bot management is the range of stakeholders," she says. "Bots attack e-commerce sites. They are doing ad fraud and credential stuffing."

Related Content


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Disarming Disinformation"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/29/2019 | 11:32:41 AM
Defensive Wish List for 2020: Faster Responses to Threats

As students head home for the holidays, Dan Basile knows they are taking their devices with them, and that worries him. 


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-23
An integer overflow was discovered in YGOPro ygocore v13.51. Attackers can use it to leak the game server thread's memory.
PUBLISHED: 2020-09-23
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.
PUBLISHED: 2020-09-23
A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code.
PUBLISHED: 2020-09-23
A cross-site request forgery (CSRF) vulnerability in Jenkins Lockable Resources Plugin 2.8 and earlier allows attackers to reserve, unreserve, unlock, and reset resources.
PUBLISHED: 2020-09-23
Jenkins Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to configure the plugin.