Dark Reading is part of the Informa Tech Division of Informa PLC


Defensive Wish List for 2020: Faster Responses to Threats

Security professionals recommend technology to detect attacks that have already infiltrated a network.

As students head home for the holidays, Dan Basile knows they are taking their devices with them, and that worries him. 

The executive director of the security operations center at Texas A&M University System, Basile is responsible for keeping students' systems safe and universities' networks secure. It's not an easy job. "My workload skyrockets at the beginning of the semester, because all the students went home, got infected with everything known to man, and then brought it back onto my network," he says.

For that reason, Basile's wish list is focused on detecting threats already inside the networks — a strategy that he highly recommends for businesses, even if they think they are managing every device connecting to their local networks. Detecting threats between machines inside the network — so-called "East-West" traffic — is crucial to being able to respond to threats quickly, he says.

"Having that East-West visibility is golden because the malware is already in the environment," he says.

As security professionals look to 2020, their different threat profiles lead to different outlooks on which technologies they want. However, the common theme as the New Year approaches is the ability to react to threats quickly.

The plethora of systems that security analysts have to use is one factor that hampers response, says Richard Rushing, chief information security officer for Motorola Mobility. Security operations centers currently labor under a lack of integration between systems, and he sees platforms that bring all the disparate technologies back to a single workstation as a top priority.

"We should be able to leverage the various APIs to pull all this content together, allowing the data to stay where it needs to stay — no one should need to be doing a massive data lake," he says. 

Here are some other technologies that made security professionals' wish lists:

The triad for faster response

While TAMUS's Basile aims to stop attacks before they infect the network, as the security director in charge of university networks he understands that it is not always possible. Students and professors want freedom to explore — and with that freedom comes risk.

So Basile is mainly focused on implementing two defensive technologies. Traffic inspection systems such as network traffic-analysis and application firewalls allow companies to detect when attacks are coming from systems inside the network perimeter. Endpoint detection and response (EDR) software allows him to quickly see attacks in progress and take steps to blunt any compromise. 

Because Texas A&M is helping Texas stand up an analysis and response center for the state, both types of technology are on Basile's required list for new municipal and county government offices whose security the center will be overseeing.

"As we are bringing on more counties and cities across Texas, we are requiring an EDR or EPP [endpoint protection platform] for every site," he says. "It gives me a better picture and it lets us respond in real-time to incidents."

Get the "R" right

Companies need to go beyond endpoint detection and response, says Motorola's Rushing. The problem is that the actual "R" in EDR and SOAR (security orchestration, automation and response) platforms today is very basic.

"You need to get to the actual R working," he says. "Generating an e-mail to open up a ticket is not accomplishing what I want it to do. You need to get a better response capability."

As more automation is being used by defenders, Rushing sees security teams moving away from simple playbooks and moving toward automated, yet managed, responses. While the actual logic is basic — "if this, then that," would be enough, he says — getting the automated response technology working would be a boon.

Defending against attacker automation

Yet defenders are not the only ones using automation. Attackers are adding automation and machine-learning techniques to their toolboxes, so companies will need to find ways to stymie their operations.

Bots are one example of a threat that combines the two techniques, and they are becoming a staple for attackers: from credential stuffing to advertising fraud, bots help attackers automate their operations. For that reason, bot management services will become a must-have for any company that has Web-facing applications or services, says Sandy Carielli, a principal researcher with business-intelligence firm Forrester Research.

"Anyone that has a good deal of customer interaction — a static website, any sort of online store, or if you are relying on advertising traffic — most of the sites on the Internet these days — will need bot management," she says.

For companies that are paying for traffic — such as advertising or affiliate services — bot-detection products can remove non-human interactions from the mix, saving them money. Customers that use these services will put pressure on their suppliers, and as incentives change, organizations will pay closer attention to metrics of humanness, Carielli says.

"The interesting thing about bot management is the range of stakeholders," she says. "Bots attack e-commerce sites. They are doing ad fraud and credential stuffing."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
