
Perimeter | Commentary
3/13/2013 09:29 PM
Larry Seltzer

You've Been Hacked, But For How Long?

One of the big themes at the recent RSA Conference was awareness of threats already inside the network. The way you learn about these threats and lower your "Mean Time To Know" (MTTK) about an intrusion is with profile-based network monitoring.

I first heard the term MTTK for "Mean Time To Know" at the recent RSA Conference. In fact, I heard it a few times, and it struck me as one of the few larger themes of a show that always has a lot of different things going on.

But there had been big news in the weeks before about hacks of newspapers, the hacks being attributed to China. One of the interesting parts of the news was that some of the organizations had been compromised for many months and didn't know.

This is what MTTK refers to: How long is it from when you are compromised to when you find out about it? Part of the message is to admit that you will be compromised. No perimeter or endpoint defense is impenetrable. All good security planning involves layers of security, and one angle on this is to plan on detecting intrusions after hackers have gotten in. A low MTTK is good. One of the intrusions attributed to the Chinese People's Liberation Army Unit 61398 was in place for four years and 10 months. That's a big MTTK.

How do you detect intrusions after they've already passed your anti-intrusion measures? The answer is network monitoring, which is why I heard the term from network monitoring companies like Lancope, with its StealthWatch system, and Fluke, with Visual TruView. Solera DeepSee also takes this approach.

The idea is that APTs resident in your network do things that should be identifiable as suspicious, like opening SSL sessions on nonstandard ports. Some of these products will automatically create profiles of network traffic in order to identify what is normal. Then when something out of the ordinary happens, it's time to alert the administrators.

Obviously the systems have become more sophisticated over the years, especially the analytics, but the basic idea of MTTK isn't new. Here's an 8-year-old Cisco presentation on NetFlow. It asks, "What is an anomaly?" The answer:

  • An event or condition in the network that is identified as a statistical abnormality when compared to typical traffic patterns gleaned from previously collected profiles and baselines.
  • NetFlow allows the user to identify anomalies by producing detailed accounting of traffic flows.

Sounds the same to me.
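The profile-then-alert approach described above (learn what is normal per host from flow records, then flag departures such as TLS on a port the host never used) boiled down to a small script. This is an added example, not code from any of the products named in the column or from the Cisco presentation; the flow records are constructed, and the per-flow `app` label is assumed to come from a DPI or flow-export tag.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not captured traffic): (src, dst_port, proto, app, bytes).
# The "app" label is assumed to come from a DPI/flow-export tag; it lets TLS on a
# nonstandard port stand out as a service the host never used before.
BASELINE_FLOWS = [
    ("10.0.1.20", 443, "tcp", "tls", 4000),
    ("10.0.1.20", 443, "tcp", "tls", 6000),
    ("10.0.1.20", 53, "udp", "dns", 200),
    ("10.0.1.20", 80, "tcp", "http", 1800),
    ("10.0.1.21", 443, "tcp", "tls", 5000),
    ("10.0.1.21", 53, "udp", "dns", 300),
]
CURRENT_FLOWS = [
    ("10.0.1.20", 443, "tcp", "tls", 5000),     # matches the profile
    ("10.0.1.20", 8443, "tcp", "tls", 1200),    # TLS on a port this host never used
    ("10.0.1.20", 443, "tcp", "tls", 90000),    # far above the host's usual volume
    ("10.0.1.99", 22, "tcp", "ssh", 500),       # host absent from the baseline
]

def build_profile(flows):
    """Learn per-source 'normal': the set of (port, proto, app) services and mean bytes/flow."""
    services = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])          # [sum of bytes, flow count]
    for src, port, proto, app, nbytes in flows:
        services[src].add((port, proto, app))
        totals[src][0] += nbytes
        totals[src][1] += 1
    return {src: {"services": services[src],
                  "mean_bytes": totals[src][0] / totals[src][1]} for src in services}

def find_anomalies(profile, flows, volume_ratio=5.0):
    """Return (src, reason, detail) for every flow that departs from the learned profile."""
    alerts = []
    for src, port, proto, app, nbytes in flows:
        base = profile.get(src)
        if base is None:
            alerts.append((src, "unknown-source", f"{app}/{proto}:{port}"))
            continue
        if (port, proto, app) not in base["services"]:
            alerts.append((src, "new-service", f"{app}/{proto}:{port}"))
        if nbytes > volume_ratio * base["mean_bytes"]:
            alerts.append((src, "volume-spike", f"{nbytes}B vs mean {base['mean_bytes']:.0f}B"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_profile(BASELINE_FLOWS), CURRENT_FLOWS):
        print(*alert)
```

A real deployment would rebuild the baseline on a rolling window and key it on more than the source address, but the shape is the same: the baseline is the "profile" and every alert is a candidate for cutting MTTK.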

Of course, the idea back in 2005 with NetFlow was to look at traffic at the perimeter, not traffic inside of your network. That's what's relatively new in MTTK: an acknowledgement of the need for internal network intelligence. No longer can you just look at border crossings; you have to be vigilant even on trusted internal paths. You won't find what you don't look for.

It's a shame that this has become one more thing companies must do to provide reasonable protection to their networks. It's an added cost -- one that takes the courage to admit that they have to plan for the failure of their other security investments. But better to make this investment than to explain how you overlooked a hostile intrusion on your network for four years and 10 months.

Larry Seltzer is the editorial director for BYTE, Dark Reading, and Network Computing.
