Vulnerabilities / Threats

10/14/2020 02:00 PM
Assuring Business Continuity by Reducing Malware Dwell Time

Here's how CISOs and IT security operations teams can best address key challenges to network monitoring that could increase malware dwell time.

Malware attacks cost US companies $2.6 million per company on average — and that amount is increasing, according to a 2019 report from Accenture Security and the Ponemon Institute. Part of the reason for this increase is the growing number of network blind spots: CISOs and security teams can't see into certain portions of the network, so if malware manages to get past perimeter defenses, it can sit, undetected, and wreak havoc. These blind spots are exacerbated by a hybrid network model; as applications move to a public cloud or companies roll out virtualization, the network gets more complex, visibility gets limited, and security monitoring becomes more difficult. 

Fortunately, recent reports show this issue appears to be improving, with organizations managing to steadily decrease malware dwell time. The "2020 Data Breach Investigations Report" (DBIR) from Verizon found that over 60% of data breaches were discovered in days or less. That's an encouraging improvement from past years, but over a quarter of breaches still take months or more to be detected, so there is still more work to be done.


Yet at the same time, digital transformation projects and cloud-first or cloud-smart paradigms are proliferating, both of which complicate monitoring and visibility. If the security team doesn't keep up with the network's growing complexity, they risk losing recent gains.

Here's how CISOs and IT security operations teams can best address some of the key challenges to network monitoring that threaten to increase malware dwell time.

1. Visibility into east-west traffic
East-west traffic (that is, within a data center) has increased over the last several years as applications have become multitier and more compute-intensive, networks have become more virtualized to support more virtual machines, and the number of transactions and exchanges in an east-west direction has increased. This is happening across many sectors, including financial services, service providers, and retail. The shift is making monitoring more difficult — where do you tap the network without physical connections and devices?

But getting access to this traffic is essential because it lets security tools detect unusual network behavior that can indicate a security breach. Access to east-west traffic reveals which IP addresses are talking to one another, when these connections take place, etc. This information lets analysts or behavioral-based security tools raise alerts to investigate and remediate unusual network events (either automatically or manually). For example, an unusual database access by an application or a large FTP download at 2 a.m. is an event that should be investigated. As businesses go virtual and cloud-first, having full access to all network traffic, including traffic within the data center, is vital to keeping them secure. 

2. Ability to capture and store network data for forensics
Having access to detailed packet and flow data from before, during, and after a security breach is necessary for security analysts to accurately determine the extent of the breach, analyze the damage, and figure out how to prevent it going forward. Capturing and storing a bank of network data for this purpose will usually require gathering network metadata and packet data from physical, virtual, and cloud-native elements of the network deployed across the data center, branch offices, and multicloud environments. Obtaining this insight requires a mix of physical and virtual network probes, packet brokers, and capture devices to gather and consolidate data from the various corners of the network to process and deliver it to the security tool stack. It's equally important that teams can capture and store packet data from before, during, and after an indicator of compromise for later forensic analysis. The easier it is to access, index, and make sense out of this data, the more value it will provide.

While it's more complex and difficult to obtain this information from cloud-based or virtual segments of the network, it's essential for keeping organizations secure. The 2020 Verizon DBIR found that attacks targeting web applications were involved in 43% of breaches, more than double what they were in 2019. As more workflows move to the cloud, the attacks will follow — so monitoring and defenses need to do the same. 
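As an added example that is not from the article or from cPacket, the Python below runs a small triage over constructed NetFlow-style records to illustrate the two east-west anomalies the first section cites (an unexpected client reaching the database tier, and a large FTP transfer at 2 a.m.) and the forensic windowing around an indicator of compromise that this section describes. The hosts, ports, client baseline, off-hours range and byte threshold are all assumptions chosen for the sample.

```python
"""East-west flow triage and forensic windowing over constructed flow records.

Added example, not from the article. All addresses, ports, the client
baseline and the thresholds below are assumptions made for the sample.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    """One summarised connection as a probe or packet broker would export it."""
    ts: datetime      # start time of the flow
    src: str          # source IP
    dst: str          # destination IP
    dport: int        # destination port
    bytes_out: int    # bytes sent from src to dst


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    Flow(datetime(2020, 10, 14, 9, 15), "10.1.1.10", "10.1.2.20", 5432, 20_000),        # app -> db, expected
    Flow(datetime(2020, 10, 14, 9, 16), "10.1.1.11", "10.1.2.20", 5432, 18_000),        # app -> db, expected
    Flow(datetime(2020, 10, 14, 10, 2), "10.1.3.77", "10.1.2.20", 5432, 4_000),         # unexpected client -> db
    Flow(datetime(2020, 10, 14, 2, 5), "10.1.2.20", "10.1.5.9", 21, 900_000_000),       # 900 MB FTP at 2 a.m.
    Flow(datetime(2020, 10, 14, 14, 0), "10.1.1.10", "10.1.5.9", 21, 50_000_000),       # 50 MB FTP midday
]

# Assumed baseline: the only hosts expected to talk to the database tier.
DB_PORT = 5432
EXPECTED_DB_CLIENTS = {"10.1.1.10", "10.1.1.11"}

# Assumed thresholds for the off-hours bulk-transfer rule.
OFF_HOURS = range(0, 6)      # 00:00-05:59 local time
BULK_BYTES = 100_000_000     # 100 MB


def unexpected_db_access(flows):
    """Flows to the database port from a host outside the known client set."""
    return [f for f in flows if f.dport == DB_PORT and f.src not in EXPECTED_DB_CLIENTS]


def off_hours_bulk_transfer(flows):
    """Large outbound transfers that start during the off-hours window."""
    return [f for f in flows if f.ts.hour in OFF_HOURS and f.bytes_out >= BULK_BYTES]


def triage(flows):
    """Return (rule_name, flow) alerts ordered by time, for an analyst or SOAR step."""
    alerts = [("unexpected_db_access", f) for f in unexpected_db_access(flows)]
    alerts += [("off_hours_bulk_transfer", f) for f in off_hours_bulk_transfer(flows)]
    return sorted(alerts, key=lambda a: a[1].ts)


def forensic_window(flows, indicator_ts, host=None,
                    before=timedelta(hours=1), after=timedelta(hours=1)):
    """Pull stored flows from before and after an indicator of compromise.

    Optionally restrict to flows touching one host so the analyst can pivot
    from the alert to everything that host did around that time.
    """
    lo, hi = indicator_ts - before, indicator_ts + after
    hits = [f for f in flows
            if lo <= f.ts <= hi and (host is None or host in (f.src, f.dst))]
    return sorted(hits, key=lambda f: f.ts)


if __name__ == "__main__":
    for rule, flow in triage(SAMPLE_FLOWS):
        print(f"{flow.ts:%Y-%m-%d %H:%M} {rule}: {flow.src} -> {flow.dst}:{flow.dport} ({flow.bytes_out} bytes)")
    # Pivot on the database host for eight hours either side of the odd access.
    for flow in forensic_window(SAMPLE_FLOWS, datetime(2020, 10, 14, 10, 2), host="10.1.2.20",
                                before=timedelta(hours=8), after=timedelta(hours=8)):
        print(f"  {flow.ts:%H:%M} {flow.src} -> {flow.dst}:{flow.dport}")
```

In a real deployment the baseline would be learned from retained flow metadata rather than hard-coded, and the forensic query would run against the packet or flow store fed by the probes and packet brokers; the point here is that both the detection and the investigation depend on having the east-west records in the first place.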

3. Reworking security policies for remote workers
Many knowledge workers are still working from home thanks to COVID-19, and this has significantly changed the security posture for most organizations. In the past, IT and security teams could base security policies on the assumption that most users access resources via the corporate network while on-site, with a small number accessing it remotely. Now that's flipped — most users are accessing applications in the cloud or in the data center via the public Internet. Companies have reacted by loosening security restrictions to better accommodate the groundswell of remote access. That softens perimeter security, thereby increasing the need to quickly spot and mitigate any malware that might sneak through.

4. Getting visibility into the public cloud
Many organizations have moved applications to the public cloud to take advantage of its scalability and flexibility, but there can be a cost in lack of visibility. Until recently, major public cloud platforms were black boxes; it was possible to see traffic into and out of the cloud, but little of what happened inside. Without access to the network traffic within AWS, Google Cloud, or Azure, IT teams couldn't monitor for signs of a breach. Fortunately, that's changing, with some major cloud providers adding features that mirror network traffic to and from a client's applications. A virtual packet broker can then forward that mirrored traffic to cloud-native security monitoring tools. A feed can also be directed to a virtual packet capture device for archiving the packet data to cloud storage for compliance and forensics.

In summary, detecting and reducing malware dwell time in a hybrid environment requires access to full network traffic for all segments of the network — whether that is on-premises, within the data center, within the public cloud, or for remote worker access. IT infrastructure and operations leadership should put network traffic intelligence on their list and set aside a portion of their security budget for proper network instrumentation.

Brendan O'Flaherty serves as Chief Executive Officer of cPacket Networks and has over 20 years of executive and leadership experience. Prior to joining cPacket, Brendan was President and Chief Operating Officer at Massana Semiconductor, where he led a successful acquisition ...