Written By Dr Al Hartmann And Presented By Chuck Leaver CEO Ziften Technologies
A 5 Point Plan For A New Security Strategy Proposed By Amit Yoran
Amit Yoran, President of RSA, gave an outstanding keynote at the RSA Conference that reinforced the Ziften philosophy: continuous endpoint monitoring, silo-busting Ziften Open Visibility™, and risk-focused security analytics that deliver robust defenses in a new age of sophisticated cyber attacks. Yoran criticized current enterprise security approaches as being stuck in the Dark Ages of cyber moats and castle walls, calling them an “impressive fail”, and laid out his vision for the future in five main points. Commentary from Ziften’s viewpoint has been added to each.
Stop Believing That Even Advanced Protections Suffice
“No matter how high or smart the walls, focused foes will discover methods over, under, around, and through.”
Many of the more sophisticated recent attacks did not use malware as their primary method. Yoran singled out standard endpoint antivirus, firewalls and conventional IPS as examples of the Dark Ages: skilled attackers scale these traditional defenses quickly, so they are largely ineffective. A signature-based antivirus system can only protect against previously seen threats, yet unseen threats are the most dangerous to an organization, since they are the most common form of targeted attack. Targeted attackers use malware only 50% of the time, and often only briefly, at the start of the attack. The attack artifacts are easily altered and are never reused in targeted campaigns. Accumulating billions of transient indicators of compromise and malware signatures in huge antivirus signature databases is therefore a pointless defensive technique.
Embrace a Deep and Pervasive Level of Real Visibility Everywhere – from the Endpoint to the Cloud
“We need pervasive and true visibility into our enterprise environments. You merely can’t do security today without the visibility of both continuous complete packet capture and endpoint compromise assessment visibility.”
This calls for continuous endpoint monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reflect enduring attacker tactics rather than short-lived hex-string coincidences. And any organization that can fund continuous full packet capture (comparatively expensive) can easily afford endpoint threat assessment visibility (comparatively inexpensive). Logging and auditing endpoint process activity yields a wealth of security insight using only elementary analytics. A targeted attacker relies on the relative opacity of endpoint user and system activity to mask and hide the attack; real visibility shines a bright light on it.
Identity and Authentication Matter More than Ever
“In a world without any boundary and with fewer security anchor points, identity and authentication matter even more … At some time in [any effective attack] campaign, the abuse of identity is a stepping stone the attackers utilize to impose their will.”
Stronger authentication is good, but it only builds higher walls that are still not impenetrable. What the attacker does after getting over the wall is what matters most. Track user endpoint logins (both local and remote) and application usage for signs of abnormal user activity (an insider attack or potentially compromised credentials). Any observed activity that differs from typical patterns is potentially suspicious. A single departure from normality does not make a case, but security analytics that triangulate several departures from normality focus security attention on the highest-risk anomalies for triage.
External Risk Intelligence Is A Core Capability
“There are extraordinary sources for the right risk intelligence … [which] should be machine-readable and automated for increased speed and leverage. It ought to be operationalized into your security program and customized to your organization’s assets and interests so that analysts can rapidly attend to the threats that posture the most risk.”
Most targeted attacks do not reuse readily signatured artifacts, network addresses or C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from countless endpoint and network threat sensors. Here at Ziften we integrate third-party threat feeds through the Ziften Knowledge Cloud, and expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure through our Open Visibility™ architecture. As machine-readable threat intelligence (MRTI) feeds continue to evolve, this capability will grow with them.
Understand Exactly what Matters Most To Your Organization And What Is Mission Critical
“You need to understand what matters to your company and exactly what is mission critical. You need to … protect what’s important and defend it with everything you have.”
This is the case for risk-driven analytics and instrumentation that focus security attention and effort on the areas of greatest enterprise risk exposure. Yoran argues that asset value prioritization is only one side of enterprise risk analysis, and that the subject goes much deeper, both pragmatically and academically. Security analytics that direct security staff to the most prominent active threats (for instance by filtering, correlating and scoring SIEM alert streams for security triage) need to be well grounded in every side of enterprise risk analysis.
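The triage idea from the identity section and from this one (several weak departures from a user's normal login pattern, triangulated and weighted by how critical the asset is) can be sketched in a few lines. This is an added illustration, not Ziften code; the login events, the per-user baseline and the asset criticality values are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample login events (not real telemetry): (user, host, hour, remote, success)
BASELINE = [
    ("alice", "ws-01", 9, False, True), ("alice", "ws-01", 10, False, True),
    ("alice", "ws-01", 14, False, True), ("alice", "ws-02", 11, False, True),
    ("bob", "ws-07", 8, False, True), ("bob", "ws-07", 17, False, True),
    ("bob", "vpn-gw", 19, True, True),
]
NEW = [
    ("alice", "ws-01", 13, False, True),   # ordinary for alice
    ("alice", "db-01", 3, True, False),    # off-hours, new host, first remote use, failed
    ("alice", "db-01", 3, True, True),     # same pattern, then succeeds
    ("bob", "vpn-gw", 20, True, True),     # ordinary for bob
    ("bob", "ws-07", 2, False, True),      # off-hours only: weak on its own
]
# Asset criticality would come from the organization's inventory; placeholder values here
CRITICALITY = {"db-01": 3.0, "ws-01": 1.0, "ws-02": 1.0, "ws-07": 1.0, "vpn-gw": 1.5}

def build_profile(events):
    """Per-user normal hosts, login hours and remote-access habit from successful past logins."""
    prof = defaultdict(lambda: {"hosts": set(), "hours": set(), "remote": False})
    for user, host, hour, remote, ok in events:
        if ok:
            p = prof[user]
            p["hosts"].add(host); p["hours"].add(hour); p["remote"] |= remote
    return prof

def departures(profile, event):
    """Name each way one event departs from the user's profile; a single one is weak evidence."""
    user, host, hour, remote, ok = event
    p = profile[user]
    found = []
    if host not in p["hosts"]:
        found.append("new_host")
    if not p["hours"] or not (min(p["hours"]) - 1 <= hour <= max(p["hours"]) + 1):
        found.append("off_hours")   # outside the user's observed hour window (1h slack)
    if remote and not p["remote"]:
        found.append("new_remote")
    if not ok:
        found.append("auth_failure")
    return found

def triage(baseline, new):
    """Triangulate per (user, host): score grows superlinearly with the number of distinct
    concurrent departures, then is weighted by asset criticality; highest risk first."""
    profile = build_profile(baseline)
    per_key = defaultdict(lambda: {"signals": set(), "score": 0.0})
    for ev in new:
        found = departures(profile, ev)
        if found:
            entry = per_key[(ev[0], ev[1])]
            entry["signals"].update(found)
            entry["score"] = len(entry["signals"]) ** 2 * CRITICALITY.get(ev[1], 1.0)
    return sorted(((k, v["score"], sorted(v["signals"])) for k, v in per_key.items()),
                  key=lambda x: -x[1])
```

Run on the sample data, alice's off-hours remote logins to the critical database host rise to the top with four combined signals, while bob's single off-hours login on his own workstation scores low and sits at the bottom of the queue.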
At Ziften we applaud Amit Yoran’s message in his RSA 2015 keynote address as the cyber security industry moves beyond the current Dark Ages of easy targeted attacks and entrenched compromises.