To thwart attackers, measure what matters
For years the security industry has focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness.
But Marc Solomon, Cisco vice president of security marketing, says that only tells part of the story – and there’s a more important measure – time to detection – that needs to gain prominence.
He says while measuring the percentage of blocked attacks still holds true as a way to demonstrate security effectiveness – after all the more threats blocked the fewer to deal with inside the network – it has flaws.
“We must continue to innovate and work diligently to get that number as close to 100% as possible,” Solomon says. “But that’s the catch.”
Solomon says despite increasingly more effective and sophisticated security defences, point solutions have limited impact against well-funded cybercriminals using a combination of more evolved tactics to evade detection.
He says exploit kits, ransomware and advanced malware are just a few examples of the innovative tactics employed by cybercriminals.
“Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [stealing domain registration logins and creating subdomains which it then rotates to hide the IP address of the server] to stay below the radar,” Solomon says.
Ransomware too, has become highly lucrative for hackers, Solomon notes, with operations maturing to the point that they are completely automated through the Tor anonymous web network, and use encryption to evade detection. Cryptocurrencies help conceal payment transactions.
Solomon cites the quickly mutating Dridex campaign as demonstrating a sophisticated understanding of how to evade security measures.
“By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments or referrers,” Solomon says. “They launch the campaign again, forcing traditional antivirus systems to detect them anew.”
He says the innovation race between attackers and security vendors will continue, but the dynamic creates a problem for organisations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel.
“They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not, and cannot, work together,” Solomon says.
“History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks.
“To get a more realistic measurement of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more, important: time to detection.”
Time to detection is the window of time between the first observation of a file and the detection that it is a threat, and Solomon says the gap exists because of the tactics cybercriminals use to slip through defences as ‘unknown’ and later exhibit behaviours that are malicious.
“Based on various reports, the current industry standard for time to detection is 200 days,” Solomon says. “That’s far too long.
“By the time a breach is discovered credit card data, bank account information, credentials, you name it, have been compromised.”
Solomon says to catch these types of threats, retrospective capabilities must become part of our defences.
“These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices and remediate,” he says.
“Retrospective security can only happen with an integrated threat defence that allows multiple security technologies to work together, sharing information to combat multifaceted attacks.
“An integrated threat defence not only accelerates time to detection and response, but also enhances our front line defences, updating policies as we uncover threats inside the network to eliminate the risk or reinfection.”
Says Solomon: “Stopping attacks in the first place is important. But accepting the reality that some attacks will get through, security effectiveness must now be measured by how quickly we detect a compromise and stop the exploitation of that attack.”