
To thwart attackers, measure what matters

30 Sep 15

For years the security industry has focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness.

But Marc Solomon, Cisco vice president of security marketing, says that only tells part of the story – and there’s a more important measure – time to detection – that needs to gain prominence.

He says measuring the percentage of blocked attacks is still a valid way to demonstrate security effectiveness (after all, the more threats blocked, the fewer there are to deal with inside the network), but the metric has flaws.

“We must continue to innovate and work diligently to get that number as close to 100% as possible,” Solomon says. “But that’s the catch.”

Solomon says that despite increasingly effective and sophisticated security defences, point solutions have limited impact against well-funded cybercriminals who combine more evolved tactics to evade detection.

He says exploit kits, ransomware and advanced malware are just a few examples of the innovative tactics employed by cybercriminals.

“Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [stealing domain registration logins and creating subdomains which it then rotates to hide the IP address of the server] to stay below the radar,” Solomon says.

Ransomware, too, has become highly lucrative for hackers, Solomon notes, with operations maturing to the point that they are completely automated through the Tor anonymous web network and use encryption to evade detection. Cryptocurrencies help conceal payment transactions.

Solomon cites the quickly mutating Dridex campaign as demonstrating a sophisticated understanding of how to evade security measures.

“By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments or referrers,” Solomon says. “They launch the campaign again, forcing traditional antivirus systems to detect them anew.”

He says the innovation race between attackers and security vendors will continue, but the dynamic creates a problem for organisations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel.

“They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not, and cannot, work together,” Solomon says.

“History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks.

“To get a more realistic measurement of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more, important: time to detection.”

Time to detection is the window between the first observation of a file in the environment and the moment it is classified as a threat. Solomon says the gap exists because of the tactics cybercriminals use: a file slips through defences as ‘unknown’ and only later exhibits behaviours that are malicious.

“Based on various reports, the current industry standard for time to detection is 200 days,” Solomon says. “That’s far too long.

“By the time a breach is discovered credit card data, bank account information, credentials, you name it, have been compromised.”

Solomon says to catch these types of threats, retrospective capabilities must become part of our defences.

“These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices and remediate,” he says.
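To make the definition of time to detection and the retrospective view concrete, here is an added example (not Cisco's code and not from the article) that works over constructed endpoint telemetry: each sighting is the moment a host observed a file by hash, and each verdict is the moment the file's disposition changed from unknown to malicious. The hashes, host names, timestamps and event format are all assumed for illustration. It computes the detection gap per convicted file, reconstructs the file's trajectory across hosts, and separates hosts that executed the file (quarantine candidates) from hosts that merely held it.

```python
"""Retrospective detection over constructed endpoint file-sighting telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Sighting(NamedTuple):
    ts: datetime      # when the endpoint observed the file
    host: str         # endpoint name (assumed naming scheme)
    sha256: str       # file hash
    action: str       # 'downloaded', 'copied' or 'executed'


class Verdict(NamedTuple):
    ts: datetime       # when the disposition changed
    disposition: str   # 'malicious' or 'clean'


# Constructed sample telemetry. Hashes are placeholders, not real samples.
SIGHTINGS: List[Sighting] = [
    Sighting(datetime(2015, 9, 1, 9, 12), "ws-017", "a1" * 32, "downloaded"),
    Sighting(datetime(2015, 9, 1, 9, 13), "ws-017", "a1" * 32, "executed"),
    Sighting(datetime(2015, 9, 3, 14, 5), "fs-02", "a1" * 32, "copied"),
    Sighting(datetime(2015, 9, 9, 8, 41), "ws-104", "a1" * 32, "executed"),
    Sighting(datetime(2015, 9, 2, 11, 0), "ws-050", "b2" * 32, "downloaded"),
]

# Constructed verdicts: the first file was allowed in as 'unknown' and only
# convicted on 10 Sep after it showed malicious behaviour; the second has
# no verdict yet, so it contributes nothing to time to detection.
VERDICTS: Dict[str, Verdict] = {
    "a1" * 32: Verdict(datetime(2015, 9, 10, 16, 30), "malicious"),
}


def first_seen(sightings: List[Sighting]) -> Dict[str, datetime]:
    """Earliest observation of each hash anywhere in the estate."""
    seen: Dict[str, datetime] = {}
    for s in sightings:
        if s.sha256 not in seen or s.ts < seen[s.sha256]:
            seen[s.sha256] = s.ts
    return seen


def time_to_detection(sightings: List[Sighting],
                      verdicts: Dict[str, Verdict]) -> Dict[str, timedelta]:
    """Per convicted hash: the gap from first sighting to malicious verdict."""
    seen = first_seen(sightings)
    return {
        sha: v.ts - seen[sha]
        for sha, v in verdicts.items()
        if v.disposition == "malicious" and sha in seen
    }


def trajectory(sightings: List[Sighting], sha256: str) -> List[Sighting]:
    """The file's path across hosts in time order (the retrospective view)."""
    return sorted((s for s in sightings if s.sha256 == sha256), key=lambda s: s.ts)


def exposed_hosts(sightings: List[Sighting],
                  verdicts: Dict[str, Verdict]) -> Dict[str, Dict[str, List[str]]]:
    """For each convicted hash, hosts that handled it inside the detection gap.
    Hosts that executed it are quarantine candidates; hosts that only held it
    need the file removed. Sightings after conviction are the front line's job."""
    held = defaultdict(set)
    executed = defaultdict(set)
    for s in sightings:
        v = verdicts.get(s.sha256)
        if v is None or v.disposition != "malicious" or s.ts > v.ts:
            continue  # no verdict yet, or observed after conviction
        (executed if s.action == "executed" else held)[s.sha256].add(s.host)
    result: Dict[str, Dict[str, List[str]]] = {}
    for sha in set(held) | set(executed):
        result[sha] = {
            "quarantine": sorted(executed[sha]),
            "remove_file": sorted(held[sha] - executed[sha]),
        }
    return result


if __name__ == "__main__":
    for sha, gap in time_to_detection(SIGHTINGS, VERDICTS).items():
        print(f"{sha[:12]}... time to detection: {gap}")
        for s in trajectory(SIGHTINGS, sha):
            print(f"  {s.ts:%Y-%m-%d %H:%M} {s.host:8} {s.action}")
        print("  remediation:", exposed_hosts(SIGHTINGS, VERDICTS)[sha])
```

The point of keeping the pre-verdict sightings rather than discarding them is that a blocking-only control has no view of the nine-day window in the sample: the file entered as unknown, spread to a file server and a second workstation, and only then was convicted. Measuring that window per file, and feeding the trajectory back into policy so the hash is blocked at the edge, is what the article calls retrospective security.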

“Retrospective security can only happen with an integrated threat defence that allows multiple security technologies to work together, sharing information to combat multifaceted attacks.

“An integrated threat defence not only accelerates time to detection and response, but also enhances our front line defences, updating policies as we uncover threats inside the network to eliminate the risk of reinfection.”

Says Solomon: “Stopping attacks in the first place is important. But accepting the reality that some attacks will get through, security effectiveness must now be measured by how quickly we detect a compromise and stop the exploitation of that attack.”
