
To thwart attackers, measure what matters

30 Sep 15

For years the security industry has focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness.

But Marc Solomon, Cisco vice president of security marketing, says that only tells part of the story – and there’s a more important measure – time to detection – that needs to gain prominence.

He says that while measuring the percentage of blocked attacks still holds true as a way to demonstrate security effectiveness – after all, the more threats blocked, the fewer there are to deal with inside the network – it has flaws.

“We must continue to innovate and work diligently to get that number as close to 100% as possible,” Solomon says. “But that’s the catch.”

Solomon says despite increasingly more effective and sophisticated security defences, point solutions have limited impact against well-funded cybercriminals using a combination of more evolved tactics to evade detection.

He says exploit kits, ransomware and advanced malware are just a few examples of the innovative tactics employed by cybercriminals.

“Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [stealing domain registration logins and creating subdomains which it then rotates to hide the IP address of the server] to stay below the radar,” Solomon says.

Ransomware, too, has become highly lucrative for hackers, Solomon notes, with operations maturing to the point that they are completely automated through the Tor anonymous web network and use encryption to evade detection. Cryptocurrencies help conceal payment transactions.

Solomon cites the quickly mutating Dridex campaign as demonstrating a sophisticated understanding of how to evade security measures.

“By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments or referrers,” Solomon says. “They launch the campaign again, forcing traditional antivirus systems to detect them anew.”

He says the innovation race between attackers and security vendors will continue, but the dynamic creates a problem for organisations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel.

“They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not, and cannot, work together,” Solomon says.

“History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks.

“To get a more realistic measurement of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more, important: time to detection.”

Time to detection is the window of time between the first observation of a file and the detection that it is a threat, and Solomon says the gap exists because of the tactics cybercriminals use to slip through defences as ‘unknown’ and later exhibit behaviours that are malicious.

“Based on various reports, the current industry standard for time to detection is 200 days,” Solomon says. “That’s far too long.

“By the time a breach is discovered credit card data, bank account information, credentials, you name it, have been compromised.”

Solomon says to catch these types of threats, retrospective capabilities must become part of our defences.

“These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices and remediate,” he says.

“Retrospective security can only happen with an integrated threat defence that allows multiple security technologies to work together, sharing information to combat multifaceted attacks.

“An integrated threat defence not only accelerates time to detection and response, but also enhances our front line defences, updating policies as we uncover threats inside the network to eliminate the risk of reinfection.”

Says Solomon: “Stopping attacks in the first place is important. But accepting the reality that some attacks will get through, security effectiveness must now be measured by how quickly we detect a compromise and stop the exploitation of that attack.”
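Solomon's definition of time to detection (first observation of a file to the point it is judged a threat) and the file-trajectory view he describes, worked through as an added Python example that is not from the article or from Cisco. The sighting telemetry, hostnames and hash labels are constructed, and the dates are chosen so that the convicted file's gap lands on the 200-day figure quoted above.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (file_hash, host, first time the file was observed there).
# The hashes are placeholder labels, not real indicators.
SIGHTINGS = [
    ("FILE-A", "ws-101", datetime(2015, 1, 10, 9, 0)),
    ("FILE-A", "ws-117", datetime(2015, 1, 12, 14, 30)),
    ("FILE-A", "srv-db1", datetime(2015, 3, 2, 8, 15)),
    ("FILE-A", "ws-233", datetime(2015, 8, 20, 11, 0)),  # seen after conviction: blocked inline
    ("FILE-B", "ws-042", datetime(2015, 5, 5, 10, 0)),
]

# Constructed verdict history: a file can sit as 'unknown' for months before being convicted.
VERDICTS = [
    ("FILE-A", "unknown", datetime(2015, 1, 10, 9, 0)),
    ("FILE-A", "malicious", datetime(2015, 7, 29, 9, 0)),
    ("FILE-B", "unknown", datetime(2015, 5, 5, 10, 0)),
]

def conviction_times(verdicts):
    """Earliest 'malicious' verdict per file; files never convicted are absent."""
    convicted = {}
    for file_hash, verdict, at in verdicts:
        if verdict == "malicious" and (file_hash not in convicted or at < convicted[file_hash]):
            convicted[file_hash] = at
    return convicted

def time_to_detection(sightings, verdicts):
    """TTD per file = conviction time minus first observation anywhere in the estate.
    A file still 'unknown' has no TTD yet: that is an open detection gap, not a success."""
    first_seen = {}
    for file_hash, _host, seen_at in sightings:
        first_seen[file_hash] = min(seen_at, first_seen.get(file_hash, seen_at))
    convicted = conviction_times(verdicts)
    return {h: convicted[h] - first_seen[h] for h in convicted if h in first_seen}

def retrospective_scope(sightings, verdicts):
    """Hosts that saw each convicted file before it was convicted, in order of sighting.
    This is the file's trajectory: every host on it needs quarantine and remediation,
    while sightings after conviction are assumed blocked by the updated front line."""
    convicted = conviction_times(verdicts)
    scope = defaultdict(list)
    for file_hash, host, seen_at in sorted(sightings, key=lambda s: s[2]):
        if file_hash in convicted and seen_at < convicted[file_hash]:
            scope[file_hash].append(host)
    return dict(scope)

if __name__ == "__main__":
    print(time_to_detection(SIGHTINGS, VERDICTS), retrospective_scope(SIGHTINGS, VERDICTS))
```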
