I was not surprised to see a report from Mandiant that said the following -
- 100% of the breaches had updated Anti-Virus software
- 63% of the breaches were reported by third parties
- It took 243 days to detect an attack
It is very clear that existing monitoring capabilities are no match for the changing threat landscape. The traditional technologies lack the sophisticated capabilities and visibility required to detect and protect against such advanced attacks.
So what is the problem ? and what are the options ?
(Image credits: lifeboat.com)
Typically organizations have responded to threats and its changing nature by implementing several point tools like Anti-Viruses, Anti-malwares, Firewall, IPS, URL filters, Application security gateways, DLP solutions and SIEM solutions to detect and prevent security attacks.
Further they have designed processes and detective mechanism like Vulnerability Assessments and application security scanners but still failed to mitigate the sophisticated attacks like Advanced Persistent Threats (APT), especially running in stealth mode, which cannot be detected by point security tools.
What is needed is behavior analysis for anomalies, which means detecting unusual behavioral patterns but to achieve that, one need to baseline what is normal and the same requires huge volume of data and substantial manpower.
Another problem with point tools is that it provides huge amount of monitoring data/logs which is correlated in SIEM giving standalone threat information, but threat indicators should also be integrated and correlated with asset criticality and process related weakness to identify risks holistically so that appropriate resources can be allocated based on priority for mitigation.
SIEM also has a limitation of being good at collecting logs from desperate systems and aid in correlation and compliance, but has limited analytical capability for threat detection, forensic and also unable to query retained collected for performing analysis.
In summary, these are the problems
- APT, frauds and insider attacks are increasing.
- Traditional technologies are failing to detect advanced and persistent attacks
- Monitoring millions of transactions for structured data and identifying attack or fraud pattern is difficult manually and need substantial man power and advanced skills.
- Managing and analyzing huge amount of data from point security tools and relying purely on correlation rules in SIEM to identify threats has failed to protect from advanced attacks. SIEM has limits in querying the retained data for analytics and also unable to handle millions of transaction per second along with its inability to provide business context. Further not all attacks have/leave logs.
- Assessing risks without the visibility of critical assets leads to judgmental and opinionated decisions.
These problems are not easy to solve, but I am presenting my recommendation to increase the chances of detection by integration of data from point tools and using network visibility to identify anomalies.
Implement solution to store big data and analyze data in real time.
Three options can be considered.
Option 1 - Manually configure threat indicators for identifying advanced threats by reverse engineering and using point tools like Firewall alerts, IPS rules, end point IPS, proxy servers, web application firewalls and other security tools
Option 2 - Implement SIEM with big data and analytics from professional vendors in this space
Option 3 - Work with existing SIEM and create a data cave / warehouse to store all data from SIEM and few other point tools like DAM and buy analytics engine to analyze large amount of data using rules. This can be either achieved by third party vendors providing analytics engine over the cloud or by buying professional analytics tools and integrate reporting and alerting in GRC tool
- If you wish to buy a professional tool then judge the real-time big data security analytics tools on their incident detection acceleration AND their ability to improve staff efficiency, reduce false positives, automate manual processes, and supersede point tools.
- Implement or leverage GRC tool to assembles and provide intuitive alerts and the predictability engine predicts the probability of attack.
- Perform an inventory of all critical assets in the GRC tool and assign work flow for notification, escalation, remediation and closure of risks
- Import vulnerabilities to those assets and its criticality
- Map audit and process related weakness to the assets affected
- Map threat feeds for applicability to the assets and its severity
- Import threat intelligence from analytics and apply analytics to the collated data (from various security point tools, vulnerabilities to assets by mapping vulnerability assessment results and from audit application to map audit findings for process weakness) to predict the probability of risk materialization. This way of computing risk is more scientific and supported and all can be easily integrated in a GRC tool