Cyber Security Using Dark Ages Methods Must Be Moved Away From Confirms RSA President – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften Technologies

A 5 Point Plan For A New Security Approach Proposed By Amit Yoran

Amit Yoran, RSA President, gave an excellent keynote speech at the RSA Conference that reinforced the Ziften strategy. Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility™, risk-focused security analytics, and providing robust defenses in a new era of advanced cyber attacks. Yoran slammed current organizational security strategy as bogged down in the Dark Ages of cyber moats and castle walls, describing it as an “impressive fail”, and outlined his vision for the future in five main points. Commentary from Ziften’s point of view is included with each point.

Stop Believing That Even Advanced Protections Are Sufficient

“No matter how high or smart the walls, focused adversaries will discover methods over, under, around, and through.”

Many recent advanced attacks did not use malware as their main method. Yoran singled out conventional endpoint anti-virus, firewalls and conventional IPS as examples of the Dark Ages, stating that skilled attackers easily scale these legacy defenses and that they are largely inadequate. A signature-based anti-virus system can only protect against previously seen threats, yet unseen threats are the most dangerous to an organization, since they are the norm in targeted attacks. Targeted attackers use malware only 50% of the time, and perhaps only briefly, at the start of the attack. Attack artifacts are easily changed and are never reused in targeted attacks, so accumulating billions of transient indicators of compromise and malware signatures in large anti-virus signature databases is a pointless defensive approach.

Adopt a Deep and Prevalent Level of True Visibility Everywhere – from the Endpoint to the Cloud

“We require pervasive and true visibility into our business environments. You just can’t do security today without the visibility of both continuous complete packet capture and endpoint compromise evaluation visibility.”

This means continuous endpoint monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reflect classic attacker methods rather than short-lived hex-string happenstance. Any organization performing continuous full packet capture (comparatively costly) can easily afford endpoint threat assessment visibility (comparatively inexpensive). Logging and auditing endpoint process activity yields a wealth of security insight using only basic analytics techniques. A targeted attacker relies on the relative opacity of endpoint user and system activity to mask and hide the attack; true visibility shines an intense light on it.

Identity and Authentication Matter More than Ever

“In a world with no perimeter and with less security anchor points, identity and authentication matter even more … At some point in [any effective attack] campaign, the abuse of identity is a stepping stone the aggressors utilize to enforce their will.”

Stronger authentication is fine, but it only builds bigger walls that are still not impenetrable. What the attacker does once over the wall is what matters most. Track user endpoint logins (both local and remote) and the applications users engage with for signs of unusual activity (an insider attack or possibly compromised credentials). Any observed activity that departs from normal patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulate several such departures concentrate security attention on the highest-risk anomalies for triage.

External Risk Intelligence Is A Core Capability

“There are incredible sources for the best risk intelligence … [which] need to be machine-readable and automated for increased speed and leverage. It needs to be operationalized into your security program and tailored to your company’s assets and interests so that analysts can quickly deal with the threats that pose the most risk.”

Targeted attacks generally do not reuse easily signatured artifacts or recycle network addresses and C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from millions of endpoint and network threat sensors. At Ziften we integrate third-party threat feeds through the Ziften Knowledge Cloud, and we expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure via our Open Visibility™ architecture. As more machine-readable threat intelligence (MRTI) feeds evolve, this capability will grow with them.

Understand What Matters Most To Your Business And Exactly what Is Mission Critical

“You need to comprehend exactly what matters to your organization and what is mission critical. You have to … protect exactly what’s important and protect it with everything you have.”

This holds true for risk-driven analytics and instrumentation that focus security attention and effort on the areas of highest business risk exposure. Yoran argues that asset value prioritization is only one side of business risk analysis, which goes much deeper, both pragmatically and academically. Security analytics that focus security staff attention on the most pressing dynamic risks (for instance by filtering, correlating and scoring SIEM alert streams for security triage) need to be grounded in all sides of business risk analysis.
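The following is an added worked example, not Ziften's code or anything from Yoran's keynote, showing the three analytics ideas in this post together: scoring several departures from a user's normal endpoint behaviour (new host, off-hours login, unusual process) so that one lone departure ranks low while several reinforce each other, matching endpoint telemetry against a machine-readable threat-intelligence feed whose indicators expire, and producing a ranked triage list of the kind a SIEM scoring pipeline would emit. The baselines, feed entries, telemetry and signal weights are all constructed for the example; a real deployment would learn baselines from history and pull indicators from a live MRTI feed.

```python
"""Added example: triangulating endpoint anomalies and threat-intel matches
into a triage score per user/host.  All data below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed per-user baselines (hypothetical; a real system learns these).
BASELINES = {
    "alice": {"hosts": {"WS-ALICE"},
              "processes": {"outlook.exe", "excel.exe", "chrome.exe"},
              "hours": range(7, 20)},
    "bob": {"hosts": {"WS-BOB", "LAB-01"},
            "processes": {"bash", "python3", "ssh"},
            "hours": range(8, 19)},
}

# Constructed machine-readable threat-intel feed.  Indicators carry an expiry,
# because targeted attackers rarely keep artifacts in use for long.
MRTI_FEED = [
    {"type": "domain", "value": "update-cdn.example", "valid_until": "2015-06-01"},
    {"type": "sha256", "value": "aa" * 32, "valid_until": "2014-01-01"},  # stale
]

# Constructed endpoint telemetry: one day of login and process events.
EVENTS = [
    {"user": "alice", "host": "WS-ALICE", "kind": "login", "ts": "2015-04-21T08:05:00"},
    {"user": "alice", "host": "WS-ALICE", "kind": "process", "ts": "2015-04-21T08:10:00",
     "process": "outlook.exe", "sha256": "11" * 32},
    {"user": "alice", "host": "FIN-SRV-03", "kind": "login", "ts": "2015-04-21T02:40:00"},
    {"user": "alice", "host": "FIN-SRV-03", "kind": "process", "ts": "2015-04-21T02:41:00",
     "process": "powershell.exe", "sha256": "22" * 32, "dst_domain": "update-cdn.example"},
    {"user": "bob", "host": "LAB-01", "kind": "login", "ts": "2015-04-21T23:10:00"},
    {"user": "bob", "host": "LAB-01", "kind": "process", "ts": "2015-04-21T23:11:00",
     "process": "python3", "sha256": "aa" * 32},
]

# Constructed weights; an intel hit counts for more than a single behavioural oddity.
SIGNAL_WEIGHTS = {"new_host": 2, "off_hours": 1, "unusual_process": 2, "intel_match": 4}


def active_indicators(feed, now_iso):
    """Return the (type, value) pairs of indicators that have not expired by `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    return {(i["type"], i["value"]) for i in feed
            if datetime.fromisoformat(i["valid_until"]) >= now}


def signals_for(event, baseline, indicators):
    """Return the set of named departures from normality that one event exhibits."""
    found = set()
    hour = datetime.fromisoformat(event["ts"]).hour
    if event["host"] not in baseline["hosts"]:
        found.add("new_host")
    if hour not in baseline["hours"]:
        found.add("off_hours")
    if event["kind"] == "process":
        if event["process"] not in baseline["processes"]:
            found.add("unusual_process")
        if ("sha256", event.get("sha256")) in indicators:
            found.add("intel_match")
        if ("domain", event.get("dst_domain")) in indicators:
            found.add("intel_match")
    return found


def triage(events, baselines, feed, now_iso):
    """Aggregate signals per (user, host) and rank entities for analyst triage."""
    indicators = active_indicators(feed, now_iso)
    per_entity = defaultdict(set)
    for ev in events:
        per_entity[(ev["user"], ev["host"])] |= signals_for(ev, baselines[ev["user"]], indicators)
    ranked = []
    for (user, host), sigs in per_entity.items():
        if not sigs:
            continue  # nothing abnormal observed for this entity
        # Triangulation: the weight sum is scaled by the number of distinct signal
        # types, so one lone departure scores low and several reinforce each other.
        score = sum(SIGNAL_WEIGHTS[s] for s in sigs) * len(sigs)
        ranked.append({"user": user, "host": host, "signals": sorted(sigs), "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in triage(EVENTS, BASELINES, MRTI_FEED, "2015-04-21"):
        print(row)
```

Run as-is, the constructed data ranks alice on FIN-SRV-03 first (a new host, an off-hours login, an unusual process and a live C2-domain indicator, four independent signals) and bob on LAB-01 last with a single off-hours login; bob's process hash matches a feed entry, but that indicator has expired and is ignored, which is the point of keeping indicator lifetimes in the feed. The multiplicative scaling by signal count is one simple way to express the "triangulation" idea; a production system would tune weights per asset criticality, as the business-risk discussion above suggests.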

At Ziften we applaud Amit Yoran’s messages in his RSA 2015 keynote address as the cyber security market evolves beyond the present Dark Ages of facile targeted attacks and established exploitations.