Catastrophic data breaches are becoming the new norm. Each week, new data breaches surface, making it clear that cyber criminals are getting the upper hand in breaking into networks and stealing assets.
Most of the industry now understands that 100 percent effective preventative security is impossible to achieve. Both Gartner and the FBI agree. In his keynote to the 2015 RSA Conference in San Francisco, Amit Yoran, the president of RSA, loudly proclaimed that, “the security industry has failed.” He noted that, “Beyond this irrational obsession with perimeters, the security profession follows an equally absurd path to detecting these advanced threats.”
A motivated attacker will get into your network. What matters is how quickly and accurately you can find the active breach. Right now, the reported industry average time to discovery is about six months. This is where security has failed: the industry still relies on a preventative mindset, and on preventative tools, to surface a breach. Finding an active breach requires a different approach.
So what do the odds actually look like for an attacker and a defender before an intrusion and afterwards? Can the odds be changed? The answer may surprise you. In this slideshow, LightCyber takes a closer look at how data breaches happen and what you can do to tip the odds back in your favor.
Catching Data Breaches Sooner
With smart, robust security, companies can prevent the vast majority of threats, but not 100 percent of them. The attacker has the advantage because:
- There are unlimited opportunities to conduct an attack.
- There is almost no penalty or cost for making repeated attempts to breach a network.
- The defender must stop all attempts of both opportunistic and targeted attackers; failure to do this even once will result in a breach.
- Unlike an opportunistic attacker, a targeted attacker will find a way in through spear phishing, social engineering, vulnerabilities, web-based malware such as drive-by installation, etc.
Despite your best practices and technology, a targeted attacker will eventually get into your network if there is sufficient motivation for them. According to Gartner, “Determined attackers can get malware into organizations at will.” They continue, “Security organizations must assume they are compromised, and, therefore, invest in detective capabilities that provide continuous monitoring for patterns and behaviors indicative of malicious intent.”
Preventative tools are not enough on their own. Very few organizations have sufficient means to track down an attacker once the network has been breached. Preventative tools such as sandboxing and searching for the “technical artifacts” of known malicious software will not uncover an attacker who is already inside and operating with legitimate credentials and built-in tools rather than recognizable malware.
Most targeted data breaches are not discovered for about six months. That’s plenty of time to explore the network and conduct a carefully executed crime. Oftentimes, the discovery is made by a third party, such as the FBI or a credit organization, rather than the victimized company.
However, the active breach can be identified by looking for the right things.
Once an attacker is inside your network, who has the advantage?
The answer depends on the defending organization’s ability to spot an active data breach. Once inside the network, the attacker is blind: they do not yet know the topology, where the valuable assets are, or which credentials will work. This puts them at an inherent disadvantage. They must explore the network to understand topology, find resources, seek new points of control and begin to create favorable conditions to steal assets. Each of those steps produces observable behavior (scans, logons to hosts an account never used before, connections between hosts that never spoke before), so a defender watching for post-breach activity holds the advantage. Ironically, the phase that should be strongly in favor of the defender is often to the attacker’s advantage, because the defender lacks the ability to see real breach activity.
Why are intruders so hard to spot once inside the network?
- Most security infrastructure is built to stop the initial intrusion attempt. Once an attacker has circumvented those systems they are generally incapable of detecting the attacker’s activities.
- Endpoint security alone lacks the larger context of the network to see the full lifecycle of behaviors of an intruder at work across the network.
- Network-only security technology lacks endpoint visibility and therefore cannot tie an observation to the specific process, host or user account that was compromised, so its alerts are less accurate and harder to act on.
- Sandboxing technologies look for “technical artifacts” of an exploit running in a simulated environment but are not suited to detecting the operational activities of a post-intrusion attack.
- Security information and event management (SIEM) solutions may be able to catch a sign of an intruder at work, but the alert will likely be buried in hundreds or thousands of false-positive warnings.
Gaining the Advantage
How can the defender gain the advantage?
Data breaches can be detected, but generally not with typical endpoint security, sandboxing and anti-malware solutions alone. The key is to look for the operational activities an attacker has to perform after getting in. Automated detection built for this purpose (what LightCyber calls active breach detection) can spot these operational activities, especially internal reconnaissance and lateral movement.
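The following is an added example, not LightCyber’s product or code, of what looking for “operational activities” means in practice: it runs simple detection logic over constructed flow and logon records and flags the two behaviors the page names, internal reconnaissance (one host sweeping many internal peers or probing many ports on one server) and lateral movement (one account logging on to many hosts in a short window). The record formats, the fixed time windows and the thresholds are assumptions chosen for illustration; a real deployment would tune them to a baseline of normal behavior.

```python
"""Added example: flag internal reconnaissance and lateral movement from
constructed flow and logon records. Formats, windows and thresholds are
illustrative assumptions, not any vendor's logic."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def bucket(ts, minutes):
    """Floor a timestamp to a fixed window so counts are per (entity, window)."""
    return ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second,
                          microseconds=ts.microsecond)


def parse_flows(text):
    """Each line (constructed format): '<iso-time> <src-ip> <dst-ip> <dst-port>'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def parse_logons(text):
    """Each line (constructed format): '<iso-time> <user> <src-ip> <dest-host> <SUCCESS|FAILURE>'."""
    logons = []
    for line in text.strip().splitlines():
        ts, user, src, dst, status = line.split()
        logons.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst, "status": status})
    return logons


def detect_recon(flows, window_minutes=10, min_hosts=20, min_ports=10):
    """Host sweep: one source touches >= min_hosts internal hosts in a window.
    Port scan: one source touches >= min_ports distinct ports on one host."""
    hosts = defaultdict(set)   # (src, window) -> distinct internal destinations
    ports = defaultdict(set)   # (src, window, dst) -> distinct destination ports
    for f in flows:
        if not (is_internal(f["src"]) and is_internal(f["dst"])):
            continue           # reconnaissance of interest here is east-west traffic
        w = bucket(f["ts"], window_minutes)
        hosts[(f["src"], w)].add(f["dst"])
        ports[(f["src"], w, f["dst"])].add(f["dport"])
    findings = []
    for (src, w), dsts in hosts.items():
        if len(dsts) >= min_hosts:
            findings.append({"kind": "host_sweep", "src": src, "window": w, "count": len(dsts)})
    for (src, w, dst), ps in ports.items():
        if len(ps) >= min_ports:
            findings.append({"kind": "port_scan", "src": src, "dst": dst, "window": w, "count": len(ps)})
    return findings


def detect_lateral(logons, window_minutes=60, min_hosts=5):
    """Lateral movement: one account successfully logs on to >= min_hosts hosts in a window."""
    targets = defaultdict(set)  # (user, window) -> distinct hosts logged on to
    for l in logons:
        if l["status"] != "SUCCESS":
            continue
        targets[(l["user"], bucket(l["ts"], window_minutes))].add(l["dst"])
    return [{"kind": "lateral_movement", "user": u, "window": w, "count": len(h), "hosts": sorted(h)}
            for (u, w), h in targets.items() if len(h) >= min_hosts]


# Constructed sample data: a workstation doing normal work, a compromised host
# (10.1.7.41) sweeping SMB across a /24 and probing one server, then a service
# account used from that host fanning out across file servers.
SAMPLE_FLOWS = "\n".join(
    ["2015-04-01T09:00:01 10.1.5.23 10.1.5.1 53",
     "2015-04-01T09:00:05 10.1.5.23 93.184.216.34 443",
     "2015-04-01T09:00:09 10.1.5.23 10.1.9.8 445"]
    + [f"2015-04-01T09:01:{i:02d} 10.1.7.41 10.1.5.{i} 445" for i in range(1, 31)]
    + [f"2015-04-01T09:02:{i:02d} 10.1.7.41 10.1.9.8 {p}"
       for i, p in enumerate([22, 23, 80, 135, 139, 443, 445, 1433, 3389, 5985, 8080])]
)
SAMPLE_LOGONS = "\n".join(
    ["2015-04-01T08:30:00 alice 10.1.5.23 WS-ALICE SUCCESS",
     "2015-04-01T08:31:10 alice 10.1.5.23 FS01 SUCCESS"]
    + [f"2015-04-01T09:{5 + i:02d}:00 svc-backup 10.1.7.41 FS{i:02d} SUCCESS" for i in range(1, 7)]
    + ["2015-04-01T09:12:00 svc-backup 10.1.7.41 DC01 FAILURE"]
)

if __name__ == "__main__":
    for finding in detect_recon(parse_flows(SAMPLE_FLOWS)) + detect_lateral(parse_logons(SAMPLE_LOGONS)):
        print(finding)
```

Run as-is, the script reports one host sweep and one port scan from 10.1.7.41 and one lateral-movement finding for svc-backup, while alice’s two logons and the workstation’s DNS, web and file-share traffic stay below threshold. Fixed windows keep the example short; a sliding window and a per-entity baseline (this account normally reaches two hosts, this workstation normally talks to three) are the obvious next steps and are what separate a usable detector from a noisy one.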