Living on the Defensive

Current detection and malware prevention solutions are not enough. Investigation and network visibility are missing

Whether we want to admit it or not, we as cyber defenders are always one step behind.

When I say “we” are one step behind, I’m referring to those organizations that are equipped with state-of-the-art measures and mature security operations centers (SOCs); for everyone else, the number of steps behind is far greater.

While cyber defenders work to protect their networks, hackers and more sophisticated nation-state attackers focus on developing plans (including business plans) to make money from enterprise assets. From crime syndicates to teenagers just “fooling around,” there are many levels of cyberattacks, along with an ever-increasing attack surface due to growing connectivity.

I would categorize the world of cyber defenses into three groups:

  • Preventive measures – those we install and expect to do their job of actively stopping behavior we deem “malicious”.
  • Detective measures – those we put in place to detect possible malicious activity, because we know that we cannot prevent everything (aka one step behind).
  • General/base measures – those we must conduct to establish a base on top of which the preventive and detective measures act, including asset management, code security, awareness and more.

What comes first?

In planning, preventive measures always get the first pick. After preventive measures, cyber defenders typically install detective ones. Sometimes we choose detective measures because we are afraid to disrupt the business in any manner. And as we install detection solutions, we are aware that we’ll need to investigate every single alert they generate to determine whether the threats are valid and require mitigation.

The pitfall of these approaches is that we trust these measures and come to rely on them. As the number of alerts on potential malware and other malicious communications grows, we deal with the increasing volume by creating thresholds. However, if only a few alerts are generated, does that actually mean the measures are working well? Similarly, if several of the generated alerts correlate to one specific timeframe or entity, does that necessarily mean that the behavior is malicious?

In fact, dealing with alerts has become our biggest problem. Alerts will typically lead us to minor misconduct (e.g. a compliance issue), while actual “malicious” activity such as malware seldom generates alerts, because the “real attacks” are well designed to bypass preventive measures, leaving us blind until it is too late.

Anomalies: How they expose us

We are now in the era of defensive measures that focus on identifying anomalies. Unfortunately, if you simply deploy a solution to find out if something abnormal is taking place, you’re going to get thousands of alerts, most of which won’t pick up malware! Anomalies never stop; they occur constantly.

And here comes the part where we all miss the point of the value of network visibility. Although we know we should be interested in increasing our network visibility, we remain completely blind. We are blind to the areas where we have preventive measures because we trust them to do their job. We are blind in areas where we have detection measures because we sit back and wait for their alerts. Yet we look for more of the same kind of solutions to prevent or detect malware, data exfiltration, phishing, ransomware, etc. while still ignoring network blind spots.

Let’s take perimeter defenses as an example. The gateway is responsible for protecting us from the “end game” of any attack – electronic exfiltration of our assets. Given this critical role, what do we typically place there? A firewall and Internet gateway (aka proxy) that can generate up to billions of traffic logs, all going to a repository (because who wants to monitor employees surfing on Facebook/Google…).

Although these specific measures also generate thousands of alerts a day, I have never seen a security operation that actually checks these alerts. Since these alerts are generated when something was prevented, then why check them? We are safe! Or are we?

The value of network visibility

So here, I present you with a blind spot: egress traffic, one of the most common blind spots in any security operation and yet one of the most important areas for any security operation to have visibility into.

If I had written this a few years ago, it would have been part of my own hunt to gain that visibility. Luckily, today there are a few solutions that step up to the challenge of visibility in security operations. Unfortunately, most organizations prioritize “traditional” tools, and prioritize immediate results over network visibility.

This cloudy intersection, in which we try to measure the effectiveness of our security operations yet only succeed in generating 80-95% false positives, leads us to mistrust any measure that might generate false positives (or too many alerts that we don’t have the resources to handle).

This is a paradox in which we want to gain visibility to prevent us from missing activities that bypass our defenses without dealing with the volume of alerts generated. Despite this, we are unwilling to invest in a visibility solution because that would point to the need to spend resources to hunt proactively. After all, let’s admit that we try to make security operations as reactive as possible; a perfect example would be the focus on automating SOC responses.

Still one step behind

If we agree on the simple fact that we remain one step behind the attackers, then we must admit that no proxy/firewall can ever be updated enough to block what is unknown to it. If we cannot even manage to check the alerts, what are our chances of actually finding and investigating a suspicious incident that was overlooked? 

After describing the conundrums of today’s security operations centers (SOCs), I know that I am interested in a solution that:

  • Is narrow enough to solve a specific problem (e.g. malware, beaconing, crypto-jacking, data exfiltration).
  • Generates very smart alerts, including the full scope of what’s going on in the cyberattack or malicious communications, and doesn’t just throw an alert on every simple misconduct.
  • Allows for unprecedented network visibility into one specific blind spot, making the life of a hunter much easier.
  • Uses technology to present security analysts with the information they need to mitigate and remediate suspicious malicious communications within minutes of a breach, and doesn’t require additional manual investigation to acquire that information.
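To make the egress blind spot concrete, here is an added example (not SecBI’s code, nor part of the original post) of the kind of proactive hunt the author is arguing for: a small script that reads constructed proxy log lines and flags client/destination pairs that connect at near-constant intervals, the beaconing pattern listed above. The log format, hosts and thresholds are assumptions; blocked connections are deliberately kept, since a blocked beacon still reveals an infected host and is exactly the “prevented” alert nobody reviews.

```python
"""Hunt for beacon-like egress in proxy logs (constructed, added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, client IP, destination host,
# proxy action, bytes sent. Not taken from any real environment.
PROXY_LOG = """\
2019-03-04T09:00:02 10.1.1.20 cdn.example-updates.net ALLOW 512
2019-03-04T09:00:10 10.1.1.21 www.news-site.example ALLOW 48211
2019-03-04T09:05:01 10.1.1.20 cdn.example-updates.net ALLOW 514
2019-03-04T09:07:33 10.1.1.21 www.news-site.example ALLOW 9120
2019-03-04T09:10:03 10.1.1.20 cdn.example-updates.net ALLOW 510
2019-03-04T09:15:02 10.1.1.20 cdn.example-updates.net BLOCK 511
2019-03-04T09:20:01 10.1.1.20 cdn.example-updates.net ALLOW 513
2019-03-04T09:22:45 10.1.1.21 mail.example.org ALLOW 2033
"""


def parse_lines(text):
    """Parse the assumed space-separated format into tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, action, size = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, action, int(size)))
    return rows


def find_beacons(rows, min_hits=4, max_jitter=0.1):
    """Return (src, dst, period_seconds, hits) for pairs whose inter-connection
    gaps are near-constant (coefficient of variation <= max_jitter).
    ALLOW and BLOCK rows are both counted: the periodicity, not the verdict,
    is the signal a hunter cares about."""
    by_pair = defaultdict(list)
    for ts, src, dst, _action, _size in rows:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, dst, round(avg), len(stamps)))
    return findings


if __name__ == "__main__":
    for src, dst, period, hits in find_beacons(parse_lines(PROXY_LOG)):
        print(f"{src} -> {dst}: {hits} connections every ~{period}s")
```

On real proxy exports the same logic runs per day of logs; the thresholds trade false positives against missed slow or heavily jittered beacons and need tuning per environment.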

If you would like to discuss these ideas at greater length or see how SecBI allows SOCs to investigate suspicious incidents that would traditionally be overlooked by existing solutions, contact us.
