Attacks and defences adapt and evolve in a continuing dance. As a new technique is developed, its effectiveness increases rapidly until it is ready for deployment. Once deployed, broad exposure to real-world scenarios, feedback to the development team, and inclusion in other defences further improves its effectiveness. The enhancement continues until it reaches a level of effectiveness that prompts adversaries to respond. At this stage, attackers experiment and discover ways to evade this type of defence and develop countermeasures to reduce its value. The security industry’s challenge is to improve the lifecycle of threat defence effectiveness, something that requires foundational research, new classes of products, heavy development time and effort, and a sustained focus, often by multiple industry participants working together, writes Raj Samani, Chief Technology Officer, EMEA, Intel Security.
Reduce asymmetry of information
Adversaries have more information about our defences than we have about their attacks, and this asymmetry significantly influences the threat defence effectiveness curve. Preventing attackers from testing against us is very difficult and possibly unsolvable. However, sharing information about attacks more broadly is one of the critical initial steps that we can take to address this asymmetry. When we share and combine information about attacks, we better understand what the attackers are doing to find weaknesses in our algorithms. That allows us to more quickly adapt and improve defences.
Make attacks more expensive or less profitable
Money is the primary motivation of most cyberattacks. If we can change the economics of the attack process, reduce the success rate of attacks, and make capture more likely, then we can make targets less interesting. Analysing law enforcement data, we find that investigation and prosecution of cybercrime is inversely related to the severity of the crime. With physical crimes, prosecution is oriented toward the most serious crimes. With cybercrime, high-level attacks are more difficult to investigate and prosecute because they often cross multiple jurisdictions, and the attackers behind them often have more skills and resources with which to evade detection and prosecution. One potential response to this is to deceive attackers and increase the time they spend on a given attack, making them easier to trace, identify, capture, and prosecute.
Improve visibility
Security operations within companies and security vendors are shifting their focus from IT assets to data assets and from “pseudo-absolute” defensive coverage to informed risk management. We have tools that can identify and classify data, monitor its usage, apply appropriate policies, or block movement if necessary. With these tools, organisations can more effectively quantify their risk profile, identify critical gaps, and appropriately focus resources. Good organisations compare basic statistics to the previous month, much like accounting. Better organisations work to build regional, national, and industry benchmarks for comparison, like investors. However, many common security metrics are not very actionable. There is much more to be done to be able to act, in near real time, on threatening activities seen in the protected environment.
Identify exploitation of legitimacy
Telling the difference between a legitimate tool used for a legitimate purpose and the same tool used for suspicious activity is very difficult. The only approach we have now is behavioural analytics, which is in its cybersecurity infancy. It is a good start, but we also need to move toward a model that conducts legitimacy tests for every transaction, not just for files and credentials. We need to analyse actions and data movement and try to determine intent, whether from an external actor or an unauthorised insider. This step requires knowing a lot more about the context of the activity.
One controversial possibility is the development of user reputation and predictive analytics. The concept is to assess the probability of a given account being breached, stolen, or used for unauthorised insider activity. By collecting user behaviour in context, from the tendency to reuse passwords on different systems to the job description and typical working hours, we can compare each action to a set of expected legitimate activities and flag those that are outside a given level of risk. This is a sensitive area. We will have significant privacy, ethics, and legal issues to address before this technique enters the mainstream.
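The comparison described above, each action scored against a per-user set of expected legitimate activities (working hours, usual hosts, actions that fit the job role, and a context signal such as known password reuse), can be sketched in a few dozen lines. The block below is an added illustration, not code from the article or from Intel Security; the baseline fields, the weights, the threshold and the log lines are all constructed for the example.

```python
"""Constructed example: score user actions against a per-user baseline and flag
those whose risk exceeds a threshold. Names, weights and sample data are
hypothetical; they are not from the article or from any product."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Baseline:
    role: str
    work_hours: tuple              # (start_hour, end_hour), local time, end exclusive
    usual_hosts: frozenset         # hosts this user normally works from
    expected_actions: frozenset    # actions this role normally performs
    reuses_passwords: bool         # context signal from a separate credential check


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    host: str
    action: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line of the form 'user, ISO-8601 time, host, action'."""
    user, ts, host, action = [f.strip() for f in line.split(",")]
    return Event(user, datetime.fromisoformat(ts), host, action)


def score_event(ev: Event, base: Baseline) -> tuple[int, list[str]]:
    """Additive risk score; each reason explains one deviation from the baseline."""
    score, reasons = 0, []
    start, end = base.work_hours
    if not (start <= ev.ts.hour < end):
        score += 2
        reasons.append("outside typical working hours")
    if ev.ts.weekday() >= 5:                       # Saturday = 5, Sunday = 6
        score += 1
        reasons.append("weekend activity")
    if ev.host not in base.usual_hosts:
        score += 3
        reasons.append("unfamiliar host")
    if ev.action not in base.expected_actions:
        score += 3
        reasons.append(f"'{ev.action}' not expected for role {base.role}")
    if base.reuses_passwords:
        score += 1
        reasons.append("account known to reuse passwords elsewhere")
    return score, reasons


def flag_events(lines, baselines, threshold=4):
    """Return (event, score, reasons) for every event at or above the threshold.
    An event for a user with no baseline is always returned for review."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        base = baselines.get(ev.user)
        if base is None:
            flagged.append((ev, threshold, ["no baseline for user"]))
            continue
        score, reasons = score_event(ev, base)
        if score >= threshold:
            flagged.append((ev, score, reasons))
    return flagged


# Constructed baselines for two hypothetical users.
BASELINES = {
    "alice": Baseline("accounts-payable", (8, 18), frozenset({"ws-fin-01"}),
                      frozenset({"login", "open_invoice", "approve_payment"}), False),
    "bob": Baseline("helpdesk", (7, 19), frozenset({"hd-01", "hd-02"}),
                    frozenset({"login", "reset_password", "view_ticket"}), True),
}

# Constructed log lines (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
LOG = [
    "alice, 2024-03-12T10:15:00, ws-fin-01, approve_payment",   # normal: score 0
    "alice, 2024-03-12T23:40:00, ws-fin-01, approve_payment",   # late, but known host/action: 2
    "alice, 2024-03-16T23:40:00, vpn-gw-03, export_ledger",     # weekend, new host, odd action: 9
    "bob, 2024-03-12T09:00:00, hd-02, reset_password",          # only the reuse signal: 1
    "bob, 2024-03-12T09:05:00, hd-02, approve_payment",         # finance action from helpdesk: 4
    "mallory, 2024-03-12T09:05:00, hd-02, login",               # no baseline at all
]

if __name__ == "__main__":
    for ev, score, reasons in flag_events(LOG, BASELINES):
        print(f"{ev.user} {ev.ts.isoformat()} {ev.action}: score {score}; " + "; ".join(reasons))
```

The weights are deliberately crude; the point is the shape of the check. Each deviation carries an explanation, so an analyst reviewing a flagged event sees why it crossed the line, and the threshold can be tuned per role without touching the scoring rules. The privacy and legal concerns the text raises apply to exactly the context fields this example collects.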
Protect decentralised data
Data is moving around outside of the corporate perimeter, making it much more vulnerable to unintentional leaks and targeted attacks. It is moving to clouds and personal devices, as well as to partners, suppliers, and customers. Less than 20% of an organisation’s data ever moves in this extended ecosystem, yet 70% of data loss is connected to this movement. Today some try to protect this type of data movement by encrypting it and sending decryption keys in a separate email, passing on the responsibility for protection to the next person in the chain. This results in a very small sphere of trust. We need to figure out how to extend the sphere of trust while maintaining better control.
Data classification and loss prevention systems represent early efforts to manage and extend the sphere of trust for decentralised data. Security that moves with the data, enabling persistent policy enforcement, is the next step. We need to be able to protect data during its next use, similar to digital rights management mechanisms.
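One way to make a usage policy travel with the data, so that the next recipient's system enforces it rather than the previous person in the chain, is to bind the policy to the payload with an integrity tag and evaluate the policy before the payload is released. The block below is an added example, not code from the article or from any Intel Security product; it uses only Python's standard library, so it demonstrates policy binding and enforcement with an HMAC and leaves out confidentiality (a real design would wrap the same envelope in an AEAD cipher and manage the key per recipient). The shared key, the policy fields and the sample payload are constructed.

```python
"""Constructed example of a 'sticky' policy bound to a payload with an HMAC.
The key, policy schema and data are hypothetical, not from the article."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _canonical(policy: dict) -> bytes:
    """Canonical JSON so sender and receiver MAC exactly the same bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, payload: bytes, policy: dict) -> dict:
    """Attach a policy to a payload; the tag covers both, so neither can be
    altered independently without the key."""
    policy_json = _canonical(policy)
    tag = hmac.new(key, policy_json + b"\n" + payload, hashlib.sha256).hexdigest()
    return {"policy": policy_json.decode(), "payload": payload.hex(), "tag": tag}


def open_envelope(key: bytes, env: dict, recipient: str, now: datetime):
    """Verify the tag, then enforce the policy at the point of use.
    Returns (payload, 'ok') or (None, reason)."""
    policy_json = env["policy"].encode()
    payload = bytes.fromhex(env["payload"])
    expected = hmac.new(key, policy_json + b"\n" + payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["tag"]):      # constant-time comparison
        return None, "integrity check failed: policy or payload altered"
    policy = json.loads(policy_json)
    if recipient not in policy["recipients"]:
        return None, f"{recipient} not in policy recipients"
    if now > datetime.fromisoformat(policy["expires"]):
        return None, "policy expired"
    return payload, "ok"


# Constructed demo data.
KEY = b"constructed-demo-key-do-not-reuse"
POLICY = {"recipients": ["alice@example.com"], "expires": "2024-04-01T00:00:00+00:00"}
ENVELOPE = seal(KEY, b"Q3 forecast: confidential", POLICY)


def demo() -> dict:
    """Exercise the four outcomes: allowed, wrong recipient, expired, tampered policy."""
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)
    late = datetime(2024, 5, 1, tzinfo=timezone.utc)
    # A recipient tries to widen the policy by editing the JSON in transit.
    tampered = dict(ENVELOPE)
    tampered["policy"] = ENVELOPE["policy"].replace(
        '"alice@example.com"', '"alice@example.com","bob@example.com"')
    return {
        "allowed": open_envelope(KEY, ENVELOPE, "alice@example.com", now),
        "wrong_recipient": open_envelope(KEY, ENVELOPE, "bob@example.com", now),
        "expired": open_envelope(KEY, ENVELOPE, "alice@example.com", late),
        "tampered": open_envelope(KEY, tampered, "bob@example.com", now),
    }


if __name__ == "__main__":
    for case, (payload, status) in demo().items():
        print(f"{case}: {status}" + (f" -> {payload!r}" if payload else ""))
```

The policy is canonicalised before it is tagged so that a receiver re-serialising it with different key order or whitespace still verifies, and the tag is checked with a constant-time comparison before any policy field is trusted. Whoever holds the key can of course re-seal the data, which is why this only extends the sphere of trust to systems that are issued the key, not to arbitrary downstream parties.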
Detect and protect without agents
So much of our history and strength in security is based on having an agent running on the device we are protecting. However, with the onset of technologies like IoT, the future of cybersecurity, and the solution to most of these big, hard-to-solve problems, must lie in an agentless security world.
The evolution to agentless security is already underway, with early solutions attacking the problem from multiple directions. Chip designers are enhancing hardware-level security, memory protection, and trusted execution environments. Behavioural analytics products watch from the outside, ready to quarantine and investigate devices that are doing something suspicious or anomalous. Processing and analysis still have to happen somewhere, but we will increasingly leverage flexible computing resources instead of dedicated agents. Distributed enforcement points are already emerging that will spread enforcement throughout a network of devices, with multiple points communicating and collaborating in real time about their detection and protection actions.
In summary, increasing our threat defence effectiveness throughout the security industry will be key to staying ahead of the adversaries. It is critical that multiple industry participants work together to solve big-picture problems that cannot be addressed by simple patches or software updates. We need to share information more broadly among industry leaders to not only give us greater volume and detail in telemetry, but also aid in deception techniques. By increasing our use of predictive analytics, improving security visibility with both organisational assets and decentralised data, and reducing our use of dedicated agents, we can better protect, detect and correct cyber-attacks and increase our effectiveness in the threat defence lifecycle.