Attackers today use multiple techniques to penetrate an organisation's infrastructure and compromise its vital data assets or systems. In the opinion of Raj Samani, VP and CTO at Intel Security EMEA, this problem has only been exacerbated by the proliferation of the cloud and IoT, and today's targeted multiphase attacks consist of a series of steps that make up the cyberattack chain: reconnaissance, scanning for vulnerabilities, exploitation and, finally, exfiltration of valuable corporate data.
As attacks grow in complexity, precision, and volume, yesterday’s approach to Threat Intelligence (TI) is no longer adequate. Investigating targeted attacks is no easy task. The dynamic behaviour of the attackers, the greater variety and availability of local and global threat intelligence sources, and the diversity of TI data formats can make the aggregation and digestion of threat intelligence into security operations centre (SOC) tools more challenging than ever before.
A mixed-vendor environment, which is typical of most enterprises, adds to the difficulty of sharing event data and promoting event visibility throughout the organisation. As Gartner points out in its report, Technology Overview for Threat Intelligence Platforms, “An organisation’s inability to share TI is an advantage to cyber threat actors. TI sharing is a force multiplier and is becoming a key element in keeping up with the increasing number of threat actors and the attacks they use”.
The case against point solutions
Sharing threat intelligence alone will not necessarily result in sustainable corrective action and prevention. Security analysts can quickly become overwhelmed with too much information. Most security teams are engaged in an exhausting manual process of analysing millions of security events and suspicious files in an effort to piece together a mountain of data and try to reconstruct the targeted attack. Ultimately, this impairs the thoroughness and speed of the response process. With a less-than-complete comprehension of threats, security teams are struggling to contain attacks in a timely manner.
These challenges result from insufficient integration between the inspection, intelligence gathering, analytics, and enforcement elements of the security architecture. Silos of data and point controls complicate operations and increase risk. For example, the data each control generates and the context of each situation are poorly captured and seldom shared. A firewall may block a payload coming from an untrusted domain because it knows about communications, not malware; it will permit the same payload when it arrives through a trusted domain. Similarly, anti-malware could block an unknown payload received from a known bad address, but only if it were able to look beyond the payload itself and take the source IP address into account.
Unintegrated security functions like these keep organisations in a firefighting mode, always reacting and pouring human resources into each breach. Process inefficiency exhausts scarce investigative resources and lengthens the timeline in which data and networks are exposed to determined attackers. These islands of security products, data sets, and operations give sophisticated attackers ample space and white noise in which to enter, hide, and persist within the targeted organisation.
An integrated approach to the threat defence lifecycle
Integration improves effectiveness, as active sharing of data and accelerated cross-control processes make it practical and possible for every security control to leverage the strengths and experiences of the others around it. It is an adaptive threat prevention model that is quickly replacing traditional, unintegrated architectures as security teams work to achieve sustainable advantage against complex threats.
Rather than treating each malware interaction as a stand-alone event, an adaptive threat prevention model integrates processes and data through an efficient messaging layer. This provides reinforced levels of inspection and analysis informed by expanded forms of intelligence and connects end-to-end components to generate and consume as much actionable intelligence as possible from each contact and process.
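The following is an added example, not code from the article or from Intel Security, of the messaging-layer idea just described and of the firewall/anti-malware gap in the earlier section. A firewall (which understands domains), an anti-malware scanner (which understands payload hashes) and a threat-intelligence feed each publish what they know to a shared bus, and each control reads the others' verdicts before deciding. The `ThreatBus` class, the control functions, the `.example` domains, the RFC 5737 test addresses and the `sha256:h1`-style hashes are all constructed for illustration; the scenarios show the same four connections decided first by siloed controls and then by integrated ones.

```python
"""Toy adaptive-threat-prevention messaging layer (constructed example)."""
from collections import defaultdict


class ThreatBus:
    """Shared context store with a simple publish/read interface: each control
    publishes verdicts on indicators (domain, ip, sha256) and reads what the
    other controls and the intel feed have published."""

    def __init__(self):
        self.verdicts = defaultdict(dict)   # kind -> {value: (verdict, source)}
        self.links = defaultdict(set)       # sha256 -> {(kind, value)} it arrived with
        self.log = []                       # every published message, in order

    def publish(self, source, kind, value, verdict):
        self.verdicts[kind][value] = (verdict, source)
        self.log.append((source, kind, value, verdict))

    def link(self, sha256, kind, value):
        """Record that a payload hash was observed arriving from an indicator."""
        self.links[sha256].add((kind, value))

    def is_bad(self, kind, value):
        return self.verdicts[kind].get(value, ("unknown", None))[0] == "malicious"

    def payload_seen_from_bad_source(self, sha256):
        return any(self.is_bad(k, v) for k, v in self.links[sha256])


# --- Siloed controls: each decides only on the one thing it understands ------

def siloed_firewall(untrusted_domains, conn):
    """Knows about communications (domain reputation), not payload content."""
    return "block" if conn["domain"] in untrusted_domains else "allow"


def siloed_antimalware(known_bad_hashes, conn):
    """Knows about payload content (hash reputation), not where it came from."""
    return "block" if conn["sha256"] in known_bad_hashes else "allow"


# --- Integrated controls: same knowledge, now shared through the bus ---------

def integrated_firewall(bus, untrusted_domains, conn):
    domain, ip, sha = conn["domain"], conn["ip"], conn["sha256"]
    bus.link(sha, "domain", domain)      # give the scanner source context
    bus.link(sha, "ip", ip)
    if domain in untrusted_domains:
        bus.publish("firewall", "domain", domain, "malicious")
        return "block"
    # Consume the scanner's verdicts: a payload it has already convicted is
    # blocked at the perimeter even when the delivering domain is trusted.
    if bus.is_bad("sha256", sha):
        return "block"
    return "allow"


def integrated_antimalware(bus, known_bad_hashes, conn):
    sha = conn["sha256"]
    if sha in known_bad_hashes:
        bus.publish("antimalware", "sha256", sha, "malicious")
        return "block"
    # Consume source context: an unknown payload that arrived from a known-bad
    # IP or domain (per the firewall or the intel feed), or that was earlier
    # seen coming from one, is convicted instead of being waved through.
    if (bus.is_bad("ip", conn["ip"]) or bus.is_bad("domain", conn["domain"])
            or bus.payload_seen_from_bad_source(sha)):
        bus.publish("antimalware", "sha256", sha, "malicious")
        return "block"
    return "allow"


def run_scenarios():
    """Returns a list of (siloed_verdict, integrated_verdict) per connection."""
    untrusted_domains = {"bad.example"}            # constructed firewall list
    known_bad_hashes = {"sha256:deadbeef"}         # constructed scanner list
    connections = [                                # constructed traffic
        {"domain": "bad.example", "ip": "203.0.113.7", "sha256": "sha256:h1"},
        {"domain": "cdn.example", "ip": "198.51.100.10", "sha256": "sha256:h1"},
        {"domain": "mirror.example", "ip": "203.0.113.5", "sha256": "sha256:h2"},
        {"domain": "cdn.example", "ip": "198.51.100.10", "sha256": "sha256:h1"},
    ]
    bus = ThreatBus()
    bus.publish("intel_feed", "ip", "203.0.113.5", "malicious")  # global TI

    results = []
    for conn in connections:
        siloed = "block" if "block" in (siloed_firewall(untrusted_domains, conn),
                                        siloed_antimalware(known_bad_hashes, conn)) else "allow"
        fw = integrated_firewall(bus, untrusted_domains, conn)
        av = integrated_antimalware(bus, known_bad_hashes, conn) if fw == "allow" else "skipped"
        integrated = "block" if "block" in (fw, av) else "allow"
        results.append((siloed, integrated))
    return results


if __name__ == "__main__":
    for i, (siloed, integrated) in enumerate(run_scenarios(), 1):
        print(f"connection {i}: siloed={siloed} integrated={integrated}")
```

Connection 1 is blocked either way (untrusted domain). Connection 2 is the gap the article describes: the same payload via a trusted domain passes both siloed controls, but the integrated scanner blocks it because the bus remembers it was first seen coming from a convicted domain. Connection 3 is an unknown payload from an address the intel feed has flagged, which only the integrated scanner catches. Connection 4 shows the feedback in the other direction: once the scanner has published its verdict, the integrated firewall blocks the payload at the perimeter without scanning it again.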
Protect, detect, correct
The shift to adaptive threat prevention helps overcome the all-too-common functional fences that shackle detection, response, and any chance of improved prevention. This transformation requires IT teams to adopt a protect-detect-correct approach. Protection involves enabling users to be more productive while blocking the most pervasive attacks and disrupting never-before-seen techniques and payloads. Detection requires gathering both local and global security intelligence, integrating an array of behavioural and contextual analytics, and leveraging centralised management for better insight, more effective threat identification, and faster investigation of events. Finally, correction should streamline the threat defence lifecycle by facilitating triage, investigation, and remediation, all while learning from security incidents and continually evolving, giving the organisation better protection going forward.
By unifying protection, detection and correction with real-time centralised management into an adaptive feedback loop, known as the threat defence lifecycle, security then evolves and learns in an iterative cycle that improves over time. This model helps organisations become more effective at blocking threats, identifying compromises, and implementing remediation as well as countermeasure improvements more quickly.