“Some people think the well is only as deep as the water is clear”.
Over the past decade, security organizations, along with deploying preventive technologies such as anti-virus and firewalls, have focused on capturing security logs and events to get insight into what is going on that could affect security. They turned on logging on devices and systems, deployed centralized log management technologies and gathered logs, assuming that they had cleaned their water and given themselves clear sight to the bottom of the well. This has been a key part of getting a handle on threat activity and is an essential part of security management. However, in some respects it has also created another cloudy well full of bits and bytes that can present an even murkier picture. While having more data on what is going on can increase the possibility of detecting a security threat, the probability of actually detecting the threat is most often no better and most likely worse. Obviously you need that data to capture any nefarious happenings. How that data is captured and analyzed has a big impact on the probability of successfully identifying an active security threat. However, more data does not necessarily make for a clearer picture.
At DefCon 21, I saw presentations on several attack vectors that pose significant problems. An attack today can include:
- Deep social reconnaissance through social media outlets (LinkedIn, Facebook, etc.) combined with very targeted social engineering;
- Malware and exploits that change constantly, evading signature-based protection; and
- Communication with Command and Control (C2C) servers through channels such as Twitter and blog posts.
If you go down the laundry list of controls necessary to prevent this type of attack (a security-savvy user, security awareness training, content filtering, anti-virus, patching, network filters, firewalls, etc.), the probability that one of those links in the chain is weak is pretty high. So visibility into what is going on in the network is critical to put the pieces together once that weak link snaps. There are two areas of visibility that need to be addressed here:
Visibility into your existing security data must be improved. Those bits and bytes in your security event well need to be cleansed as much as possible. Installing a filter before pumping that data into your well can definitely help improve the clarity, but for security purposes we need more and more data. So the first tenet of improving visibility is organizing the existing data and cleaning it up. The answer is not only gathering the right data but having an intelligent bucket to drop into that well to pull up specific bits and bytes when the need arises.
Visibility into the empty space between security technologies must be addressed. Whether you admit it or not, there are gaps between the technologies in your security infrastructure. Firewalls, IDS, anti-virus and all of the other technical controls are present to defend against known attack vectors and may be getting better at agile defense. However, there is always a gap between technologies, such as the zero-day exploit that bypasses your signature-based anti-virus or the seemingly normal email from an internal account to a business partner.
We see evidence of these murky waters across the industry. Many security breaches are not identified until weeks after compromise. In many cases, companies are being notified by an external party (law enforcement, customer, partner, etc.) of the breach. The fact that companies are being compromised to this extent, and that this is evident to OUTSIDE parties and not identified by internal teams, is disconcerting. The ability to sift through these murky waters is a key to closing the gap between today’s security risks and tomorrow’s security organization. RSA’s portfolio of products is a good example of technologies that we see as necessary to sift for that clean data for security operations and fill those gaps. RSA Security Analytics is that intelligent data collector into which one can stream the bits and bytes to find the possible active threats. RSA ECAT’s ability to detect and respond to advanced malware helps fill a similar gap on the endpoint.
At both BlackHat and DefCon, I saw examples of blended attacks – combining complex technical exploits with tried and true social engineering – that will foil almost all preventive security systems. Note I said “will” – not “might”. The only true defense to these attack vectors is a blend of preventive (try to educate the user against social attack and/or block the technical exploit), detective (identify the execution of the attack) and corrective (quarantine and contain) controls. Managing security in some respects is all about intelligence – intel on the threats, intel on your own vulnerabilities, intel on the threat landscape; the more intel the better. While you can build higher and higher walls around your fortress, you still need to know the capabilities, nature and intentions of your foes. Higher walls do not protect against an adversary who likes to tunnel through the ground. Continual improvement of the visibility of your own inadequacies and your adversaries’ strengths has been a tenet of proper strategy since Sun Tzu was a toddler.