5 Tips to transform your current security operations

Author: Sergio Hernando, 28 January 2013

Attack after attack we learn new things. One lesson that keeps coming back is that attack sophistication is increasing, and there is a reason for that: sophistication enables attackers to evade security controls and to remain undetected for long periods of time, which is what makes them successful. Success could mean leaking confidential information, gaining access to financial resources or even being able to carry out sabotage. There are many attacker profiles, and they pursue many different objectives.

One example we can introduce is the so-called "Operation Red October", a large-scale cyber espionage network using very sophisticated techniques, as recently reported by Kaspersky Lab. The network is believed to have been active for at least 5 years, with diplomatic and government institutions worldwide as its main targets. Research institutions, energy research, oil and gas companies, aerospace and military organisations have apparently also been targeted.

We can highlight some factors that make this network quite unique: intensive information harvesting; a takeover-resilient, proxy-chained command and control infrastructure that effectively hides the true source from which the operation was being run; and a multi-functional framework able to target not only workstations but also mobile devices, network equipment and e-mail databases. There are many advanced capabilities in "Red October" that clearly indicate a very sophisticated and organised attack, presumably carried out by very experienced and well-organised actors.

But that is just one example of the many we can collect from the daily headlines. What worries me more are the ongoing cases that no one knows about yet and that will hit the headlines in months or years, or the incidents that will never make the news because they will never be discovered. Given this scenario we need to assume that we are in a permanent state of compromise. While you read this article, your company could actually be suffering a security incident that may disrupt your business operations, your reputation or your ability to recover. Or perhaps you were breached 6 months ago, and the attackers have already left after gathering all the information they wanted, making sure you would not notice that, for some time, they were at the heart of your business.

When a client asks me "and what can I do about this?" I need to be frank and honest: we can help them, but this will not guarantee that they will never be breached. It is naive to think that we can be ready and resilient for every potential compromise scenario, and that includes not only organised crime, but also state actors, hacktivists and even amateurish e-crime. It is hard enough to be ready for known threats; imagine how much harder it is to be ready for threats you do not even know about or cannot quantify. But this is not a lost battle at all: we can improve the way we run our security, with the expectation of limiting as much as possible the collateral damage emerging from a security incident.

Perhaps a good way to start this journey is to put a new way of thinking on the table. Dealing with cyber risk is a multifaceted exercise, but it always needs to start with a change of paradigm. Threats have evolved, and so have the attackers and the technology we use to enable our businesses. Therefore security also needs to change, to accommodate the changes we have already seen and, more importantly, to be agile enough to accommodate the never-ending list of new scenarios and risks. Don't get me wrong, this is not about starting from scratch: it is good to invest in prevention, as this helps with the threats we can quantify (we are not always going to be attacked by nation state actors or top-notch professional e-crime; less knowledgeable actors may target us too, and they are likely to use less sophisticated methods we can easily detect and respond to). But we also need to be ready to deal with the unknown and the more sophisticated, and to react whenever we find out we have been compromised. On a permanent basis.

There is no magic recipe for how to articulate this. As with any other security discipline, security operations needs 3 dimensions to be covered: people, processes and technology, and all of them need to be present in our approach. Cyber risk is not something we can tackle just by issuing policies, buying an IDS or hiring security professionals. An in-depth transformation needs to happen, and the way to move ahead is unique to every organisation: different business risks and tolerances, threat profiles, existing gaps, technologies and awareness levels require different approaches.

Bearing these complexities in mind, I'd like to share with you 5 ideas that may help you transform your security operations on this journey:

  1. The most effective way for an attacker to remain silent and unnoticed is to simulate normal behaviour. If an attacker is able to mimic business traffic, it is going to be almost impossible to determine that an attack is ongoing, or to capture the early indicators of a compromise. Therefore it is a good idea to add specific business context information to your SIEM consoles, so that you can understand what is normal for a given user, system or process and what is not, and to give your security professionals the ability to pivot not only on real-time data but also on historical data. This is what you probably know as big data security.
  2. Attackers in general are well funded, organised and increasing their capabilities at an extraordinary rate. Adding intelligence to your security operations deployment is therefore fundamental. As a regular business we can generate internal intelligence, but external intelligence is necessary too: fusing business-enriched internal intelligence with external information, such as reputation feeds, social media chatter or other available security feeds, moves us away from a vertical intelligence approach towards a spatial intelligence approach, which gives us enhanced visibility of our threats.
  3. Attackers will not waste a lot of resources trying to exploit infrastructure vulnerabilities unless those vulnerabilities provide easy and direct access to your assets. The really devastating events happen when people become the targets. In a world where interaction outside our boundaries is growing, with business partners, supply chain third parties and global employee networks, the whole chain needs to be in scope, since any link in it could be an entry point to your data and assets.
  4. Correlation used to be a good approach for monitoring purposes. Rule-based systems made the difference some years ago. Now they don't. The infrastructure focus can help with commodity attacks, and monolithic use cases can articulate your prevention and response, but what really makes the difference here is the transition to an adaptive risk perspective and threat modelling, with enhanced visibility and situational awareness, to be able to deal with the attacks you have not experienced before.
  5. Unfortunately, this is not a one-time exercise. Do your best to raise your security capabilities to at least the bare minimum needed to cover the risks you can quantify. Then move to the next level, and build on top of that foundation the items necessary to deal with emerging and sophisticated attacks. Bear in mind that attackers are working 24x7, worldwide, and that they have patience and resources. Security operations needs to be continuously improved to be able to deal with ever-changing threats.
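To make tips 1, 2 and 4 concrete, here is an added example (not code from the original article): a small SIEM-style scorer that builds a per-user baseline from historical log data, adds business context (role and working hours), fuses in an external reputation feed, and only alerts when several weak signals stack up, rather than on one monolithic rule. The log format, users, hostnames, the business context table and the reputation feed entries are all constructed for the example and are not real indicators.

```python
"""
Added example: per-user behavioural baseline + business context + external
reputation feed, combined into a single risk score per event.
Every log line, hostname and feed entry below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical proxy log: "timestamp user dest_host bytes_out".
HISTORY = """\
2013-01-14T09:12:00 alice crm.example.internal 2100
2013-01-14T10:40:00 alice crm.example.internal 1800
2013-01-15T09:05:00 alice mail.example.internal 900
2013-01-15T14:20:00 alice crm.example.internal 2500
2013-01-16T11:30:00 alice crm.example.internal 2200
2013-01-14T09:30:00 bob git.example.internal 50000
2013-01-15T18:45:00 bob git.example.internal 70000
2013-01-16T09:10:00 bob git.example.internal 65000
"""

# Constructed business context (tip 1): role and expected working hours.
BUSINESS_CONTEXT = {
    "alice": {"role": "sales", "hours": (8, 19)},
    "bob":   {"role": "developer", "hours": (8, 22)},
}

# Constructed external reputation feed (tip 2); hypothetical indicator only.
REPUTATION_FEED = {
    "update-cdn.example.net": "listed as C2 by hypothetical feed",
}


def parse(line):
    """Parse one constructed log line into a dict."""
    ts, user, host, nbytes = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "host": host, "bytes": int(nbytes)}


def build_baseline(history_text):
    """Per-user 'normal': destinations seen and historical mean/max bytes out."""
    per_user = defaultdict(list)
    for line in history_text.splitlines():
        ev = parse(line)
        per_user[ev["user"]].append(ev)
    baseline = {}
    for user, events in per_user.items():
        sizes = [e["bytes"] for e in events]
        baseline[user] = {
            "hosts": {e["host"] for e in events},
            "mean_bytes": sum(sizes) / len(sizes),
            "max_bytes": max(sizes),
        }
    return baseline


def score_event(ev, baseline, context, feed):
    """Return (score, reasons). Each signal adds weight; none alone decides."""
    score, reasons = 0, []
    user_base = baseline.get(ev["user"])
    ctx = context.get(ev["user"])
    if user_base is None or ctx is None:
        return 3, ["unknown user: no baseline or business context"]
    start, end = ctx["hours"]
    if not (start <= ev["ts"].hour < end):
        score += 1
        reasons.append(f"outside {ctx['role']} working hours")
    if ev["host"] not in user_base["hosts"]:
        score += 1
        reasons.append("destination never seen for this user")
    if ev["bytes"] > 3 * user_base["max_bytes"]:
        score += 2
        reasons.append(f"{ev['bytes']} bytes out vs historical max {user_base['max_bytes']}")
    if ev["host"] in feed:
        score += 3
        reasons.append(f"external intel: {feed[ev['host']]}")
    return score, reasons


def triage(lines, history=HISTORY, context=BUSINESS_CONTEXT,
           feed=REPUTATION_FEED, threshold=3):
    """Score each new event against the baseline; return those worth an analyst."""
    baseline = build_baseline(history)
    alerts = []
    for line in lines:
        ev = parse(line)
        score, reasons = score_event(ev, baseline, context, feed)
        if score >= threshold:
            alerts.append((ev["user"], ev["host"], score, reasons))
    return alerts


# Constructed "today's" events to run through the scorer.
TODAY = [
    "2013-01-28T10:15:00 alice crm.example.internal 2300",     # normal for alice
    "2013-01-28T02:40:00 alice update-cdn.example.net 48000",  # small, but abnormal for alice
    "2013-01-28T21:10:00 bob git.example.internal 68000",      # large, but normal for bob
]

if __name__ == "__main__":
    for alert in triage(TODAY):
        print(alert)
```

Note what a single global rule such as "alert on more than 50 kB outbound" would do here: it fires on bob every working day and never on alice, whose 48 kB transfer at 02:40 to a host she has never contacted is the event that actually deserves attention. The per-user baseline turns that transfer into a strong signal, the business context adds the off-hours observation, and the reputation feed provides the external confirmation; the verdict comes from the combination, which is the point of moving from monolithic rules to an adaptive, context-aware view.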

I realise it is very easy to put these 5 ideas on a piece of paper (or a screen), but each has profound implications when it has to land in a real enterprise environment. I'm willing to discuss your specific situation with you; feel free to call me or send me a line. If you have already covered the 5 items above, let me congratulate you and encourage you to keep improving your security.
