As successful data breaches are carried out seemingly at will, it’s obvious we need to adapt our defenses to match them.
“Know your enemy” is a common mantra among security professionals. The industry has quickly developed a great understanding of the well-funded, highly structured, targeted cyberattack. In contrast, our defenses remain fragmented, both technically and operationally. Disorganization only makes an attack easier for the adversary to execute — and makes our jobs as defenders all the more difficult, time-consuming and inefficient.
As legacy perimeter and signature-based defenses have proven to be fundamentally flawed, a sharper focus must be put on understanding exactly how our adversaries carry out attacks and designing equally structured response systems to disrupt their efforts.
While organizations have many models for structuring their IT security and operations teams, we find the best ones recognize the need to integrate these two groups. They structure them to provide both proactive and reactive security functions that map directly to the attack.
Proactive: Getting Ahead With Endpoint Protection
Why is a proactive security component so critical, and what exactly does a proactive strategy mean? Consider the following simple but devastating statistics:
- Just 54 new zero-day exploits were discovered in 2015; with so few available, the vast majority of successful attacks did not rely on one.
- The vast majority of attacks — 99.9 percent — exploit existing, known vulnerabilities.
- About 90 percent of attacks leverage the same 10 CVEs, some of which have been known for years.
Based on these numbers, it is clear that organizations could take some highly effective preemptive measures to make it more difficult for an attacker to gain a foothold in any given environment. A continuous cycle of endpoint management and patching, one that constantly discovers, evaluates and removes vulnerabilities, drastically reduces overall risk.
Security and IT operations teams should focus on the flaws attackers are actually utilizing. This is more effective than the overwhelming task of trying to eliminate every known vulnerability or focusing too heavily on sophisticated mechanisms that are rarely used.
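The prioritization described above can be made mechanical: rank each open finding so that a flaw known to be exploited in the wild outranks every other factor, then break ties by exposure, severity and age. The following is an added example, not code from this article or from any IBM or Carbon Black product. The scoring weights, the `Finding` fields, the inventory and the `ACTIVELY_EXPLOITED` set are all constructed for illustration, and the `CVE-0000-*` identifiers are placeholders that refer to no real vulnerability; in practice the exploited set would be fed from threat intelligence or endpoint telemetry.

```python
"""Rank vulnerability findings so the flaws attackers actually use are patched first.

Added example; not part of the original article or of any vendor product.
All data is constructed. CVE-0000-* identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float              # base score, 0-10
    internet_facing: bool    # host reachable from outside the perimeter
    patch_available: bool
    days_since_disclosure: int


# Constructed: CVEs currently observed in real attacks. A real deployment would
# populate this from threat intel feeds or EDR telemetry, not hard-code it.
ACTIVELY_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}


def priority(f, exploited=ACTIVELY_EXPLOITED):
    """Higher score = patch sooner. Exploited-in-the-wild dominates every other factor."""
    score = 0.0
    if f.cve in exploited:
        score += 100.0                    # the tier that matters most
    if f.internet_facing:
        score += 20.0                     # reachable by the attacker without a foothold
    score += f.cvss                       # severity only breaks ties within a tier
    # Old, still-unpatched flaws are the ones attackers keep reusing; cap at 5 years.
    score += min(f.days_since_disclosure / 365.0, 5.0)
    if not f.patch_available:
        score *= 0.5                      # needs a mitigation ticket, not a patch ticket
    return round(score, 2)


def patch_order(findings):
    """Findings sorted into the order they should be patched; host/CVE make it stable."""
    return sorted(findings, key=lambda f: (-priority(f), f.host, f.cve))


def coverage_of_exploited(findings, top_n, exploited=ACTIVELY_EXPLOITED):
    """Fraction of findings on exploited CVEs removed by patching only the top N entries.

    This is the number to report upward: how much of the attacker-relevant exposure
    a given patch batch actually closes."""
    exploited_findings = [f for f in findings if f.cve in exploited]
    if not exploited_findings:
        return 1.0
    covered = [f for f in patch_order(findings)[:top_n] if f.cve in exploited]
    return len(covered) / len(exploited_findings)


FINDINGS = [  # constructed sample inventory
    Finding("web-01", "CVE-0000-0001", 7.5, True, True, 900),
    Finding("web-01", "CVE-0000-0002", 9.8, True, True, 30),
    Finding("db-01", "CVE-0000-0003", 6.5, False, True, 1200),
    Finding("hr-pc-17", "CVE-0000-0004", 9.1, False, True, 10),
    Finding("web-02", "CVE-0000-0005", 8.8, True, False, 5),
]

if __name__ == "__main__":
    for f in patch_order(FINDINGS):
        print(f"{priority(f):7.2f}  {f.host:10} {f.cve}")
    print("exploited exposure closed by top 2:", coverage_of_exploited(FINDINGS, 2))
```

Note what the ranking does with the constructed data: the CVSS 6.5 flaw on the internal database host outranks the CVSS 9.8 flaw on the internet-facing web server, because the former is on the exploited list and the latter is not. Patching just the top two entries closes all of the exploited exposure in the sample, which is the "focus on what attackers use" argument expressed as a number.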
Reactive: Leveraging Tools to Improve Response
However, even the most proactive teams will be unable to keep all attackers out. Organizations are often poorly equipped to recognize malicious activity within their borders, identify the mechanisms being used and remediate vulnerabilities quickly. This results in extended dwell times before attacks are thwarted and increased losses, as highlighted here:
- The average time required to detect and contain a breach is 271 days.
- Breaches that take more than 100 days to contain cost $1 million more, on average, than those contained sooner.
But almost every step of every attack creates an indicator that an activity has taken place. If all these indicators are collected and analyzed, associations can be made, patterns and anomalies recognized, and root causes identified. With the help of the right tools looking in the right places for the right patterns, we can take the right actions. Adversaries will no longer be able to roam their victims’ infrastructure at will.
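What "collected and analyzed" means in practice is correlation: individual events from the authentication log, the endpoint sensor and the network sensor are each unremarkable, but the same host producing them in sequence inside a short window is the signal, and the earliest event in the sequence is the root cause. The following is an added example, not code from this article or from IBM or Carbon Black. The log line format, the three-stage pattern (external login, office application spawning a script interpreter, outbound connection to an external address), the ten-minute window and the internal address ranges are assumptions chosen for illustration, and the log lines themselves are constructed sample data.

```python
"""Correlate indicators from three sources into a single attack chain per host.

Added example; not the article's or any vendor's detection logic. Line format,
stage pattern, window and address ranges are assumptions; the log is constructed.
Each line: "<ISO timestamp> <source> host=<name> key=value ..."
"""
from datetime import datetime, timedelta

LOG = """\
2016-03-01T09:00:02Z auth host=hr-pc-17 user=jdoe result=success src=203.0.113.5
2016-03-01T09:00:40Z endpoint host=hr-pc-17 parent=winword.exe child=powershell.exe
2016-03-01T09:01:05Z network host=hr-pc-17 dst=198.51.100.23 port=443 bytes=184320
2016-03-01T09:30:00Z auth host=web-01 user=svc-backup result=success src=10.0.0.8
2016-03-01T09:31:10Z network host=web-01 dst=10.0.0.9 port=5432 bytes=2048
2016-03-01T11:00:00Z endpoint host=db-01 parent=explorer.exe child=powershell.exe
"""

INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")   # assumed internal address plan
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}
WINDOW = timedelta(minutes=10)   # how close together the stages must be


def parse(line):
    """One log line -> dict with a datetime 'ts', the 'source', and its key=value fields."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(f.split("=", 1) for f in fields)
    return event


def parse_log(text):
    """All non-empty lines, parsed and sorted by time (sources rarely arrive in order)."""
    return sorted((parse(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIXES)


def find_chains(events):
    """Return (host, [login, spawn, beacon]) for every host where an external login is
    followed within WINDOW by an office app spawning a script host, followed by an
    outbound connection to an external address. Each event alone is noise."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)

    chains = []
    for host, evs in by_host.items():
        for login in evs:
            if not (login["source"] == "auth" and login["result"] == "success"
                    and is_external(login["src"])):
                continue
            deadline = login["ts"] + WINDOW
            spawn = next((e for e in evs
                          if e["source"] == "endpoint" and login["ts"] < e["ts"] <= deadline
                          and e["parent"] in OFFICE_APPS and e["child"] in SCRIPT_HOSTS), None)
            if spawn is None:
                continue
            beacon = next((e for e in evs
                           if e["source"] == "network" and spawn["ts"] < e["ts"] <= deadline
                           and is_external(e["dst"])), None)
            if beacon is None:
                continue
            chains.append((host, [login, spawn, beacon]))
    return chains


def root_cause(chain):
    """The first event of the chain is where the investigation (and remediation) starts."""
    host, (login, _spawn, _beacon) = chain
    return f"{host}: external login by {login['user']} from {login['src']} at {login['ts'].isoformat()}"


if __name__ == "__main__":
    for chain in find_chains(parse_log(LOG)):
        print(root_cause(chain))
        for e in chain[1]:
            print("   ", e["ts"].time(), e["source"], {k: v for k, v in e.items() if k not in ("ts", "source", "host")})
```

In the constructed log only `hr-pc-17` produces the full sequence; `web-01` has a login and an outbound connection but both are internal, and `db-01` has a script interpreter spawned by `explorer.exe`, which is an ordinary user action. Each of those single events would be a false positive if alerted on alone, which is the point of correlating across sources rather than matching signatures in one of them.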
As part of our integration partnership, IBM and Carbon Black are developing technology to make the risk identification process easier. By shedding light on which vulnerabilities attackers are actively targeting on your systems, identifying what needs to be immediately patched and providing you with additional context into the relative risk posed by vulnerabilities, we can empower you with the information and context necessary for precise attack detection and vulnerability remediation.