April 9, 2015 By Gretchen Marx 5 min read

Every year, thousands of companies evaluate their current security posture and implement solutions to help fill gaps in their security programs. The following are four security myths that may keep your organization from moving to a higher level of security:

Myth: Your Company Is Not Infected

Reality: Attackers Bypass Traditional Security Defenses Every Day

Your company is infected; every company is getting attacked every day. What makes it so hard to find the attackers? They certainly don’t stand up and say, “Hi, I’m in your system.” Instead, they lie low for weeks — even months — until they’re ready to attack critical systems and steal your data. Or, they exploit vulnerabilities on Web-facing applications to quickly grab data before you realize what happened.

There has been a focus on building layered security defenses for years. However, traditional security architectures and tools are failing in today’s threat landscape; they just can’t see the threats. In one study published by the Ponemon Institute, advanced attacks went undetected for an average of 225 days. The following are some ways you can defend against advanced threats:

  • Stop Unknown Threats: Antivirus, firewalls and other signature-based defenses are good at stopping known threats or blocking traffic that matches a specific pattern. However, attackers have gotten incredibly savvy; they know these tools are looking for known signatures. Therefore, they mutate their threats just enough so tools can’t detect them — or worse, they use zero-day exploits nobody knows about. You need to be able to stop threats you’ve never seen before. This requires new technology to identify when attackers are exploiting applications or protocols to gain unauthorized access to systems and install malware. You need to shield against entire classes of vulnerabilities, not match known exploits.
  • Identify Anomalies and Weaknesses: You can find evidence of an attack by analyzing behaviors and identifying anomalies, such as a behavior that is out of the ordinary for the individual, data that is going places it shouldn’t go or users who are logging in from strange locations at unusual times. You also need to alert your security team to weaknesses in their configurations and help them manage the thousands of vulnerabilities they face with automated tools.
  • Understand and Remediate Incidents: If an attacker does get through, your security team needs alerts to detect it quickly. They need to understand what happened so they can remediate it.
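The anomaly-detection idea in the list above (a user logging in from a new location or at an unusual hour for that individual) can be shown concretely. The following is an added example, not code from the original article or its author: it builds a per-user baseline of source countries and login hours from historical authentication events, then scores new events against that baseline. The log format, the user names, the country codes and the one-hour tolerance are all constructed assumptions for illustration; a real deployment would derive the baseline from weeks of data and tune the tolerance to the user population.

```python
"""
Per-user login-anomaly detection over authentication log lines.
Added example; the log format, user baselines and thresholds below are
constructed for illustration and are not from the original article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: historical successful logins used to build a per-user baseline.
BASELINE_LOGS = [
    "2015-03-02T09:12:04Z user=alice src_country=US result=success",
    "2015-03-03T08:55:41Z user=alice src_country=US result=success",
    "2015-03-04T10:02:17Z user=alice src_country=US result=success",
    "2015-03-05T09:30:59Z user=alice src_country=US result=success",
    "2015-03-02T14:10:00Z user=bob src_country=DE result=success",
    "2015-03-03T15:45:12Z user=bob src_country=DE result=success",
    "2015-03-04T13:20:33Z user=bob src_country=FR result=success",
]

# Constructed sample: new events to score against the baseline.
NEW_LOGS = [
    "2015-04-01T09:05:00Z user=alice src_country=US result=success",   # within baseline
    "2015-04-01T03:17:22Z user=alice src_country=RO result=success",   # odd hour and new country
    "2015-04-01T14:30:00Z user=bob src_country=FR result=success",     # within baseline
    "2015-04-01T14:31:00Z user=carol src_country=US result=success",   # user with no history
    "2015-04-01T14:32:00Z user=bob src_country=DE result=failure",     # failures are not scored
]


def parse_line(line):
    """Split '<timestamp> key=value ...' into a dict; 'ts' becomes a datetime (UTC)."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(lines):
    """Per user: the set of source countries and the set of UTC hours seen in successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for event in map(parse_line, lines):
        if event["result"] != "success":
            continue
        entry = baseline[event["user"]]
        entry["countries"].add(event["src_country"])
        entry["hours"].add(event["ts"].hour)
    return baseline


def hour_is_unusual(hour, seen_hours, tolerance=1):
    """True when `hour` is more than `tolerance` hours away from every hour seen before.

    Distance wraps at midnight so 23:00 and 00:00 are one hour apart.
    """
    return all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in seen_hours)


def score_events(lines, baseline):
    """Return (user, iso_timestamp, reasons) for each successful login that deviates from its baseline."""
    findings = []
    for event in map(parse_line, lines):
        if event["result"] != "success":
            continue
        user = event["user"]
        reasons = []
        if user not in baseline:
            reasons.append("no historical baseline for user")
        else:
            entry = baseline[user]
            if event["src_country"] not in entry["countries"]:
                reasons.append(f"new source country {event['src_country']}")
            if hour_is_unusual(event["ts"].hour, entry["hours"]):
                reasons.append(f"login at unusual hour {event['ts'].hour:02d}:00 UTC")
        if reasons:
            findings.append((user, event["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for user, ts, reasons in score_events(NEW_LOGS, baseline):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Run as-is, the script flags alice's 03:17 login from a country she has never used and carol's login because she has no history at all, while bob's afternoon login from a previously seen country passes. Baselining per individual rather than globally is the point: a 14:00 login from France is normal for bob and would be an anomaly for alice.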

Start looking into behavioral controls, advanced analytics, forensics capabilities and threat research to get ahead of the attacks on your company. All this protection has to apply across your entire infrastructure, from your networks and endpoints to your data and applications. It also has to apply in the data center, on physical devices, on virtual machines and in the cloud.

Myth: You Are Spending Your Money Wisely

Reality: Security Spending Does Not Align With Risk

Security is tough. There is a lot to protect and not enough budget to make it all happen. That’s why you should consider taking a risk-based approach.

Organizations are buried in data, but according to one recent study, just 2 percent of the data in a company represents 70 percent of its critical assets, such as customer information, intellectual property, marketing plans and sales plays. Do you know where that information is? Have you identified it? Have you determined whether it is in structured or unstructured form, in the data center or on the cloud? This is crucial to really protecting your organization.

Do you know who is accessing your most critical data? Some of those users, such as database administrators, have elevated privileges. How can you determine whether their actions, either malicious or inadvertent, are putting your data at risk?

Based on a study performed by the Ponemon Institute, the highest security risk is at the application layer. Yet organizations often focus on the network layer, allocating most of their resources and attention there. You are adding new Web and mobile applications on a weekly or possibly even a daily basis. Have you scanned every one of those apps for security holes?

You need to provide protection not only to the data, but to applications that transform that data and the people who access and use it. Adopting a multilayered, risk-based defense can help you protect your critical assets in the data center and the cloud, provide extra protection for privileged users and identify vulnerabilities in Web, mobile and back-end production applications.

With capabilities to discover, protect and monitor your data, applications and people, you can help ensure your organization is guarding the right assets at the right time from bad actors.

Myth: Innovation Is Too Risky

Reality: Cloud and Mobile Will Reinvent Security

It is not a question of if you will use cloud and mobile solutions, but when. The cloud provides the agility and flexibility to allow you to grow your IT capabilities at speed and scale while reducing costs.

As cloud adoption grows, companies have more resources — applications, data and services — residing on different platforms; some run on public clouds, while others run on private clouds. The cloud can give you the opportunity to do security over and do it right with a diverse portfolio of services.

Look for a vendor that has security capabilities that extend from the data center to the cloud so your security team can seamlessly manage both environments. You need to be able to manage user access, protect the data you’re moving to the cloud and identify vulnerabilities in new applications on the cloud, all while maintaining visibility across both the data center and the cloud.

Mobile devices need protection for the device itself, for the content and applications on the device and for the transactions going from the device to your back-end systems.

In short, work with a vendor who can help build security in from the beginning and wrap security around both cloud and mobile initiatives.

Myth: You Can Do This Alone

Reality: Security Requires a Collective Defense

Wouldn’t it be nice if you had access to information about what’s happening right now across the entire Internet? What’s happening to peers in your industry? What are the latest vulnerabilities?

Businesses need to get better about sharing data, because the bad guys sure are.

Look for vendors who embed global threat information in their products and services, and take advantage of sharing resources throughout the industry. Without viable global threat information, your company is operating in the dark. At the same time, you may be challenged to find the right people to staff your security team: Almost 83 percent of companies report that they can’t find people with the needed security skills.

Focus on the security controls for which you have in-house expertise, and look for help from a trusted partner to augment your team where you have gaps.

Busting Security Myths With Thoughtful Intelligence

Traditional security defenses are no match for today’s unrelenting, well-funded attackers. Organizations must avoid buying into these security myths and accelerate their ability to limit new risk and apply intelligence to stop attackers, regardless of how advanced or persistent they are. New analytics, innovation and a systematic approach to security are necessary. Forward-thinking organizations can establish a favorable risk posture that reduces the likelihood of costly exposures, liberating their budget for innovation and turning risk into opportunity.
