Enterprise security is more than just one moment in time



The changing threat landscape, and the growing sophistication of attackers, mean that the way organisations defend against advanced cyber-attacks must change too. Attackers are no longer focused on what was traditionally deemed their destination, the enterprise perimeter. They are focused on the journey itself: using an array of attack vectors, taking endless form-factors, launching attacks over time, and concealing the exfiltration of data.

Many of them succeed because most security tools today focus on prevention only: controlling access, detecting and blocking, all at the point of entry. Typically, an incoming file is scanned once, at that initial point in time, to determine whether it is malicious. If that verdict is wrong, or intelligence that would change it arrives later, nothing revisits the decision.

To detect advanced threats and breach activity more effectively, security methods cannot focus only on detection and prevention; they must also include the ability to mitigate the impact once an attacker has got inside.

Organisations need to look at their security model holistically and gain continuous protection and visibility along the entire journey: from point of entry, through propagation, to post-infection remediation.

To do this, we need a security model that combines a big data architecture with a continuous capability. Only then can we overcome the limitations of traditional point-in-time detection and response technologies.

In this model, network and process-level telemetry is collected continuously from every source, as activity happens, so that it is always up to date when it is needed. Analysis is layered so that the engines work in concert, avoiding impact on control points and delivering detection over an extended period rather than at a single moment. And analysis is more than event enumeration and correlation: it weaves telemetry together into a picture of what is happening across the environment. Global intelligence drawn from a broad community of users is updated continuously, shared immediately, and correlated with local data, for better-informed decisions.

A continuous approach, together with big data analytics, enables transformative innovation in the battle against advanced threats. For example:

1. Detection that moves beyond point-in-time

A continuous approach makes detection more effective, efficient and pervasive. Behavioural detection methods, such as sandboxing, serve as inputs to continuous analysis and correlation. Activity is captured as it unfolds, and intelligence is shared across detection engines and control points.


2. Monitoring that enables attack chain weaving

Retrospection is the ability to go back in time and re-examine files, processes and communications against the latest intelligence, then weave that information together into a lineage of activity. A file that was scored clean on entry can be re-scored the moment a matching indicator arrives, and the processes and connections it spawned can be traced from that point. This gives insight into an attack as it happens that point-in-time scanning cannot provide.

3. Automated, advanced analytics that look at behaviours over time

Combining big data analytics with continuous capabilities to identify patterns and Indicators of Compromise (IoCs) as they emerge lets security teams focus their efforts on the threats that matter most.


4. Investigations that are more targeted, fast and effective

Transforming investigation into a focused hunt for threats, based on actual events and IoCs, gives security teams a fast and effective way to understand and scope an attack.

5. Containment that's swift

With the visibility the continuous approach provides, security teams can identify specific root causes and shut down all points of compromise and infection gateways simultaneously, preventing lateral movement by the attacker and, ultimately, breaking the attack chain.
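Points 2 and 3 above describe two mechanisms, retrospection (re-scoring activity that was already seen when new intelligence arrives) and attack-chain weaving (turning the matched event into a process lineage). The following is an added example, not Cisco's or the author's code, showing both over a small in-memory telemetry store. The hosts, PIDs, hashes and the IP address are constructed sample values, and the parent-PID walk stands in for whatever lineage data a real endpoint sensor records.

```python
"""Retrospective IoC matching and attack-chain weaving over stored telemetry.

Added example, not Cisco's or the author's code. Hosts, PIDs, hashes and the
IP address below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    ts: int                        # seconds since epoch (constructed)
    host: str
    pid: int
    ppid: Optional[int]            # None for a root process
    image: str
    sha256: str                    # constructed placeholder, not a real digest
    dest_ip: Optional[str] = None  # outbound connection by this process, if any


# Constructed telemetry: a document-launched chain on ws-17, plus noise on ws-22.
TELEMETRY: List[ProcessEvent] = [
    ProcessEvent(1000, "ws-17", 400, None, "explorer.exe", "hash-explorer"),
    ProcessEvent(1010, "ws-17", 412, 400, "winword.exe", "hash-winword"),
    ProcessEvent(1012, "ws-17", 430, 412, "powershell.exe", "hash-powershell"),
    ProcessEvent(1015, "ws-17", 455, 430, "update.exe", "hash-dropper", "203.0.113.7"),
    ProcessEvent(1020, "ws-17", 460, 455, "cmd.exe", "hash-cmd"),
    ProcessEvent(1005, "ws-22", 500, None, "explorer.exe", "hash-explorer"),
]

Key = Tuple[str, int]  # (host, pid)


class ContinuousStore:
    """Keeps every event and its current verdict, so intelligence that arrives
    later can be applied to activity that was already seen and scored clean."""

    def __init__(self) -> None:
        self.events: List[ProcessEvent] = []
        self.ioc_hashes: Set[str] = set()
        self.ioc_ips: Set[str] = set()
        self.verdicts: Dict[Key, str] = {}

    def _matches(self, ev: ProcessEvent) -> bool:
        return ev.sha256 in self.ioc_hashes or (
            ev.dest_ip is not None and ev.dest_ip in self.ioc_ips)

    def ingest(self, ev: ProcessEvent) -> str:
        """Point-in-time scoring at ingest, as a conventional gateway does it."""
        self.events.append(ev)
        verdict = "malicious" if self._matches(ev) else "clean"
        self.verdicts[(ev.host, ev.pid)] = verdict
        return verdict

    def update_intel(self, hashes=(), ips=()) -> List[ProcessEvent]:
        """Retrospection: fold in new IoCs and re-score everything already stored.
        Returns the events whose verdict flipped from clean to malicious."""
        self.ioc_hashes.update(hashes)
        self.ioc_ips.update(ips)
        flipped: List[ProcessEvent] = []
        for ev in self.events:
            key = (ev.host, ev.pid)
            if self.verdicts[key] == "clean" and self._matches(ev):
                self.verdicts[key] = "malicious"
                flipped.append(ev)
        return flipped

    def lineage(self, host: str, pid: int) -> List[ProcessEvent]:
        """Weave the attack chain on one host: ancestors root-first, the matched
        process itself, then every descendant in spawn order."""
        by_key: Dict[Key, ProcessEvent] = {(e.host, e.pid): e for e in self.events}
        children: Dict[Key, List[ProcessEvent]] = {}
        for e in self.events:
            if e.ppid is not None:
                children.setdefault((e.host, e.ppid), []).append(e)

        ancestors: List[ProcessEvent] = []
        cur = by_key.get((host, pid))
        while cur is not None:
            ancestors.append(cur)
            cur = by_key.get((host, cur.ppid)) if cur.ppid is not None else None
        ancestors.reverse()  # root process first

        descendants: List[ProcessEvent] = []
        stack: List[Key] = [(host, pid)]
        while stack:
            for child in sorted(children.get(stack.pop(), []), key=lambda e: e.ts):
                descendants.append(child)
                stack.append((child.host, child.pid))
        return ancestors + descendants


def run_demo() -> Tuple[List[str], List[str]]:
    """Ingest the sample telemetry, then deliver one late-arriving hash IoC."""
    store = ContinuousStore()
    for ev in TELEMETRY:
        store.ingest(ev)  # every event scores clean: no intel yet
    flipped = store.update_intel(hashes=["hash-dropper"])
    chain = store.lineage(flipped[0].host, flipped[0].pid) if flipped else []
    return [e.image for e in flipped], [e.image for e in chain]


if __name__ == "__main__":
    print(run_demo())
```

The first pass is exactly what a point-in-time scanner does: with no matching indicator, every event, including the dropper, is scored clean. When the hash arrives later, `update_intel` re-scores the stored events instead of waiting for the file to be seen again, and `lineage` walks from the flipped event up to the document that launched it and down to what it spawned, which is the set of processes a containment step would act on together. Note that the walk is host-scoped, so the unrelated `explorer.exe` on the second host stays out of the chain.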

In this model, detection and response are no longer separate disciplines or processes but extensions of the same objective: to stop advanced threats.

Going beyond traditional point-in-time methodologies, detection and response capabilities are continuous and integrated.

That is what is required for advanced threat detection and response that is focused on the journey, not just the destination.

Sean Newman is a security strategist at Cisco
