In a very interesting article on TechCrunch, Michael Schiebel writes about the various ways in which security analysts can learn from data scientists. He makes a couple of points that are worth highlighting.
Today, hacking is a much more complex art than it used to be: It no longer only involves just scanning and penetrating the network via a vulnerability. Yet the traditional security tools used by most companies are often inadequate because they still focus on this
As any security professional can attest, hacking nowadays has become easier than ever. Just a few years ago, script kiddies were relegated to using the venerable Nmap and brute-force programs like THC Hydra. Nowadays it’s a different story. There is a plethora of highly sophisticated (and effective) exploit tools such as Metasploit, the Social Engineering Toolkit and PowerShell Empire. These tools are easy to learn, easy to extend, and excellent at what they do. Not only that — most of the tools are free and open source. At any stage of the attack lifecycle hackers can find amazing tools to help them do their job.
Yet we as cybersecurity vendors are lagging behind, especially when it comes to tool-sets. As Michael states:
Most tools are still role-based, with signatures, detection and response rules. That’s their downfall.
Again, we couldn’t agree more. Signature-based tools still play an important part in cyber defense, but the defense-in-depth principle requires us to deploy tools which can mitigate those threats that pass through our outer rings of defense. Luckily, cyber defense tools are evolving, with the help of open-source innovation in both the security and big data fields.
Focus on the abnormalities
This is what it’s all about. Effectively finding abnormalities in your network has a couple of very important benefits to your organization:
- It forces you to be more aware of your networks and systems. You are required to investigate abnormalities and effectively determine if an abnormality is expected or malicious. The more aware you are of your environment, the less time it takes you to realize when something goes horribly wrong (like in the event of a hack…)
- With the proliferation of advanced attack vectors (like the steganographic attacks I recently wrote about) and cloud computing, it’s very easy for hackers to use legitimate services to carry out their attacks in such a way as to avoid tripping signature based alarms. Signatures that target AWS or Twitter would be triggered so many times that they would be ignored, even though they are potential avenues of attack already being exploited by hackers. Abnormality detection systems can flag connections which use these services in weird ways (too much data being transferred, too many connections being done, periodic connections to previously unused endpoints, and so on…)
At this stage it’s important to note that abnormalities do not automatically mean malicious activity: an anomaly-based system highlights those events that deviate from the norm. There are several examples of genuine anomalies which are not malicious:
- Marketing executes a successful campaign resulting in a flood of connections to your webservers
- A misconfiguration is introduced during one of your changes to a backup system which causes high volume traffic to flow through the wrong network path
- Your organization engages with customers in new markets, leading to your network having new traffic patterns to previously non-contacted countries and Autonomous Systems
These are practical examples of how an anomaly-based system increases your team’s awareness of the environment. This leads me to prefer referring to anomaly-based systems as “cyber-awareness” platforms rather than simple “cyber-defense”.
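To make the two points above concrete (legitimate services used in unusual ways, and anomalies that are leads rather than verdicts), here is an added example of a minimal baseline-and-deviation detector over connection logs. It is illustrative code written for this post, not CyberSift’s product code; the flow records, host names, thresholds (z-score of 3, 3x the historical connection rate, coefficient of variation under 0.1 for beacon-like regularity) and the one-day history are all constructed assumptions.

```python
"""Baseline-and-deviation anomaly detection over connection logs.

Added example (not CyberSift's product code). A per-host baseline learned from a
trusted history window is used to flag the kinds of "weird use of a legitimate
service" described in the post: unusual transfer volume, unusual connection
counts, periodic (beacon-like) connections, and first contact with endpoints or
countries never seen before. Every flag is a triage lead, not a verdict: the same
logic fires on a marketing campaign or a backup misconfiguration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Flow:
    ts: int          # seconds since epoch (constructed values)
    src: str         # internal host
    dst: str         # destination service / endpoint name
    country: str     # destination country (constructed)
    out_bytes: int   # bytes sent from src to dst


@dataclass
class Baseline:
    byte_mean: float
    byte_std: float
    conns_per_window: float
    endpoints: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def build_baseline(flows, window_seconds=3600):
    """Learn what 'normal' looks like per source host from a trusted history window."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    baselines = {}
    for src, fl in by_src.items():
        sizes = [f.out_bytes for f in fl]
        span = max(f.ts for f in fl) - min(f.ts for f in fl)
        windows = max(1, span / window_seconds)
        baselines[src] = Baseline(
            byte_mean=mean(sizes),
            byte_std=pstdev(sizes) or 1.0,   # avoid divide-by-zero on a constant history
            conns_per_window=len(fl) / windows,
            endpoints={f.dst for f in fl},
            countries={f.country for f in fl},
        )
    return baselines


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival times; near 0 means very regular."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else None


def score_window(flows, baselines, z_threshold=3.0, count_factor=3.0, beacon_cv=0.1):
    """Return a list of (src, reason, detail) triage leads for one observation window."""
    leads = []
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    for src, fl in by_src.items():
        base = baselines.get(src)
        if base is None:
            leads.append((src, "new_host", "no baseline for this source"))
            continue
        # Volume: a single transfer far above the host's usual size
        for f in fl:
            z = (f.out_bytes - base.byte_mean) / base.byte_std
            if z > z_threshold:
                leads.append((src, "volume", f"{f.out_bytes} bytes to {f.dst} (z={z:.1f})"))
        # Connection count well above the historical rate for one window
        if len(fl) > count_factor * base.conns_per_window:
            leads.append((src, "conn_count", f"{len(fl)} connections vs ~{base.conns_per_window:.1f} baseline"))
        # First contact with endpoints / countries absent from the baseline
        for dst in {f.dst for f in fl} - base.endpoints:
            leads.append((src, "new_endpoint", dst))
        for c in {f.country for f in fl} - base.countries:
            leads.append((src, "new_country", c))
        # Periodic connections to one endpoint (beacon-like regularity)
        per_dst = defaultdict(list)
        for f in fl:
            per_dst[f.dst].append(f.ts)
        for dst, stamps in per_dst.items():
            cv = beacon_score(stamps)
            if cv is not None and cv < beacon_cv:
                leads.append((src, "periodic", f"{len(stamps)} connections to {dst}, cv={cv:.2f}"))
    return leads


def demo():
    """Constructed sample: one day of history for host ws1, then one odd hour."""
    history = []
    for h in range(24):
        history.append(Flow(h * 3600 + (h * 97) % 600, "ws1", "api.twitter.com", "US", 2000 + (h * 137) % 900))
        history.append(Flow(h * 3600 + 1800, "ws1", "s3.amazonaws.com", "US", 4000 + (h * 251) % 1500))
    observed = [Flow(90000 + i * 300, "ws1", "api.twitter.com", "US", 2100) for i in range(6)]  # every 5 min
    observed.append(Flow(90100, "ws1", "s3.amazonaws.com", "US", 50_000_000))   # bulk upload to a known service
    observed.append(Flow(90200, "ws1", "cdn.example-new.net", "BR", 1500))      # first contact, new country
    observed.append(Flow(90300, "ws2", "api.twitter.com", "US", 2000))          # host with no history
    return score_window(observed, build_baseline(history))


if __name__ == "__main__":
    for src, reason, detail in demo():
        print(f"{src:4} {reason:13} {detail}")
```

Run on the constructed data, every lead category fires exactly once for ws1 plus a "new_host" lead for ws2. None of them says the host is compromised; the analyst still has to decide whether the 50 MB upload is a backup job and whether the new Brazilian endpoint is a new market, which is exactly the awareness the post argues for.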
The real problem in most organizations is that too much security alert data is coming in too fast.
Michael again hit the nail on the head here. If your security analysts are investigating too much data, then no wonder we’re seeing alarming headlines such as:
Anomaly-based IDS help your analysts focus on those alarms that can be important, reducing their mitigation time and improving their efficiency — and at the end of the day this is what translates into cost savings for the organization.
Here at CyberSift we are building next generation anomaly detection systems which are based on the above principles and add an effective layer of defense which counters new threats as they emerge without the need of signatures or rules, all the while increasing your team’s cyber-awareness of their systems and networks. Stay tuned for exciting developments…