DCN November 2016 | Page 20

security

TURNING THE TABLES

Kasey Cross of LightCyber explores the limitations of traditional security and looks at different ways to win the war on cybercrime.

With the fallout growing each day from the massive Yahoo! data breach, most enterprise security professionals should be asking the question, ‘Could an active attacker be in our data centre right now?’ A corollary question would be, ‘How would we even know if an attacker was in our data centre?’

A recent Lloyd’s study showed that over 90 per cent of European companies suffered a data breach at some point over the past five years. As Lloyd’s chief executive officer recently commented in various press accounts, ‘I’m afraid we no longer live in a world where you can prevent breaches taking place, instead it is about how you manage them and what measures you have in place to protect your business and importantly, your customers. As recent events have shown, hard-earned reputations can be lost in a flash if you do not have the correct plans in place.’

A new report by Conservative members on the London Assembly estimated that in 2015, in London, 329,515 organisations experienced some form of security breach.

Even philanthropic organisations are not exempt from the ravages of cybercrime. In July, the UK debt relief charity Christians Against Poverty was hit by network attackers. Cybercrime is outpacing all other crime in the UK, according to the National Crime Agency.

Clearly, most companies are losing the battle of the data breach. The industry average ‘dwell time’ for a network intruder to go undetected is about five months. Five months is an enormous amount of time for a network intruder to orchestrate a complex attack and accomplish all of his or her goals. Therein lies the problem – attacks cannot be stopped because the attackers cannot be detected.
IDENTIFY AND BLOCK

Traditional security revolves around encountering a threat and then developing ways to identify and block it. The data breach threat demands adding a new approach, one that is based on detecting the operational activities of an attacker as manifested on the network. Our recent Cyber Weapons Report, based on six months of research in the first half of 2016, showed that after the initial intrusion, attackers don’t use malware to conduct reconnaissance or lateral movement, which are instrumental steps in an advanced attack. If traditional security controls can only find malicious software, they won’t be able to catch active attackers or detect post-intrusion activity.
When attackers land in a network, they are essentially blind, and chances are they will need to work their way to valuable assets. The most common intrusion involves compromising a user computer or account. From this initial foothold, attackers must survey the network, locating assets – particularly in the data centre – and finding a way to get to them. These activities can stand out against the normal, expected ones from users and devices.
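As an added illustration of the point above (example code written for this edit, not LightCyber’s product or anything from the article), the snippet below learns each user’s and each peer group’s normal destinations from a constructed set of connection records, then flags destinations that neither the user nor their peers have ever used and any host that suddenly reaches an unusual number of never-before-seen destinations, the footprint that network surveying leaves. User names, hosts, roles and the sweep threshold are all assumed values.

```python
from collections import defaultdict

# Constructed sample records: (day, user, role, src_host, dst_host). Days 1-5 are
# the learning window; day 6 holds the events to score. These are not real logs.
BASELINE = [
    (d, "alice", "finance", "ws-alice", dst)
    for d in range(1, 6) for dst in ("file-fin", "erp-db", "mail")
] + [
    (d, "bob", "finance", "ws-bob", dst)
    for d in range(1, 6) for dst in ("file-fin", "mail")
] + [
    (d, "carol", "devops", "ws-carol", dst)
    for d in range(1, 6) for dst in ("git", "build", "mail")
]

NEW_EVENTS = [
    (6, "alice", "finance", "ws-alice", "erp-db"),   # routine for alice
    (6, "bob", "finance", "ws-bob", "erp-db"),       # new for bob, but finance peers use it
    (6, "carol", "devops", "ws-carol", "file-fin"),  # outside carol's role entirely
] + [(6, "carol", "devops", "ws-carol", f"db-{i:02d}") for i in range(12)]  # sweep

def build_profiles(records):
    """Known-good destination sets per user and per peer group (role)."""
    per_user, per_role = defaultdict(set), defaultdict(set)
    for _day, user, role, _src, dst in records:
        per_user[user].add(dst)
        per_role[role].add(dst)
    return per_user, per_role

def score_events(events, per_user, per_role, sweep_threshold=10):
    """Alert on destinations unknown to both the user and their peers, and on any
    source host that reaches sweep_threshold or more never-before-seen destinations."""
    alerts = []
    new_dsts_by_src = defaultdict(set)
    for _day, user, role, src, dst in events:
        known_to_user = dst in per_user[user]
        known_to_peers = dst in per_role[role]
        if not known_to_user:
            new_dsts_by_src[src].add(dst)
        if not known_to_user and not known_to_peers:
            alerts.append(("unusual_destination", user, src, dst))
    for src, dsts in new_dsts_by_src.items():
        if len(dsts) >= sweep_threshold:
            alerts.append(("new_destination_sweep", src, len(dsts)))
    return alerts

if __name__ == "__main__":
    users, roles = build_profiles(BASELINE)
    for alert in score_events(NEW_EVENTS, users, roles):
        print(alert)
```

Bob’s first visit to the ERP database is silent because his peers already use it, while Carol’s jump into finance storage and her run of twelve fresh database hosts surface as both unusual-destination and sweep alerts.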
While detecting an active attacker is achievable, it is difficult to do so without having established the ‘known good’ and using it as a baseline to find anomalous behaviours. This profiling of users and devices is something that should be done continuously and with sufficient depth. Behaviour should be understood in terms of a timeline, peers, job function, history and other important