FEATURE
www.intelligentciso.com | Issue 14

EFFECTIVE STRATEGIES FOR DETECTING AND STOPPING MALWARE ATTACKS

ORION CASSETTO, DIRECTOR, PRODUCT MARKETING AT EXABEAM

‘Throwing resources at individual malware attack chain phases is a losing battle in the ever-escalating cyberwar.’

Many organisations think, ‘We have up-to-date, active antivirus (AV) software running on all of our systems and have alerts configured to notify us when something serious happens.’

But AV software provides only so much protection – successful malware detection and remediation doesn’t ensure a system isn’t compromised.

The limitation of AV software – and that of other solutions that target specific points in the attack chain – is that it doesn’t differentiate normal user and system behaviours from the abnormal activity. Numerous false positives pile up along with the mountain of data collected by your log management or security information and event management (SIEM) system, adding to the background noise.

The attack chain

Most security operations centres (SOC) attempt to stop attackers at each phase. And many organisations spend the bulk of their security budget attempting to detect the initial compromise at the host or network level. They also might implement a data loss prevention (DLP) solution to try to catch data leaving the organisation after an attack is underway.

There are a number of problems with this approach. When stolen credentials are used, there are multiple ways for an attacker to successfully execute each phase while impersonating a trusted user. If one method fails, they simply try another until they succeed in moving to the next phase. Conventional security solutions are typically oblivious that someone other than a trusted user has penetrated the network – until it’s too late.

Understanding the attackers’ goals

Missing from most legacy SIEM solutions is an understanding of the difference between goals of a trusted user and those of an attacker. They’re not the same, yet the same systems and actions are used to accomplish their respective tasks.

Knowledge of the ‘white space’

Behavioural analytics enables you to easily compare normal versus abnormal activities, so you are equipped to examine what’s happening in these ‘white spaces’.

During a typical attack, the hacker spends the most time – sometimes weeks or months – in the middle of the chain. Unfortunately, this is the least visible section with most security point and inline DLP products. A valid attack can often go unnoticed, hidden in the background noise that is being generated by events that are actually within the parameters of normal behaviour for your users.

But in deploying user and entity behaviour analytics (UEBA), you can focus on this critical area. Based on deviation from normal behaviour, each event is automatically scored as it occurs and raises an alert if the score reaches a predetermined tipping point.

Focus on unusual events

You can also gain insight into unusual events by examining those that occur the least often. For example, common malware attacks that can be detected and cleaned by your AV software probably include thousands of adware, malvertising, potentially unwanted programs and other low-impact events. But in examining more unusual events, such as unique signatures and malware your organisation has never seen before, you can discover the more serious threats more quickly, giving you more time for mitigation.

Using a behavioural approach

Throwing resources at individual malware attack chain phases is a losing
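The UEBA paragraph and the ‘Focus on unusual events’ section above describe events being scored by deviation from a learned baseline and by how rarely they occur, with an alert raised once a running score reaches a tipping point. The following is an added illustration of that logic, not code from the article or from Exabeam; the event fields, the point weights, the 60-point tipping point and the sample log data are all constructed assumptions.

```python
from collections import Counter, defaultdict, namedtuple
import math

# A normalised log event: user, host, local hour of day (0-23), action name.
Event = namedtuple("Event", "user host hour action")

def build_baselines(history):
    """Learn each user's normal hosts and hours, plus how often every action occurs overall."""
    per_user, action_freq = defaultdict(lambda: {"hosts": set(), "hours": set()}), Counter()
    for e in history:
        per_user[e.user]["hosts"].add(e.host)
        per_user[e.user]["hours"].add(e.hour)
        action_freq[e.action] += 1
    return per_user, action_freq

def score_event(e, per_user, action_freq, total):
    """Points for deviation from the user's own baseline, plus points for global rarity of the action."""
    points, reasons = 0, []
    b = per_user.get(e.user, {"hosts": set(), "hours": set()})
    if e.host not in b["hosts"]:
        points += 30; reasons.append(f"first access to {e.host}")
    if b["hours"] and e.hour not in b["hours"]:
        points += 20; reasons.append(f"activity at hour {e.hour:02d}")
    # Rarity: an action seen in over a quarter of history (AV-cleaned adware) scores 0,
    # a never-seen action scores highest; the +1 smoothing avoids log(0).
    p = (action_freq[e.action] + 1) / (total + 1)
    rarity = int(10 * max(0.0, -math.log2(p) - 2))
    if rarity:
        points += rarity; reasons.append(f"rare action {e.action}")
    return points, reasons

def analyse(history, live, tipping_point=60):
    """Score live events as they occur; alert once a user's running score reaches the tipping point."""
    per_user, action_freq = build_baselines(history)
    scores, alerts = defaultdict(int), {}
    for e in live:
        pts, why = score_event(e, per_user, action_freq, len(history))
        scores[e.user] += pts
        if scores[e.user] >= tipping_point and e.user not in alerts:
            alerts[e.user] = (scores[e.user], why)
    return dict(scores), alerts

# Constructed sample data (not real logs): alice reads files on HR-FS1 in office hours; bob works on
# DEV-BUILD, where AV keeps cleaning adware (noise). Live: alice's account shows up on DEV-BUILD at 3am.
HISTORY = [Event("alice", "HR-FS1", h, a) for h in range(9, 17) for a in ("logon", "file_read")]
HISTORY += [Event("bob", "DEV-BUILD", h, "logon") for h in range(8, 16)]
HISTORY += [Event("bob", "DEV-BUILD", 12, "av_cleaned:adware")] * 8
LIVE = [Event("alice", "HR-FS1", 10, "file_read"), Event("bob", "DEV-BUILD", 12, "av_cleaned:adware"),
        Event("alice", "DEV-BUILD", 3, "logon"), Event("alice", "DEV-BUILD", 3, "new_service_installed")]
```

The routine AV-cleaned adware scores zero and never reaches the SOC, while alice's account crossing into an unfamiliar host out of hours with a never-seen action accumulates 130 points and trips the alert on the second such event.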