
To thwart attackers, measure what matters

30 Sep 15

For years the security industry has focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness.

But Marc Solomon, Cisco vice president of security marketing, says that only tells part of the story – and there’s a more important measure – time to detection – that needs to gain prominence.

He says that while measuring the percentage of blocked attacks still holds up as a way to demonstrate security effectiveness – after all, the more threats blocked, the fewer to deal with inside the network – it has flaws.

“We must continue to innovate and work diligently to get that number as close to 100% as possible,” Solomon says. “But that’s the catch.”

Solomon says that despite increasingly effective and sophisticated security defences, point solutions have limited impact against well-funded cybercriminals who combine ever more evolved tactics to evade detection.

He says exploit kits, ransomware and advanced malware are just a few examples of the innovative tactics employed by cybercriminals.

“Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [stealing domain registration logins and creating subdomains which it then rotates to hide the IP address of the server] to stay below the radar,” Solomon says.

Ransomware, too, has become highly lucrative for hackers, Solomon notes, with operations maturing to the point that they are completely automated through the Tor anonymity network and use encryption to evade detection. Cryptocurrencies help conceal payment transactions.

Solomon cites the quickly mutating Dridex campaign as demonstrating a sophisticated understanding of how to evade security measures.

“By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments or referrers,” Solomon says. “They launch the campaign again, forcing traditional antivirus systems to detect them anew.”

He says the innovation race between attackers and security vendors will continue, but the dynamic creates a problem for organisations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel.

“They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not, and cannot, work together,” Solomon says.

“History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks.

“To get a more realistic measurement of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more, important: time to detection.”

Time to detection is the window between the first observation of a file and the point at which it is detected as a threat. Solomon says the gap exists because cybercriminals use tactics that slip files through defences as ‘unknown’, with the malicious behaviour only exhibited later.

“Based on various reports, the current industry standard for time to detection is 200 days,” Solomon says. “That’s far too long.

“By the time a breach is discovered credit card data, bank account information, credentials, you name it, have been compromised.”

Solomon says to catch these types of threats, retrospective capabilities must become part of our defences.

“These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices and remediate,” he says.
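To make the metric concrete, the following is an added example (not Cisco's code and not from the article) that computes time to detection and a file's trajectory from endpoint telemetry. The event shapes, host names, hash placeholders and timestamps are constructed for illustration; the split between hosts exposed before a verdict (to quarantine and remediate) and hosts that saw the file afterwards (where an updated front-line policy should have blocked it) is the retrospective view the quote describes.

```python
"""Time to detection and file trajectory over endpoint telemetry.

Added example, not Cisco's code: the event format, hosts, hashes and
timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class FileEvent:
    """A file observed on an endpoint (e.g. written to disk or executed)."""
    ts: datetime
    host: str
    sha256: str  # placeholder identifier, not a real hash


@dataclass(frozen=True)
class Verdict:
    """The moment a hash was classified: 'malicious' or 'clean'."""
    ts: datetime
    sha256: str
    disposition: str


# Constructed telemetry: two unknown files land on several hosts; one is
# convicted three days later (e.g. by sandbox detonation or behaviour),
# the other is cleared within hours.
T0 = datetime(2015, 9, 1, 9, 0)
EVENTS: List[FileEvent] = [
    FileEvent(T0, "ws-017", "HASH_A"),
    FileEvent(T0 + timedelta(hours=2), "ws-042", "HASH_A"),
    FileEvent(T0 + timedelta(days=1), "srv-fs01", "HASH_A"),
    FileEvent(T0 + timedelta(hours=1), "ws-017", "HASH_B"),
    FileEvent(T0 + timedelta(days=3, hours=5), "ws-099", "HASH_A"),  # after verdict
]
VERDICTS: List[Verdict] = [
    Verdict(T0 + timedelta(days=3), "HASH_A", "malicious"),
    Verdict(T0 + timedelta(hours=6), "HASH_B", "clean"),
]


def first_seen(events: List[FileEvent]) -> Dict[str, datetime]:
    """Earliest observation time per hash across the whole estate."""
    seen: Dict[str, datetime] = {}
    for e in events:
        if e.sha256 not in seen or e.ts < seen[e.sha256]:
            seen[e.sha256] = e.ts
    return seen


def time_to_detection(events: List[FileEvent],
                      verdicts: List[Verdict]) -> Dict[str, timedelta]:
    """TTD per convicted hash: conviction time minus first observation.

    Clean verdicts and hashes never seen in telemetry contribute nothing.
    """
    seen = first_seen(events)
    return {
        v.sha256: v.ts - seen[v.sha256]
        for v in verdicts
        if v.disposition == "malicious" and v.sha256 in seen
    }


def trajectory(events: List[FileEvent], sha256: str) -> List[FileEvent]:
    """Every observation of one hash, ordered in time (the file's path)."""
    return sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)


def retrospective_report(events: List[FileEvent],
                         verdicts: List[Verdict]) -> Dict[str, dict]:
    """For each conviction: TTD in hours, hosts exposed before the verdict
    (quarantine and remediate) and hosts that saw the file after it
    (should have been blocked once front-line policy was updated)."""
    ttd = time_to_detection(events, verdicts)
    report: Dict[str, dict] = {}
    for v in verdicts:
        if v.sha256 not in ttd:
            continue
        path = trajectory(events, v.sha256)
        report[v.sha256] = {
            "ttd_hours": ttd[v.sha256] / timedelta(hours=1),
            "exposed_hosts": sorted({e.host for e in path if e.ts <= v.ts}),
            "seen_after_verdict": sorted({e.host for e in path if e.ts > v.ts}),
        }
    return report


if __name__ == "__main__":
    for sha, row in retrospective_report(EVENTS, VERDICTS).items():
        print(sha, row)
```

In a real deployment the events would come from endpoint or network file telemetry and the verdicts from whatever convicts the hash; the point of keeping first-seen history is that a late verdict can be applied backwards to everything that already touched the file, rather than only to what arrives next.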

“Retrospective security can only happen with an integrated threat defence that allows multiple security technologies to work together, sharing information to combat multifaceted attacks.

“An integrated threat defence not only accelerates time to detection and response, but also enhances our front line defences, updating policies as we uncover threats inside the network to eliminate the risk of reinfection.”

Says Solomon: “Stopping attacks in the first place is important. But accepting the reality that some attacks will get through, security effectiveness must now be measured by how quickly we detect a compromise and stop the exploitation of that attack.”
