To thwart attackers, measure what matters

30 Sep 2015

For years the security industry has focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness.

But Marc Solomon, Cisco vice president of security marketing, says that only tells part of the story – and there’s a more important measure – time to detection – that needs to gain prominence.

He says while measuring the percentage of blocked attacks still holds true as a way to demonstrate security effectiveness – after all the more threats blocked the fewer to deal with inside the network – it has flaws.

“We must continue to innovate and work diligently to get that number as close to 100% as possible,” Solomon says. “But that’s the catch.”

Solomon says that despite increasingly effective and sophisticated security defences, point solutions have limited impact against well-funded cybercriminals who combine more evolved tactics to evade detection.

He says exploit kits, ransomware and advanced malware are just a few examples of the innovative tactics employed by cybercriminals.

“Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [stealing domain registration logins and creating subdomains which it then rotates to hide the IP address of the server] to stay below the radar,” Solomon says.

Ransomware, too, has become highly lucrative for hackers, Solomon notes, with operations maturing to the point that they are completely automated through the Tor anonymous web network and use encryption to evade detection. Cryptocurrencies help conceal payment transactions.

Solomon cites the quickly mutating Dridex campaign as demonstrating a sophisticated understanding of how to evade security measures.

“By the time a campaign is detected, attackers have already changed the emails’ content, user agents, attachments or referrers,” Solomon says. “They launch the campaign again, forcing traditional antivirus systems to detect them anew.”

He says the innovation race between attackers and security vendors will continue, but the dynamic creates a problem for organisations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel.

“They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not, and cannot, work together,” Solomon says.

“History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks.

“To get a more realistic measurement of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more, important: time to detection.”

Time to detection is the window of time between the first observation of a file and the detection that it is a threat, and Solomon says the gap exists because of the tactics cybercriminals use to slip through defences as ‘unknown’ and later exhibit behaviours that are malicious.

“Based on various reports, the current industry standard for time to detection is 200 days,” Solomon says. “That’s far too long.

“By the time a breach is discovered credit card data, bank account information, credentials, you name it, have been compromised.”

Solomon says to catch these types of threats, retrospective capabilities must become part of our defences.

“These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices and remediate,” he says.
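As an added illustration of the two measures described above (this is not code from the article or from Cisco): a small Python routine over constructed file telemetry that computes per-file time to detection as the gap between first observation and a malicious verdict, lists the hosts on a detected file's trajectory for quarantine, and flags files still sitting in the network as "unknown". Event shapes, host names and hashes are all constructed for the example.

```python
from datetime import datetime

# Constructed telemetry: (timestamp, host, file hash, event kind).
# "seen" is an observation of the file on a host; "verdict_malicious" is
# the moment the security stack judges that file to be a threat.
EVENTS = [
    ("2015-09-01T08:00:00", "ws-12",  "hash-a", "seen"),
    ("2015-09-01T09:30:00", "ws-07",  "hash-a", "seen"),
    ("2015-09-03T14:00:00", "srv-02", "hash-a", "seen"),
    ("2015-09-04T10:15:00", "cloud",  "hash-a", "verdict_malicious"),
    ("2015-09-02T11:00:00", "ws-03",  "hash-b", "seen"),
    ("2015-09-02T11:05:00", "cloud",  "hash-b", "verdict_malicious"),
    ("2015-09-05T16:00:00", "ws-09",  "hash-c", "seen"),  # still "unknown"
]


def _ts(value):
    return datetime.fromisoformat(value)


def time_to_detection(events):
    """Seconds from first observation of a file to its malicious verdict."""
    first_seen, detected = {}, {}
    for ts, _host, sha, kind in events:
        t = _ts(ts)
        if kind == "seen":
            first_seen[sha] = min(first_seen.get(sha, t), t)
        elif kind == "verdict_malicious":
            detected[sha] = min(detected.get(sha, t), t)
    return {
        sha: (detected[sha] - first_seen[sha]).total_seconds()
        for sha in detected if sha in first_seen
    }


def trajectory(events, sha):
    """Hosts that observed the file: the retrospective quarantine list."""
    return sorted({host for _ts_, host, s, kind in events
                   if s == sha and kind == "seen"})


def undetected(events):
    """Files observed in the network that have no verdict yet."""
    seen = {sha for _, _, sha, kind in events if kind == "seen"}
    judged = {sha for _, _, sha, kind in events if kind == "verdict_malicious"}
    return sorted(seen - judged)


if __name__ == "__main__":
    for sha, secs in time_to_detection(EVENTS).items():
        print(f"{sha}: detected after {secs / 86400:.2f} days; hosts {trajectory(EVENTS, sha)}")
    print("still unknown:", undetected(EVENTS))
```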

“Retrospective security can only happen with an integrated threat defence that allows multiple security technologies to work together, sharing information to combat multifaceted attacks.

“An integrated threat defence not only accelerates time to detection and response, but also enhances our front line defences, updating policies as we uncover threats inside the network to eliminate the risk of reinfection.”

Says Solomon: “Stopping attacks in the first place is important. But accepting the reality that some attacks will get through, security effectiveness must now be measured by how quickly we detect a compromise and stop the exploitation of that attack.”
