An Integrated Approach to The Security Threat Defense Lifecycle

By: Raj Samani, VP & CTO, EMEA, Intel Security

Attackers today use multiple techniques to penetrate an organization's infrastructure and compromise its vital data assets or systems. This problem has only been exacerbated by the proliferation of the cloud and IoT, and today's targeted multiphase attacks consist of a series of steps that make up the cyberattack chain: reconnaissance, scanning for vulnerabilities, exploitation, and, finally, exfiltration of valuable corporate data.

As attacks grow in complexity, precision, and volume, yesterday’s approach to Threat Intelligence (TI) is no longer adequate. Investigating targeted attacks is no easy task. The dynamic behavior of the attackers, the greater variety and availability of local and global threat intelligence sources, and the diversity of TI data formats can make the aggregation and digestion of threat intelligence into security operations center (SOC) tools more challenging than ever before.

A mixed-vendor environment, which is typical of most enterprises, adds to the difficulty of sharing event data and promoting event visibility throughout the organization. As Gartner points out in its report, Technology Overview for Threat Intelligence Platforms, "An organization's inability to share TI is an advantage to cyber threat actors. TI sharing is a force multiplier and is becoming a key element in keeping up with the increasing number of threat actors and the attacks they use." [1]

The Case Against Point Solutions
Sharing threat intelligence alone will not necessarily result in sustainable corrective action and prevention. Security analysts can quickly become overwhelmed with too much information. Most security teams are engaged in an exhausting manual process of analyzing millions of security events and suspicious files in an effort to piece together a mountain of data and try to reconstruct the targeted attack. Ultimately, this impairs the thoroughness and speed of the response process. With a less-than-complete comprehension of threats, security teams are struggling to contain attacks in a timely manner.

These challenges result from insufficient integration between the inspection, intelligence-gathering, analytics, and enforcement elements of the security architecture. Silos of data and point controls complicate operations and increase risk. For example, the data each control generates and the context of each situation are poorly captured and seldom shared. A firewall may block a payload coming from an untrusted domain because it understands communications, not malware; it will permit the same payload when it arrives through a trusted domain. Similarly, anti-malware could block unknown payloads received from known-bad addresses if it were able to look beyond the payload itself and consider the source IP address.

Unintegrated security functions like these keep organizations in a firefighting mode, always reacting and pouring human resources into each breach. Process inefficiency exhausts scarce investigative resources and lengthens the timeline in which data and networks are exposed to determined attackers. These islands of security products, data sets, and operations give sophisticated attackers ample space and white noise in which to enter, hide, and persist within the targeted organization.

An Integrated Approach to the Threat Defense Lifecycle
Integration improves effectiveness, as active sharing of data and accelerated cross-control processes make it practical for every security control to leverage the strengths and experience of the others around it. This adaptive threat prevention model is quickly replacing traditional, unintegrated architectures as security teams work to achieve a sustainable advantage against complex threats.
Rather than treating each malware interaction as a stand-alone event, an adaptive threat prevention model integrates processes and data through an efficient messaging layer. This provides reinforced levels of inspection and analysis, informed by expanded forms of intelligence, and connects end-to-end components so that they generate and consume as much actionable intelligence as possible from each contact and process.
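As an added example that is not part of the original article, the following Python sketch models the firewall and anti-malware scenario from "The Case Against Point Solutions" together with the messaging layer described above: each control publishes what it convicts and consults what the other learned. The MessageBus, both control classes, the blocklists and the sample traffic are all hypothetical and constructed for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "src_ip domain payload_hash")  # payload_hash "" if only the connection is seen
class MessageBus:  # hypothetical messaging layer shared by the controls
    def __init__(self):
        self.indicators = {"bad_ip": set(), "bad_hash": set()}
    def publish(self, kind, value):
        self.indicators[kind].add(value)
    def known(self, kind, value):
        return value in self.indicators[kind]
class Firewall:  # reputation control: knows about communications, not malware
    def __init__(self, untrusted_domains, bus=None):
        self.untrusted, self.bus = set(untrusted_domains), bus
    def decide(self, ev):
        if ev.domain in self.untrusted:
            if self.bus:  # integrated: share the source address it just convicted
                self.bus.publish("bad_ip", ev.src_ip)
            return "block"
        # Integrated: a payload anti-malware already convicted is blocked even via a trusted domain.
        if self.bus and ev.payload_hash and self.bus.known("bad_hash", ev.payload_hash):
            return "block"
        return "allow"
class AntiMalware:  # content control: knows about payloads, not addresses
    def __init__(self, bad_hashes, bus=None):
        self.bad_hashes, self.bus = set(bad_hashes), bus
    def decide(self, ev):
        if ev.payload_hash in self.bad_hashes:
            if self.bus:  # integrated: share the hash it just convicted
                self.bus.publish("bad_hash", ev.payload_hash)
            return "block"
        # Integrated: an unknown payload from an address the firewall already flagged is blocked.
        if self.bus and self.bus.known("bad_ip", ev.src_ip):
            return "block"
        return "allow"

def run(events, integrated):  # per-event (control, verdict); the bus exists only when integrated
    bus = MessageBus() if integrated else None
    chain = [("firewall", Firewall({"evil.example"}, bus)),
             ("antimalware", AntiMalware({"deadbeef"}, bus))]
    out = []
    for ev in events:  # first control in the chain to block wins
        who = next((name for name, c in chain if c.decide(ev) == "block"), "none")
        out.append((who, "allow" if who == "none" else "block"))
    return out

# Constructed sample traffic (documentation addresses, not real indicators).
SAMPLE = [Event("203.0.113.9", "evil.example", "aaaa1111"),     # known-bad domain
          Event("203.0.113.9", "trusted.example", "ffff0000"),  # unknown payload, same source
          Event("198.51.100.7", "trusted.example", "deadbeef"), # convicted payload, trusted domain
          Event("198.51.100.7", "trusted.example", "deadbeef")] # same payload arrives again
```

Run siloed, the second event passes as merely "unknown" and the repeated payload is only caught after it crosses the perimeter; run integrated, the anti-malware blocks the unknown payload because the firewall shared the address, and the firewall later blocks the convicted hash even though it arrives through a trusted domain.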

Protect, Detect, Correct
The shift to adaptive threat prevention helps overcome the all-too-common functional fences that shackle detection, response, and any chance of improved prevention. This transformation requires IT teams to adopt a protect-detect-correct approach. Protection involves enabling users to be more productive while blocking the most pervasive attacks and disrupting never-before-seen techniques and payloads. Detection requires gathering both local and global security intelligence, integrating an array of behavioral and contextual analytics, and leveraging centralized management for better insight, more effective threat identification, and faster investigation of events. Finally, correction should streamline the threat defense lifecycle by facilitating triage, investigation, and remediation, all while learning from security incidents and continually evolving, so that the organization is better protected going forward.

By unifying protection, detection, and correction with real-time centralized management into an adaptive feedback loop, known as the threat defense lifecycle, security evolves and learns in an iterative cycle that improves over time. This model helps organizations become more effective at blocking threats, identifying compromises, and implementing remediation and countermeasure improvements more quickly.

In today's world, where every business is always on and (close to) everything is always connected, there is no silver bullet for securing an organization's critical assets. To shorten response times and contain as many threats as possible, organizations need a holistic security approach that addresses the entire threat defense lifecycle, integrates seamlessly, and offers a truly connected way of putting actionable threat information and control at the fingertips of security management teams, all with the fastest available performance so that the organization can take action in real time.