More Data than Sense.
As we look at the responses, most of these detection and correction efforts combine human expertise with tools and data. All of them can be improved through access to, and better interpretation of, relevant data, through policy-based workflows, and through appropriate, well-supported automation. So what is holding these valiant security operations teams back? It turns out that security has been treated as a cost of doing business and as overhead, with few metrics and limited risk analysis. There is an infrastructure, but not a deliberate and resilient architecture.

Silos of People, Process, and Technology

Traditionally, security projects have been chosen, implemented, and operated with an eye to solving one specific problem: protection, detection, correction, and (separately) compliance. Few security teams have had architects articulating an integrated design or an adaptive model. Unlike other long-term IT infrastructure, until recently security products have not adopted a common data-sharing model, a messaging infrastructure, or an efficient way to build and maintain process integrations that cross workgroups. Instead, security products have been chosen by desktop, network, and compliance buyers without a conscious plan to integrate them, enable data sharing, or establish the resilience needed to keep up with increasingly subtle threats. They have been minimally maintained and replaced when contracts expire, rather than when the business and its technology changed. 'Set and forget' was a legitimate goal for some security gear.

If this description sounds like your organization, understand that attackers use this antiquated approach against you. They have proven that point-product decisions create white space between controls. Their toolkit-based and targeted attacks use this weakness to penetrate, persist, and strike at sensitive data, vulnerable systems and applications, and critical infrastructure.
To protect, detect, and correct more effectively, review your incident response program to see how well it functions as a machine. Is it a network of separate components, or an integrated, high-performing, and continuously available system? How well does each process integrate with and enrich the others? Is it a closed and continuous loop? As you optimize the protect, detect, and correct steps, you will synthesize IT operations and security controls into an agile, increasingly automated architecture. Here is how you make it happen.

While prevention should not need an overhaul, each control in your arsenal could use a check-up, particularly with respect to threat intelligence and malware detection. Customized attacks typically start with phishing, corrupted websites, evasion techniques, and zero-day malware. Several actions improve countermeasure effectiveness and prevent incidents that may be sophisticated but not necessarily highly targeted:

Take full advantage of the capabilities available in the preventive controls you already have. Harden and isolate systems from attack using endpoint suite features such as application blocking and behavioral signatures. Let email and web gateways detect and block suspicious files, sites, and phishing messages before they reach the user. Software updates, add-on modules, and Security-as-a-Service are the lowest-cost, lowest-disruption ways to acquire current features.

Integrate threat intelligence into countermeasures bidirectionally, so that your controls share discoveries with each other and with researchers and other corporations. For instance, endpoint, email, and web protections consume, generate, and share threat intelligence with networked analytics for closed-loop threat analysis. This lets you move from a mode of constant tactical encounters to one of learning and adapting.

Finally, make your architecture adaptive by using automated blocking based on evolving reputation, risk scores, policies, or other understanding of the attack. These efforts should be considered part of 'routine maintenance' for your security infrastructure.
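As an added illustration of the closed loop described above (example code written for this page, not from the original paper or any vendor product): each control reports its verdict on an indicator to a shared store, the indicator's reputation score evolves with every report, policy decides the action, and that decision is pushed back to all controls. The control names, weights, thresholds, and the corroboration rule are assumptions.

```python
"""Closed-loop threat intelligence sharing with policy-based automated blocking."""
from collections import defaultdict

# Assumed contribution of each control's malicious verdict to the shared score.
SOURCE_WEIGHTS = {"endpoint": 40, "email_gateway": 30, "web_gateway": 30}
# Assumed policy, most severe first: (minimum score, minimum independent sources, action).
# Automated blocking requires corroboration so one control cannot block on its own.
POLICY = [(80, 2, "block"), (50, 1, "alert"), (0, 0, "monitor")]


class SharedIntel:
    """Central reputation store that every control both reads from and writes to."""

    def __init__(self):
        self.scores = defaultdict(int)   # indicator -> risk score clamped to 0..100
        self.sources = defaultdict(set)  # indicator -> controls that flagged it

    def report(self, source, indicator, malicious):
        """A control shares a discovery; the indicator's reputation evolves."""
        weight = SOURCE_WEIGHTS[source]
        if malicious:
            self.sources[indicator].add(source)
            self.scores[indicator] += weight
        else:
            # A clean verdict lowers risk but does not erase earlier corroboration.
            self.scores[indicator] -= weight // 2
        self.scores[indicator] = max(0, min(100, self.scores[indicator]))
        return self.decide(indicator)

    def decide(self, indicator):
        """Apply the policy table to the current score and corroboration count."""
        score, n_sources = self.scores[indicator], len(self.sources[indicator])
        for min_score, min_sources, action in POLICY:
            if score >= min_score and n_sources >= min_sources:
                return action
        return "monitor"

    def distribute(self, indicator):
        """Bidirectional loop: push the shared decision back to every control."""
        action = self.decide(indicator)
        return {control: action for control in SOURCE_WEIGHTS}


if __name__ == "__main__":
    store = SharedIntel()
    ioc = "sha256:constructed-sample-hash"  # constructed indicator, not a real IoC
    for control in ("email_gateway", "web_gateway", "endpoint"):
        print(control, "->", store.report(control, ioc, True))
    print(store.distribute(ioc))
```

The corroboration column in POLICY is the check a practitioner wants before letting reputation drive automated blocking: a single control's repeated verdict can raise the score to the block threshold, but the shared decision stays at "alert" until a second, independent control agrees.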