
What are you doing to spot a breach?

It’s probably already happened, but you just haven't seen it...

How do you distinguish between normal behaviour and threats?

Distinguishing between these different modes of behaviour is an important skillset for IT departments trying to spot attackers inside their network, but it’s doable with the right tools, say experts. It’s all a question of mathematics, said Northcutt.

“Twenty years ago the US Navy spent about a million dollars for a bunch of PhD statisticians to determine that like groups of people using like systems have a very similar network traffic footprint,” he said, adding that we have been using statistical techniques to baseline normal behaviour for years now.

One form of attack involves malware that enters a network and then moves laterally, trying to find any data it can, and then exfiltrating it. Software designed to baseline regular employee behaviour and then spot anything that deviates from the norm may be able to spot the unusual patterns that this malware may generate.

Is a user account sending large amounts of data from an account that normally doesn’t? Is it encrypting that data, when it is normally sent over the internal company network in plain text? Why is it sending it at 2am when all employees are normally long gone? All of these things can raise flags in a suitably-equipped system.
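The three questions above map directly onto checks against a per-user baseline. The following is an added example, not code from the article or from any product the experts quoted were describing: it builds a baseline from constructed outbound-transfer records and flags a record when its volume is far outside the user's own history (z-score), when its payload looks encrypted where that user normally sends plaintext (byte entropy), or when it falls outside assumed office hours. The records, the office-hours range and the thresholds are all assumptions for illustration.

```python
"""Baseline-and-deviation detector over constructed outbound-transfer records.

Added example (not from the article): a per-user statistical baseline with
three checks - unusual volume, unusually high payload entropy (a proxy for
encryption where plaintext is the norm) and off-hours timing.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (user, hour_of_day, bytes_out, payload_sample).
# payload_sample stands in for a captured slice of the transfer content.
BASELINE_RECORDS = [
    ("alice", 9, 1_200_000, b"Quarterly report draft, see attached notes"),
    ("alice", 10, 900_000, b"Meeting minutes for the planning session"),
    ("alice", 14, 1_500_000, b"Updated spreadsheet of regional figures"),
    ("alice", 16, 1_100_000, b"Customer follow-up list for next week"),
    ("bob", 8, 50_000, b"Status ping: all systems nominal today"),
    ("bob", 11, 70_000, b"Ticket 4412 closed after patch applied"),
    ("bob", 15, 60_000, b"Reminder to rotate the backup tapes"),
    ("bob", 17, 55_000, b"Lab notes: reran the regression suite"),
]

BUSINESS_HOURS = range(7, 20)  # assumed office hours: 07:00 to 19:59


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data,
    well below 6.0 for short English text (bounded by log2(len))."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_baseline(records):
    """Per-user mean and population std of bytes_out, plus mean payload entropy."""
    by_user = defaultdict(list)
    for user, _hour, nbytes, payload in records:
        by_user[user].append((nbytes, shannon_entropy(payload)))
    baseline = {}
    for user, samples in by_user.items():
        sizes = [s for s, _ in samples]
        ents = [e for _, e in samples]
        baseline[user] = {
            "mean_bytes": mean(sizes),
            "std_bytes": pstdev(sizes),
            "mean_entropy": mean(ents),
        }
    return baseline


def score_record(record, baseline, z_threshold=3.0, entropy_jump=2.0):
    """Return the flags this record raises against its user's baseline."""
    user, hour, nbytes, payload = record
    base = baseline.get(user)
    if base is None:
        return ["unknown-user"]  # no history at all is itself worth a look
    flags = []
    # Volume: z-score against the user's own history (guard a zero std).
    std = base["std_bytes"] or 1.0
    if (nbytes - base["mean_bytes"]) / std > z_threshold:
        flags.append("volume-anomaly")
    # Encryption: payload entropy far above what this user normally sends.
    if shannon_entropy(payload) - base["mean_entropy"] > entropy_jump:
        flags.append("high-entropy-payload")
    # Timing: activity outside the assumed office hours.
    if hour not in BUSINESS_HOURS:
        flags.append("off-hours")
    return flags


def detect(records, baseline):
    """Return (record, flags) for every record that raises at least one flag."""
    hits = []
    for rec in records:
        flags = score_record(rec, baseline)
        if flags:
            hits.append((rec, flags))
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_RECORDS)
    # Constructed new traffic: one ordinary transfer, one that matches all
    # three warning signs (huge, encrypted-looking, 2am) and one unknown user.
    new_traffic = [
        ("alice", 11, 1_000_000, b"Draft agenda for the Tuesday review"),
        ("bob", 2, 3_000_000, bytes(range(256))),
        ("mallory", 3, 10_000, b"hello"),
    ]
    for rec, flags in detect(new_traffic, base):
        print(rec[0], rec[1], rec[2], flags)
```

The entropy check is only meaningful relative to the baseline: a user whose job is shipping compressed archives all day would have a high mean entropy already, so the same payload would not stand out for them. That is the point of baselining per user (or per peer group) rather than using one global threshold.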

Where do you start when choosing tools

Training people to be security aware is an important part of stopping breaches, but CISOs will never eradicate those problems entirely. Technology provides a vital additional layer of protection. Don’t be distracted by emotions or industry buzzwords when choosing these tools, said Stevens.

He recommends first identifying what data you want to protect (adding that this is more difficult than you’d imagine for many companies). Talk to compliance managers and line of business owners to identify this information, and then work out what category of tool would best block the egress of that data.

Companies can hone their priorities by focusing on a security framework like NIST’s, using it to establish areas where they need to improve. “Then it’s about ensuring that those purchases are improving your security posture as well as catering to compliance requirements that you may have,” he said.

At the very least, though, he recommends a web and email security gateway, along with a data leak prevention (DLP) tool to monitor and prevent things from leaving.

“Essentials are always going to be network monitoring tools,” said the ISF’s Durbin, adding that companies can build out their tool sets as they become more sophisticated. “The more advanced will focus on big data and trying to anticipate breaches and identify weaknesses in the security perimeter.”

Best of breed vs holistic approach

Should companies buy a single security platform offering a holistic approach, or focus on point solutions instead?

“I would always vote on holistic, mainly because we aren’t seeing point channel solutions that are very effective,” said Stevens. The main problem with best of breed solutions is visibility, he argued. If you’re purchasing point solutions from multiple vendors, then integrating them to create a coherent view of your organization’s security incidents can be challenging.

Your view of security needs to be watertight, not least because incidents in one domain that seem incongruous might suddenly gain more significance if you’re able to correlate them with other incidents happening elsewhere.

A single pane of glass can help to ensure a consistent view of everything that’s happening across the various aspects of your infrastructure, from email scanning through to web gateways.
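To make the correlation argument concrete, here is an added example that is not from the article and does not model any particular vendor's platform. It takes normalised events from three assumed point tools (an email gateway, a web gateway and a DLP tool), groups them per user within a time window, and only raises an incident when events from at least two sources add up past a threshold. Individually each event scores below the threshold, which is exactly the “seems incongruous on its own” case the text describes. The events, weights, window and threshold are all constructed for illustration.

```python
"""Cross-source correlation over constructed gateway and DLP events.

Added example (not from the article): per-user, time-windowed correlation
that escalates only when several sources agree within the window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalised events, as three separate tools might emit them.
EVENTS = [
    {"ts": "2015-03-02T09:05:00", "source": "email_gw", "user": "carol",
     "kind": "suspicious_attachment"},
    {"ts": "2015-03-02T09:20:00", "source": "web_gw", "user": "carol",
     "kind": "new_domain_download"},
    {"ts": "2015-03-02T09:40:00", "source": "dlp", "user": "carol",
     "kind": "large_outbound_transfer"},
    {"ts": "2015-03-02T13:00:00", "source": "web_gw", "user": "dave",
     "kind": "new_domain_download"},
    {"ts": "2015-03-02T17:30:00", "source": "dlp", "user": "dave",
     "kind": "large_outbound_transfer"},
]

# Assumed per-event weights: no single event reaches the incident threshold.
WEIGHTS = {
    "suspicious_attachment": 2,
    "new_domain_download": 2,
    "large_outbound_transfer": 3,
}
INCIDENT_THRESHOLD = 6
WINDOW = timedelta(hours=1)


def parse(events):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def max_single_event_score():
    """Highest score any one event can reach on its own."""
    return max(WEIGHTS.values())


def correlate(events, window=WINDOW, threshold=INCIDENT_THRESHOLD):
    """Return one incident per user whose events, within `window` and from
    at least two distinct sources, reach `threshold` combined weight."""
    per_user = defaultdict(list)
    for e in parse(events):
        per_user[e["user"]].append(e)

    incidents = []
    for user, evs in per_user.items():
        # Slide a window starting at each event; evs is already sorted.
        for i, start in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            sources = {e["source"] for e in cluster}
            score = sum(WEIGHTS.get(e["kind"], 1) for e in cluster)
            if len(sources) >= 2 and score >= threshold:
                incidents.append({
                    "user": user,
                    "score": score,
                    "sources": sorted(sources),
                    "start": start["ts"].isoformat(),
                    "kinds": [e["kind"] for e in cluster],
                })
                break  # first qualifying window is enough per user here
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["user"], inc["score"], inc["sources"], inc["kinds"])
```

With these inputs only carol is escalated: three sources within 35 minutes score 7. Dave triggers the same two tools, but four and a half hours apart, so each window sees a single event and nothing reaches the threshold. A single tool can never see that chain; the correlation exists only where all three feeds land in one place.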

The good news is that while many of the threats facing companies are sophisticated, many of them rely on the least amount of effort to infiltrate a company. Attackers will go for unpatched, out of date software versions and misconfigured machines if they can, to avoid giving away their zero-day secrets. Using tools to keep a watchful eye on your network, endpoints and data is one part of the solution. Good threat intelligence is another. Just as important, though, are proper conversations with business counterparts to understand what data you should be trying to protect in the first place. ®
