17 October 2016
“We all hear about the big data breaches, about credit card databases being hacked and sold onto the dark web, about web sites being defaced. But actually what companies are really concerned about now isn’t those established traditional attacks — it’s the really stealthy attackers that don’t necessarily want to steal data but want to look at it. They want to be on your network without doing anything, just observing how it is configured.”
Slow trust attacks
Activity like this can allow attackers to perpetrate slow trust attacks, where the goal is not necessarily to monetise data quickly but to undermine trust in whole systems. These kinds of threats are exceptionally difficult for traditional security systems to spot. It is for this reason that adaptive security is becoming more common.
“Machine learning is changing everything, and automation is going to be absolutely critical. There is no way even a large security team can keep up with the sophistication and speed of threats today — they’re only human. The solution is systems that are automatically learning and adapting autonomously,” Orton said.
“We’re talking about autonomously learning machines that understand what is normal and what is abnormal, and can spot the really early signs of suspicious behaviour or threats.”
According to Dermot Williams, managing director of Threatscape, different companies define the capabilities of adaptive security in slightly different ways.
“For example, Gartner gave one of the definitive views that we’d certainly be in agreement with, which is the idea that looking at security from a single point of potential compromise within your infrastructure doesn’t give you enough visibility anymore. You need to be knitting together the intel,” he said.
“For generations the military has had the phrase ‘operational security’, which is the idea that individual pieces of intelligence might not give too much away but taken as a group they can mean something. For example, in World War II it was the idea that loose lips sink ships.”
If a sailor tells a friend ‘we’ve been given new coats’ then that doesn’t mean much to the enemy, Williams explained. But if someone else tells the same friend ‘we’ve been given malaria jabs’ and a third person says ‘we’ve been given sun cream’, then those three pieces of information make up a pattern and the enemy might guess the destination of the ship as a result.
“Enough little bits of information can make up a pattern that can help the bad guys and that’s what adaptive security is attempting to do – it’s recognising patterns that would otherwise not be visible. It’s about observing that there’s so much activity at the perimeter of the network that you can’t necessarily spot a really sophisticated attack,” said Williams.
“But if we feed all that information into a platform that can interpret it, then we can spot it. And this is where companies like FireEye and Symantec are starting to do interesting things with products like Advanced Threat Protection. Microsoft has its Advanced Threat Analytics (ATA) and we work with LogRhythm, which has good software for this.”
The idea is simple – a company’s antivirus software and firewall might not be able to tell there is an imminent threat to the network, but the information the two of them have together can help create a bigger picture.
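As an added illustration of that "bigger picture" idea (this is example code written for this page, not software from the article or from any vendor it names), the block below correlates weak signals from three separate sources. Each event type carries a weight that is on its own below the alert threshold, so no single source would raise an alert; only when several sources report about the same host within a short window does the combined score cross the line. The log lines, event names, weights, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each line is:
# "<ISO timestamp> <source> <host> <event>"
SAMPLE_LOG = """\
2016-10-17T09:01:10 firewall ws-042 outbound_dns_txt_query
2016-10-17T09:02:05 antivirus ws-042 heuristic_low_confidence
2016-10-17T09:03:40 auth ws-042 logon_outside_business_hours
2016-10-17T09:05:00 firewall ws-107 outbound_dns_txt_query
2016-10-17T14:20:00 auth ws-042 logon_outside_business_hours
"""

# Assumed weight per event type. Every weight is below ALERT_THRESHOLD,
# so a single event from a single product never alerts by itself.
WEIGHTS = {
    "outbound_dns_txt_query": 2,
    "heuristic_low_confidence": 3,
    "logon_outside_business_hours": 2,
}
ALERT_THRESHOLD = 6
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the constructed log format into (timestamp, source, host, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, host, event = line.split()
        events.append((datetime.fromisoformat(ts), source, host, event))
    return events


def correlate(events, threshold=ALERT_THRESHOLD, window=WINDOW):
    """Group events by host and slide a time window over each host's
    timeline. Raise an alert for the host when the summed weight inside
    a window reaches the threshold AND at least two distinct sources
    contributed, which is the 'knit the intel together' condition."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[2]].append(ev)

    alerts = {}
    for host, evs in by_host.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            score = sum(WEIGHTS.get(e[3], 0) for e in in_window)
            sources = {e[1] for e in in_window}
            if score >= threshold and len(sources) >= 2:
                alerts[host] = {
                    "score": score,
                    "sources": sorted(sources),
                    "events": [e[3] for e in in_window],
                }
                break  # one alert per host is enough for this illustration
    return alerts


if __name__ == "__main__":
    for host, detail in correlate(parse_events(SAMPLE_LOG)).items():
        print(host, detail)
```

Running it alerts on ws-042 (firewall, antivirus and auth all reported within ten minutes) and stays silent on ws-107, whose single firewall event scores 2. The two-source requirement is the important design choice: it stops one noisy product from tripping the threshold by repeating itself.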
“That’s what you need to do these days to be able to defeat the really sophisticated and persistent attackers, because the reality is they’re making so much money that they have the resources and the persistence and the ingenuity. They can go out and buy the same defences you’ve got and spend weeks coming up with a way to fool it,” Williams said.
The key to this kind of adaptive security is identity management, also sometimes known as contextual awareness.
“An awful lot of security systems for a long time have been based on the IP address that an end point has. Can this IP address go to that IP address? The answer is yes it can or no it can’t. Traditional security systems look at the traffic that they’re sending between the two based on some signatures and then either flag an alert or let it pass,” said Tony Davitt, technical solutions architect with Cisco.
“That doesn’t really cut it anymore. Instead it makes more sense to ask questions about this traffic, such as ‘is this person using this particular device at this time of day in this particular location allowed access to the network?’ What areas of the network are they allowed access to?”
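To make the contrast Davitt draws concrete, here is an added example (written for this page, not Cisco's code or any product's policy syntax) that evaluates the same request twice: once with a traditional "can this IP reach that IP" rule, and once against a contextual policy that also asks who the user is, whether the device is managed, what time it is and where the request comes from. The ACL, the policy rules, the network area names and the request contents are all constructed assumptions.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Traditional rule: "can this IP address go to that IP address?" (constructed ACL)
IP_ACL = [(ip_network("10.20.0.0/16"), ip_network("10.50.1.0/24"))]


def ip_acl_allows(src, dst):
    """Pure address-pair check, with no notion of user, device or time."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in s and dst in d for s, d in IP_ACL)


# Contextual policy per network area (constructed example rules).
AREA_POLICY = {
    "finance-db": {
        "groups": {"finance", "dba"},
        "managed_device_required": True,
        "hours": (time(7, 0), time(20, 0)),
        "locations": {"IE", "GB"},
    },
    "guest-wifi": {
        "groups": {"staff", "finance", "dba", "contractor"},
        "managed_device_required": False,
        "hours": (time(0, 0), time(23, 59, 59)),
        "locations": None,  # no location restriction
    },
}


def contextual_decision(request):
    """Answer 'is this person, on this device, at this time, in this
    location, allowed into this area?'. Returns (allowed, reasons); every
    failed check is listed so a denial is explainable to an analyst."""
    policy = AREA_POLICY.get(request["area"])
    if policy is None:
        return False, ["unknown network area"]
    reasons = []
    if not (set(request["groups"]) & policy["groups"]):
        reasons.append("user not in an authorised group")
    if policy["managed_device_required"] and not request["managed_device"]:
        reasons.append("unmanaged device")
    start, end = policy["hours"]
    if not (start <= request["time"] <= end):
        reasons.append("outside permitted hours")
    if policy["locations"] is not None and request["country"] not in policy["locations"]:
        reasons.append("location not permitted")
    return (not reasons), reasons


# Constructed request: the address pair is on the IP ACL, so the old rule
# says yes, but the surrounding context is wrong on three counts.
SUSPICIOUS_REQUEST = {
    "user": "alice", "groups": ["finance"],
    "src_ip": "10.20.3.7", "dst_ip": "10.50.1.10", "area": "finance-db",
    "managed_device": False, "time": time(3, 15),
    "country": "ZZ",  # constructed code outside the permitted set
}
# The same user and address pair during a normal working day.
NORMAL_REQUEST = dict(SUSPICIOUS_REQUEST, managed_device=True, time=time(10, 0), country="IE")


if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS_REQUEST), ("normal", NORMAL_REQUEST)):
        print(name, "ip_acl:", ip_acl_allows(req["src_ip"], req["dst_ip"]),
              "contextual:", contextual_decision(req))
```

The address-only check passes both requests because the IP pair is identical; the contextual check passes the daytime request from a managed device and denies the 03:15 request from an unmanaged device in an unexpected location, returning the list of failed checks rather than a bare "no".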