Rapid Detection Is Key To Cyber Attacks On Business

Uploaded on 2017-05-22 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

There are now so many cyberattacks that many enterprises simply accept that hackers and bad actors will find ways to break into their systems.

A strategy some large businesses have developed over the past two years has been to quickly identify and isolate these attacks, possibly by shutting down part of a system or network so the hackers won't get days or weeks to root around and grab sensitive corporate data.

This enterprise focus on rapid detection and response to various attacks on networks and computers doesn't replace conventional security tools to prevent attacks. Instead, businesses are relying on both prevention software and detection software.

What's happened most recently is that security software vendors are developing means to evaluate attacks with advanced analytics. That analysis can be fed back into existing prevention systems to help thwart future attacks. Detection becomes part of a security cycle, at least in theory.

"There's a big focus on rapid detection and response in enterprises because prevention often misses the intrusions and malicious activities," said Gartner analyst Avivah Litan in an interview. The focus started in earnest about two years ago following a big increase in data breaches at US retailers, restaurants and hospitals.

"Security officials woke up and realized with $80 billion spent [in 2014] on prevention, a lot of attacks were getting through," Litan said. The main intent is to find attacks early "so that attackers won't get in and sit around for six months and silently steal information, as most attackers do."

James Moar, an analyst at Juniper Research, said the modern state of cybersecurity has evolved. "There is no longer a reliable network perimeter than can be guarded, but rather a series of risks that have to be mitigated or exposed," he said in an email. "In order to protect and secure such an environment, anomaly detection tools are the first step in determining if an attack is underway."

How Detection Helps

What typically happens when an attack is detected is that security managers will isolate it, often by confining the malware or other threat to a portion of a corporate network where, as few endpoints (servers and computers) as possible, can be attacked. For a large company, a network could be comprised of a number of combined smaller networks that can be arranged in a topology that allows many vital business functions to continue even when one portion is shut down.

"Folks in security management are doing a lot more segmenting of their networks these days, so that if they detect something major, they can shut off a portion," said IDC analyst Robert Ayoub, in an interview.

An old deception approach, called a honey pot, is coming back into vogue in networks inside some security groups, he said. "Research organisations and some managed service providers will try to lure [attackers] in to see what attacks are being used. We have seen a lot of renewed interest in deception technology, although there's not yet mainstream adoption."

Computer scientists at Penn State University described a decoy network approach to help deflect a hacker's hits. The researchers created a computer defense system that senses possible malicious probes of the network. Then, attacks were redirected with a network device called a reflector to a virtual network which contained only hints of the real network. The researchers simulated the attack and the defense without using an actual network but plan to deploy it in an actual network.
Detection software usually works by digging up anomalous behaviors. The most evolved detection systems work from a baseline of normal activity on a network or server, computer or other, endpoint device, Litan said.

A profile of normal behaviors by users, the amount and type of data transmitted in a system and other network activity are constantly compared with ongoing transactions using advanced analytics, she said.

"These approaches might even look at a user's activity relative to his colleagues to see if he's doing something unusual," she said. Recently, some security vendors have begun using machine learning to bolster the analytics.

Here's one example of how detection analytics might work: A procurement request made at 3 a.m. in Singapore by an employee based in London could be flagged as questionable. But the security system could check a corporate travel app and see that the employee had a flight and hotel booked in Singapore and then approve the procurement.

Or, a totally different result might occur, depending on corporate policies, such as requiring a manager's approval for the procurement.

Detection Products

Detection products are abundant and are being updated with the newest technology by nearly every security vendor, analysts said. "There are well over a hundred vendors in this space, including all the major names like McAfee, Cisco and Symantec, down to newer ones like Phantom," Ayoub said.

These products are deployed in the U.S. mainly by large banks, retailers, technology and defense-related companies, Litan said. Small and mid-tier companies have the option of hiring a managed service provider to provide detection services as part of a larger package of security products. Such service providers include large telecommunications companies, but also smaller cybersecurity firms like Cybereason and Crowdstrike, among others.

Gartner divides the detection technologies used by enterprises into three relatively new markets that incorporate advanced analytics. Endpoint [threat] detection and response (EDR) was more than a $600 million market in the U.S. in 2016. User and entity behavior analytics (UEBA) was a $100 million market last year. Network traffic analysis (NTA) is a third new area, but Gartner didn't provide an estimate for the size of that market.

These newer detection markets can be compared to a much larger but older detection technology market called security information and event management (SIEM), which Gartner said reached about $1.6 billion in US revenues in 2016. The major distinction between SIEM and the newer technologies is that SIEM is rules based, while newer detection systems rely on advanced analytics which typically, but not always, include machine learning software, Litan said.

Advice to Security Teams

A combination of newer detection tools with older prevention tools is how large enterprises are typically addressing their security needs.

"With security, there's always room for improvement, and you'll never solve all security problems," Litan said. "You can't only have prevention. You have to have detection, but there's no silver bullet."

Jack Gold, an analyst at J. Gold Associates, agreed. "It's not really one or the other," Gold said. "If you can find a hack quickly and shut it down, then you've essentially prevented a breach. The best approach is one that's layered with both prevent and detect. Just to have one or the other isn't as secure as deploying both. Many vendors are moving in that direction as well."

Juniper's Moar said it is "vital" for enterprises to have a detection tool that works well with their prevention and mediation software.

"Having a tool that shows threats is useless if you can't counter those threats," Moar said. "Software that seeks out new connections on the company network, making them visible to security detection and remediation, eliminates this problem."
Before a company buys detection products, Litan said there are a series simple steps that can be taken to tighten up systems. That includes what may seem obvious: remove administrator privileges from end user accounts so that malware can't be distributed throughout a system.

"There's a lot you can do before spending more on detection as you wait for vendors to get smarter. My main piece of advice is you make sure you work closely with the vendors and make sure you have their current version," Litan said.
Litan said vendors are working on developing automated detection tools that may eventually reduce a company's heavy reliance on security analysts to track attacks.

Even so, Ayoub said security remains an ever-expanding field that will continue to rely on people power. "If a security event happens, a company will start collecting data around it, which still requires certain skill sets that aren't generally available. We still need security analysts to track this stuff down."

Computerworld

You Might Also Read:

Directors Report January 2017. Cyber Security Checklist For Management (£):

Technology Can Not Diminish Insider Threats By Itself:

Four Steps To Managing Cyber Security Better:

 

« Just Who Are Russia's Cyber Warriors?
Systemic Cyber Attacks Most Likely In Finance & Energy Industries »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

National Defence Radio Establishment (FRA) - Sweden

National Defence Radio Establishment (FRA) - Sweden

The National Defence Radio Establishment (Försvarets Radioanstalt), is the Swedish national authority for Signals Intelligence, also providing Information assurance services to government authorities.

Certes

Certes

Certes is a pioneer in delivering cutting-edge security technology solutions, with a specific focus on Data Protection Risk Mitigation (DPRM).

Ridgeback Network Defense

Ridgeback Network Defense

Ridgeback is an enterprise security software platform that defeats malicious network invasion in real time. Ridgeback champions the idea that to defeat an enemy you must engage them.

CryptoTec

CryptoTec

CryptoTec is a provider of security concepts and encryption solutions for secure communication between decentralized computerized systems.

Cyber Army Indonesia (CyberArmyID)

Cyber Army Indonesia (CyberArmyID)

Cyber Army Indonesia (CyberArmyID) is the first platform in Indonesia to collect and validate reports from hackers (referred to as Bug Hunter) regarding vulnerabilities that exist in an organization.

authUSB

authUSB

authUSB Safe Door is a tool that provides secure access to the content of USB devices that circulate in organizations.

Assertion

Assertion

Assertion secures your collaboration (UC/CC) systems from cyber risks. Enforcing the right set of controls and monitoring them continually brings down risk to acceptable levels.

Department of Justice - Office of Cybercrime (DOJ-OOC) - Philippines

Department of Justice - Office of Cybercrime (DOJ-OOC) - Philippines

The Office of Cybercrime within the Philippines Department of Justice is the Central Authority in all matters relating to international mutual assistance and extradition for cybercrime.

Ensurity Technologies

Ensurity Technologies

Ensurity is a deep-tech cybersecurity engineering company; designs and manufactures specialized secure hardware, software, and mobile application solutions.

Sekuro

Sekuro

Sekuro is your leading governance and cyber security partner. Building organisational resilience. Enabling fearless innovation.

NGN International

NGN International

NGN International is a full-fledged systems integrator and managed security services provider established in 2015 in Bahrain.

Tech Seven Partners

Tech Seven Partners

At TechSeven Partners, we provide a full suite of cyber security solutions for your business including network monitoring, onsite and cloud backup solutions, HIPAA or PCI compliance.

Lightpath

Lightpath

Lightpath is revolutionizing how organizations connect to their digital destinations by combining our next-generation network with our next-generation customer service.

CyberHive

CyberHive

CyberHive offer a complete suite of threat protection modules that seamlessly integrate to block current, as well as future threats.

Aryon Security

Aryon Security

Aryon Security is redefining cloud security with the ability to enforce cloud strategy with confidence, enabling organizations to prevent risks before they emerge.

Sorenson Capital

Sorenson Capital

Sorenson Capital is a leading venture capital firm focused on investing in early and growth-stage AI, cybersecurity, B2B software, and DevOps & infrastructure companies.