Speeding Up Breach DetectionOrganizations Must Balance Technology, Process Improvements
See Also: Threat Intelligence - Hype or Hope?
One reason for the lengthy detection time is two-thirds of organizations are told about a breach by a third party, rather than discovering it themselves, says Dave Merkel, chief technology officer at FireEye. "It's the FBI showing up with your 'wallet,'" he says. "Or even worse, your customer shows up [to tell you about a breach]."
Organizations looking to speed up breach detection on their own, rather than relying on others, need to improve their data analytics capabilities, prioritize the type of data they want to collect and analyze, and ensure they have appropriate staff who can take the time to review the data for suspicious activity.
In addition, entities in all sectors need to leverage their networks to segment and protect critical data, participate in threat intelligence sharing to spot signs of a breach and proactively scan the Internet for company data that could indicate a compromise has happened.
The bottom line? Security professionals need to pay as much attention to breach detection as they do to breach prevention, experts say. "We know that breaches are going to happen," says Mike McCann, a consultant at Signum Security, which advises organizations on security matters. "What can we do to mitigate response times and mitigate the impact?"
But while it's easy to blame poor breach detection on security professionals "not paying attention," the bigger issue is the complexity of networks, says Anton Chuvakin, a vice president of the security and risk management research team at Gartner. "IT complexity just makes detection very difficult."
Too Much Data
The main problem with breach detection is the "sheer overload" of data that an organization has to comb through to find anomalies, says Mike Lloyd, chief technology officer at RedSeal, a network security firm. That information can come from social media, e-mail, SIEM [security information and event management] data, malware alerts and Web pages, and can include telecom data, unstructured data, IP addresses and more.
In the Target data breach, for instance, the retailer reportedly failed to heed an alert warning that malware was detected on its systems shortly before its massive breach that compromised 40 million credit and debit cards as well as personal information about some 70 million customers (see: Did Target Ignore Security Warning?).
The alleged failure at Target is a classic example of overload, Lloyd says. "We can build a great many sensors, but when we do, we just get a great many alerts - far too many for the human defenders to process."
Organizations looking to improve breach detection need to establish a collection management process, which includes identifying the key threats for which they want to track indicators, says McCann, the consultant. "With all of the data at their fingertips, most people are not prioritizing," he says.
In addition to identifying their areas of potential vulnerability, organizations should consider whether there are time periods when they're most susceptible to a cyber-attack. "A Friday before a long holiday, [for instance], could be typical for a botnet attack," McCann says. "From there, you build out your intelligence gathering requirements based on that."
Once an organization has determined its key threat mitigation priorities, it needs to devise an efficient method for analyzing the massive amount of data it collects when looking for indicators of those threats. Doing that manually is nearly impossible, McCann says. "What we need to do is analyze all the data not for a key footprint of a specific piece of malware, but the indications that the precursors or indicators of a [breach] event may be occurring."
Predictive threat analytics tools can help with that process, says Lloyd at RedSeal. This technology enables an organization to figure out what a potential attack would look like and where the main defensive gaps are. "This helps with speed of response," he says.
But visibility isn't only about "collecting logs and capturing packets," Chuvakin says. "Visibility is also the human and operational side." And that involves not only watching alerts, but actively exploring the collected data and networks for anomalies - a practice Chuvakin refers to as "code hunting."
In combing through data from the network and endpoints, organizations need to ask several questions, says Bob Shaker, senior incident response manager at security vendor Symantec. Those questions include: Is this adversary data relevant to me? And what indicators should I really be looking for?
Organizations typically spend too much time either developing security strategies or putting out fires, Shaker says. "They don't [take] the time to look at [various] data [points] critically and determine that a low-and-slow attack is under way."
Many security tools, such as malware detection technologies and security information and event management systems, can aid in looking for anomalous behavior, Chuvakin says. "[Technologies] can work, but they won't without people who know how to run them, who actually care to go and do it," he adds.
The Target breach, apparently, was an instance where the technologies were in place and working, but a gap in operations and staffing may have led to the compromise. "The process breakdown that happened there is nightmarish," Chuvakin says. "That points to the fact that process improvements and dedicated personnel is where most of the breakdowns are."
Understanding the Network
Another key to detecting breaches more quickly is to know precisely where sensitive data is located on networks and then monitor for unauthorized access, Chuvakin says.
Security leaders need to become "obsessed" about knowing their network better than the cyber-attacker, he suggests. "I've seen examples where an attacker comes in and knows where the sensitive data is better than the defenders. To me that's insane."
To make it easier to determine where sensitive data is located, organizations should map out their network and identify the critical areas that matter most, Lloyd at RedSeal says. Using network segmentation, organizations should isolate their critical assets into a separate zone on the network that can be monitored more closely. "This makes the breach detection problem far, far easier," he says. "Instead of monitoring all the [data] up and down the network, you can monitor just a key location, or set of locations."
Another key step is sharing cyberthreat intelligence with others to help detect possible incidents, says Al Pascual, director of fraud and security at Javelin Strategy and Research. "Businesses are most likely to identify a breach after being notified by a third party," he says. "Rather than waiting, working more closely through a trusted [information sharing] platform or intermediary could significantly hasten detection."
Organizations should also comb the Internet and the underground criminal forums for evidence that company data and customer information is being bought, sold or traded, Pascual says. "Breaches typically start outside of an organization and that is where the data eventually ends up," he says. "So it only makes sense to look in those dark corners of the Web where cybercriminals lurk to determine whether or not your organization has been breached."