Making intrusion prevention and malware protection work together to combat modern attacks

There’s a lot of talk in the security industry and among organisations about the threats we face – malware, advanced persistent threats, zero-days, targeted attacks, viruses, Trojans, Distributed Denial of Service attacks, worms, phishing...the list goes on and on. But no matter how you parse it, it all comes down to threats. More specifically, two fundamental types of threats: known and unknown.

Known threats are the threats security tools are designed to detect and protect against. Still, successful attacks by known threats happen and there’s room for improved protection.

Historically, static defences quickly lose touch with the environment they’re meant to protect, reducing their effectiveness. Most lack real-time network visibility to notice changes to the IT environment and adjust defences accordingly, the ability to detect polymorphic files that change just enough to fool signature engines, and the ability to share intelligence with other security tools.

Unknown threats pose an even greater challenge for defenders. These sophisticated threats stealthily evade detections, moving through an environment to reach the target and establishing a beachhead for subsequent attacks. Traditional, point-in-time detection tools, like sandboxing that analyses files in a tightly controlled environment, can mitigate some risk but don’t – and can’t – continue to track files to retrospectively detect, understand and stop threats that initially appear to be safe but later exhibit malicious behaviour.

As an IT security professional, it’s your job to protect against both types of threats. While it is a challenge, it isn’t insurmountable. Three advanced technologies can make intrusion prevention systems (IPS) smarter and malware protection more efficient: contextual awareness, big data analytics and collective security intelligence – all working together.

Contextual Awareness: Today’s extended networks include endpoints, mobile devices, virtual environments and data centres. Attackers often know more about these networks than the network owners do, and use that knowledge to their advantage. For security tools to be effective they need complete contextual awareness of the dynamic environment they protect. Consider technologies that offer continuous and total visibility into all devices, applications and users on a network, as well as an up-to-the-minute network map, including profiles of client applications, operating systems, mobile devices and network infrastructure – physical and virtual. Smarter security solutions use the data related to your specific environment, together with automation, to help you make more informed and timely security decisions. Visibility into file activity is equally important – knowing a file’s heritage, behaviour and network trajectory provides additional context, or indicators of compromise, which help to determine malicious intent and impact, and accelerate remediation.

Big Data Analytics: Security has become a big data problem. Technologies that tap into the power of the cloud and sophisticated analytics of large data sets are needed to deliver the insight organisations need to identify more advanced, highly targeted threats. The virtually unlimited, cost-effective storage and processing power of the cloud lets users store and monitor information about unknown and suspicious files across your entire IT environment and beyond. Security tools that use a telemetry model to continuously gather data across the extended network and then leverage big data analytics help to detect and stop malicious behaviour even after a threat has passed through the initial lines of defence. This deeper level of analysis identifies threats based on what the file does, not what it looks like, enabling detection of new unknown types of attacks.
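The retrospective detection described above (a file that passes point-in-time sandbox analysis but is flagged malicious later) and the file-trajectory context from the previous section both rest on the same idea: keep every file sighting from endpoint telemetry, so that a verdict change can be applied backwards to find where the file entered and which hosts were exposed. The following Python is an added illustration written for this page, not Sourcefire or Cisco code; the `FileTrajectoryStore` class, the `Sighting` fields and all hosts, hashes and timestamps are constructed for the example.

```python
"""Retrospective detection over constructed file-sighting telemetry (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sighting:
    ts: int                             # time seen, seconds since epoch (constructed)
    host: str                           # endpoint that reported the file
    sha256: str                         # file hash reported by the endpoint agent
    source: str                         # arrival vector: "email", "web", "smb-copy", ...
    parent_host: Optional[str] = None   # host the file was copied from, when known


class FileTrajectoryStore:
    """Hypothetical telemetry store: keeps every sighting so a later verdict can be applied to the past."""

    def __init__(self) -> None:
        self._sightings = defaultdict(list)   # sha256 -> [Sighting]
        self._verdicts = {}                   # sha256 -> (verdict, ts of verdict)
        self._alerts = []                     # retrospective alerts raised so far

    def record(self, s: Sighting) -> str:
        """Store a sighting and return the inline decision for this hash right now."""
        self._sightings[s.sha256].append(s)
        verdict, _ = self._verdicts.get(s.sha256, ("unknown", None))
        return "block" if verdict == "malicious" else "allow"

    def set_verdict(self, sha256: str, verdict: str, ts: int) -> Optional[dict]:
        """Apply a (possibly later) verdict. Flipping to malicious raises a retrospective alert."""
        old, _ = self._verdicts.get(sha256, ("unknown", None))
        self._verdicts[sha256] = (verdict, ts)
        if verdict == "malicious" and old != "malicious":
            # Every host that saw the file before the verdict arrived was exposed while
            # the point-in-time verdict (or no verdict) said the file was fine.
            exposed = sorted({s.host for s in self._sightings[sha256] if s.ts < ts})
            alert = {
                "sha256": sha256,
                "verdict_ts": ts,
                "entry": self.entry_point(sha256),
                "exposed_hosts": exposed,
                "spread": self.spread_edges(sha256),
            }
            self._alerts.append(alert)
            return alert
        return None

    def trajectory(self, sha256: str) -> list:
        """All sightings of a hash in time order: the file's network trajectory."""
        return sorted(self._sightings[sha256], key=lambda s: s.ts)

    def entry_point(self, sha256: str) -> Optional[tuple]:
        """First host and arrival vector for the hash: where it got in."""
        t = self.trajectory(sha256)
        return (t[0].host, t[0].source) if t else None

    def spread_edges(self, sha256: str) -> list:
        """(from_host, to_host) pairs reconstructed from parent_host fields."""
        return [(s.parent_host, s.host) for s in self.trajectory(sha256) if s.parent_host]

    def alerts(self) -> list:
        return list(self._alerts)


def run_scenario() -> dict:
    """Constructed timeline: sandbox says clean at t=120, community intelligence says malicious at t=900."""
    h = "c0ffee00" * 8   # constructed placeholder hash, not a real sample
    store = FileTrajectoryStore()
    first = store.record(Sighting(100, "ws-01", h, "email"))          # unknown file: allowed
    store.set_verdict(h, "clean", 120)                                 # point-in-time sandbox verdict
    store.record(Sighting(250, "ws-07", h, "smb-copy", parent_host="ws-01"))
    store.record(Sighting(400, "srv-02", h, "smb-copy", parent_host="ws-07"))
    alert = store.set_verdict(h, "malicious", 900)                     # retrospective flip
    later = store.record(Sighting(950, "ws-12", h, "smb-copy", parent_host="srv-02"))
    return {"first": first, "alert": alert, "later": later, "store": store}


if __name__ == "__main__":
    result = run_scenario()
    print("entry point:", result["alert"]["entry"])
    print("exposed before verdict:", result["alert"]["exposed_hosts"])
    print("spread path:", result["alert"]["spread"])
    print("new sighting after verdict:", result["later"])
```

The point of the design is that the store never discards a sighting once a file has been judged clean: a clean verdict is just the current state, not a reason to stop watching. When the verdict flips, `set_verdict` returns the entry point, the exposure list and the copy path in one alert, which is the information an incident responder needs first; any sighting after the flip is blocked inline by `record`.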

Collective Security Intelligence: To identify more obscured threats, there’s strength in numbers. Individual files shouldn’t be analysed in a vacuum – collective security intelligence enabled by the cloud is required. Look for security technologies that can draw from a widespread community of users to collect millions of file samples and separate benign file and network activity from malicious based on the latest threat intelligence and correlating symptoms of compromise. Going a step further, this collective intelligence can be turned into collective immunity by sharing the latest intelligence and protections across the user base.

Attackers have learned how to find and anticipate gaps in protection and evade detection. Using real-time visibility, big data analysis and community intelligence to connect traditionally disparate technologies is what it will take to defend modern networks against modern attacks. To protect more effectively against known and unknown threats, IPS, malware protection and IT professionals must work together, in a continuous fashion, to secure networks, endpoints, virtual machines and mobile devices.

Chris Wood is regional director, A/NZ at Sourcefire, now a part of Cisco.