Most security organizations have historically been focused on the prevention portion of the prevent-detect-correct threat defense lifecycle. The proliferation of some high-profile security breaches in the past few years, however, has demonstrated the weakness in that strategy.
Cracks exist in even the most formidable security defenses. Attackers have become ever more sophisticated and persistent. And employees continue to make bad decisions that expose their organizations to breaches.
In many of the attacks we’ve seen this year, once the attackers get a foothold, they can move freely with little chance of detection. That’s because companies have put most of their efforts into prevention. Sooner or later, a sustainable security operations system will require a balanced emphasis on detection and correction to accompany prevention efforts.
This shift is about a mindset. Security in this new age is no longer about building a moat and a castle wall and then ensuring compliance. It’s now about putting in place a sustainable, proactive approach to ensure that your enterprise can adapt intelligently and quickly as new forms of threat are identified.
Using continuous monitoring techniques can help you improve security operations by proactively spotting abnormal network activity or user behavior aimed at exfiltrating your organization’s digital crown jewels. Here’s one snapshot of how daunting this needle-in-the-haystack challenge can be: We recently worked with a large healthcare agency whose security information and event management (SIEM) system was processing more than 700 events per second – about 17 million each day – from more than 50,000 endpoints. The agency’s ability to filter out the noise, detecting and validating relevant attacks, was very limited. Triage, evidence collection, and forensic analysis were all manual and reactive.
Attackers are drawn to these types of environments. They will take advantage of poorly architected networks with no segmentation, moving laterally across an IT system (pivoting) and abusing poorly configured or unpatched systems (elevation of privileges), as well as local admin accounts that share the same credentials across machines and well-known credential-theft techniques such as pass-the-hash or pass-the-token attacks.
They can then enlist standard system administration tools such as Microsoft PowerShell, and other sysadmin tools such as Windows Sysinternals, to disguise their network snooping. This type of pervasive activity can go on for months, or years, with the targeted organization none the wiser.
This is why it becomes imperative to establish a baseline view of what “normal” information flows look like in your IT environment. You need to understand normal so that you can begin to prioritize activities that appear to be most outside the norm. Focus on the critical assets in your IT systems:
- Create a list of prioritized defended assets:
  - Domain controllers, Exchange servers, network infrastructure devices
  - Internal databases and web servers
  - External-facing data-providing services
- Associate pre-approved incident response actions with them:
  - Blocking ports
  - Blackholing traffic
  - Disabling accounts
  - Isolating the system
  - Scanning for vulnerabilities, etc.
Continuous monitoring gives you insight into the data flows in your enterprise – the “how” of things happening in your IT environment, not just the “who.” A good continuous monitoring program includes collection and analysis of data from which indicators of attack and indicators of compromise can be extracted from various sources, such as:
- Browsing patterns
- DNS logs
- Netflow traffic
- Services and processes running on servers and workstations
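As an added example (not from the original article), the following builds the kind of “normal” baseline the text calls for from constructed netflow-style daily summaries and flags the days on which a host’s outbound volume falls far outside its own history. Hostnames, addresses, byte counts and the z-score threshold are all constructed for illustration.

```python
"""Per-host egress baseline with deviation flagging (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily netflow summaries: (day, src_host, dst, bytes_out)
FLOWS = [
    # ws-17: quiet workstation for five days, then a large pull on d6
    ("d1", "ws-17", "10.0.5.20", 100_000),
    ("d2", "ws-17", "10.0.5.20", 110_000),
    ("d3", "ws-17", "10.0.5.20", 90_000),
    ("d4", "ws-17", "10.0.5.20", 105_000),
    ("d5", "ws-17", "10.0.5.20", 95_000),
    ("d6", "ws-17", "203.0.113.9", 2_400_000),
]
# srv-db: steady replication traffic with only a small drift on d6
FLOWS += [(f"d{i}", "srv-db", "10.0.5.21", 500_000) for i in range(1, 6)]
FLOWS += [("d6", "srv-db", "10.0.5.21", 520_000)]

# Days that define "normal" for every host (constructed)
BASELINE_DAYS = {"d1", "d2", "d3", "d4", "d5"}


def daily_egress(flows):
    """Sum outbound bytes per host and day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def flag_deviations(flows, baseline_days, z_threshold=3.0):
    """Return (host, day, z) for non-baseline days whose egress exceeds the
    host's own baseline by more than z_threshold standard deviations."""
    alerts = []
    for host, per_day in daily_egress(flows).items():
        base = [per_day[d] for d in baseline_days if d in per_day]
        if len(base) < 2:
            continue  # too little history to call anything abnormal
        mu = mean(base)
        # Floor sigma at 5% of the mean so a perfectly flat baseline
        # does not turn every small drift into an alert.
        sigma = max(pstdev(base), 0.05 * mu)
        for day, nbytes in per_day.items():
            if day in baseline_days:
                continue
            z = (nbytes - mu) / sigma
            if z > z_threshold:
                alerts.append((host, day, round(z, 1)))
    return alerts
```

The same structure applies to DNS query counts or process-launch counts per host; only the metric summed in `daily_egress` changes.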
By adopting an optimized continuous monitoring approach, you assume your organization will be compromised – or has been already. Your focus then shifts from compliance-driven prevention to one of actively seeking out and countering threats to your most valuable digital resources.
What’s involved in this approach? SIEM solutions that were previously buried under millions, or billions, of external alerts and events can be fine-tuned to ingest logs that are meaningful in detecting suspicious internal activity. Organizations can also deploy tools such as internal honeypots and use other attacker deception techniques like honey tokens as early warning systems, alerting when the attacker is already in.
A good defense starts with a solid foundation; in this case, a solid network architecture. By properly segmenting your network, for example, you can concentrate your security defenses and monitoring around the areas that contain your most valuable digital resources. This makes it harder for the attackers to accomplish their goal as they move laterally to find access to the crown jewels, increasing the chances for prevention and detection via ingress and egress filtering.
Your goal is not to prevent all compromises, but to prevent the attacker from being successful. In the end, time becomes your ultimate enemy and speed your weapon. You need to compress dwell times in detection and remediation.
Achieving speed in continuous monitoring comes down to:
- In-house capabilities (a custom combination of people + process + tools)
- Incident response automation
- Rehearse, rehearse, rehearse
- Logical segmentation of:
  - Managed from unmanaged devices
  - Different levels of trust
  - Sensitive data from nonsensitive data
  - Devices that access sensitive data from those that don’t
  - Wireless vs. wired
When you understand where your crown jewels are and how they should be accessed, you are better prepared for segmentation.
Moving from passive prevention and detection to proactive defense not only makes your enterprise better prepared for the inevitable breach, but also improves your operational maturity by giving you visibility into normal vs. abnormal activity and minimizing the noise in your SIEM monitoring. And it helps your enterprise by:
- Improving skills and team building
- Achieving faster reaction to attacks
- Gaining better visibility of network and endpoint security