Improving the Lifecycle of Threat Defense Effectiveness
When a new security tool or technique is released, Version 1.0 is usually pretty effective, and successive versions get even better with real-world scenarios and user feedback. Eventually, the bad guys realize that this new thing is causing them real problems, so they start looking for ways over, around, or through it. They conduct experiments, find vulnerabilities, develop evasion techniques and exploits, and the new thing’s effectiveness gradually declines.
Talking with McAfee thought leaders, we developed a list of hard-to-solve problems that together shorten the threat defense effectiveness lifecycle. When we fix these problems, we will lengthen the lifecycle. The hard-to-solve problems, along with early industry efforts to fix them, are detailed in the McAfee Labs 2017 Threat Predictions report. These problems cannot be solved with a patch or a new security tool. They need foundational research, lots of development, and a collaborative effort throughout the security industry.
Unlike during many conflicts, cybercriminals have far more information about our security techniques and defenses than we have about their attacks. They can test against security products and real-world defenses without consequences, and we cannot see most of what they are doing. If we share more information with each other about what we learn, we can build more complete attack pictures, identify potential weaknesses in our technologies, and work quickly to adapt and improve. Because money is the prime motivator for most attacks, anything we can do to make attacks less profitable, increase the likelihood of consequences, and support law enforcement activities will help.
Attacks are often not discovered until long after data has been stolen. Shadow IT, multiple cloud types, personal devices, and the disappearing network perimeter have made it more difficult for security operations to know what is where. As a result, the trend is away from absolute protection and toward informed risk management. Tools that identify and classify data, monitor its movement, and encrypt it or block its path are needed to identify and modify risky behavior, and build a clearer risk profile.
Exploitation of legitimacy
For all the talk of sophisticated hackers and complex exploits, legitimate credentials stolen through phishing and other social engineering attacks that target human vulnerabilities is the tool of choice for many cybercriminals. Telling the difference between valid and suspicious activity on a legitimate account is very difficult. Behavioral analysis to detect suspicious activity is a good start, but we need to move to a transactional model that evaluates the potential intent of individual actions and data movements. One possibility is the addition of user reputation information to behavioral analysis. This is a very delicate issue that might involve attributes such as job role, tendency to reuse passwords, typical working hours and locations, and even details from HR databases to determine whether a suspicious action is malicious.
Finally, new device types with little memory or computing capacity, a proliferation of limited-scope operating systems, and devices that cannot be updated are moving security away from the traditional agent-based approach to protection. Chips will need enhanced hardware-level security and trusted execution environments, supported by elastic cloud-based behavioral analysis and threat processing, and informed by large networks of shared threat intelligence.
Cybersecurity has some pretty big problems, but collaborative efforts between security vendors, law enforcement organizations, and affected companies will help lengthen the threat defense effectiveness lifecycle.
To read the full details about these and other hard-to-solve problems and early efforts by the security industry to resolve them, download the McAfee Labs 2017 Threats Predictions report.