By Carolyn Crandall, Attivo CMO
“A security solution is only as good as its weakest link” is one of those hackneyed phrases that keeps popping up because it’s true. As cyber attacks become increasingly sophisticated and numerous, the number of potential weak links also grows.
Weak links can span core parts of the security solution or areas peripheral to it. A core issue might be a firewall that the IT and security team deployed to protect a database but that is not equipped to block application-level attacks such as SQL injection. A peripheral issue might be basic user error, such as choosing overly simplistic passwords or connecting a BYOD device that lacks the organization’s security controls.
Among the many issues that IT and security teams run into as they try to keep up, below we discuss the three that tend to pop up most often.
Maintenance – At a large organization, there are endless details and maintenance updates required to keep a comprehensive security solution up to date. The IT and security team may be continuously upgrading these components to keep pace with the most current APTs and BOTs. However, failing to address just a few areas at the time a new cyber attack hits those areas can result in a breach that goes undetected. This is compounded by reliance on human behavior to apply updates, by human error, and in many cases simply because the attack is a new strain for which signatures or patches are not yet available.
Failure to Deploy Defense in Depth – No single security solution can protect an enterprise today. The threat of sophisticated cyber attacks calls for an equally sophisticated system of defense. A comprehensive defense infrastructure includes both protection and detection and is composed of four key elements: firewalls/IDSs/IPSs, sandboxes, breach detection solutions, and virus scan applications. IT and security teams must continuously search for improved capabilities in each of these four elements. Of course, each element must fit the specific architecture of the network, the needs of the users, and the ability to scale across all private network and cloud environments.
The Right Solution But the Wrong Technology – IT and security teams may deploy the right type of solution but select a product with out-of-date or less effective technology. This is especially true of breach detection solutions. Traditional detection solutions rely on heavy monitoring and database lookups. The compute intensity required to manage high-traffic networks often leaves data centers exposed, either because of cost or because of the overwhelming alert volumes generated while trying to monitor east-west traffic. The most effective of these solutions are deception platforms that are not in-line and instead use deception to lure, identify, analyze, and capture the attack information of APTs and BOTs. Deception solutions present themselves as decoys alongside actual company servers and are based either on emulation or on real operating systems.
In an emulation strategy, one or more virtual machines (VMs) emulates an organization’s network, services, and operating systems based on that network’s architecture. The VMs deceive the malware into attacking the emulated environment versus the actual one. The benefits are obvious, but there are downsides.
First, emulation solutions are not active and aren’t able to engage with a cyber attack beyond initial detection, which prevents them from providing the Tactics, Techniques and Procedures (TTPs) of the attack to the IT and security team. Emulated systems do not reproduce the depth of tools that administrators use and that attackers rely on extensively for lateral movement. Additionally, because emulated solutions don’t fully engage and complete the attack cycle, they can be more easily identified by the attacker. Emulated environments are also limited in their configurations and will likely stand out from real servers when they do not match the “golden image” or environment they are trying to emulate.
Basing the deception strategy on real operating systems that also run the expected protocols or services, on the other hand, has all the advantages and none of the negatives of an emulation strategy. By running real operating systems and customizing services so that only the applications used in an organization’s environment are turned on, the deception server becomes an authentic decoy that can be virtually indistinguishable from an actual server. The ability for a company to load a “golden image” on the decoy or install custom applications creates an environment with the highest degree of deception. It is critical that the deception platform effectively “fool” the APT or BOT into treating the platform as the actual network.
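The detection property the post leans on in this section is simple: a decoy has no legitimate users, so any connection to it is worth an alert, and grouping those alerts by source shows which internal host is touching decoys. The listener below is an added illustration of that property and is not code from Attivo or the BOTsink product; it binds a single decoy port on localhost, answers with a constructed SMTP-style banner, records who connected and the first bytes they sent, and summarizes alerts per source. The banner text, the port choice, and the `probe_decoy` helper that stands in for a scanner during a local run are all assumptions made for the example.

```python
"""Minimal decoy listener: every connection to a decoy port is an alert,
because no legitimate user or service has a reason to talk to it.
Added example; not the product's code. Runs entirely on localhost."""
import socket
import threading
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class DecoyAlert:
    seen_at: str          # UTC timestamp of the connection
    source_ip: str        # who touched the decoy
    source_port: int
    decoy_port: int       # which decoy service was touched
    first_bytes: bytes    # up to 64 bytes the client sent, for triage


@dataclass
class DecoyRecorder:
    """Thread-safe sink for alerts; a real deployment would forward to a SIEM."""
    alerts: list = field(default_factory=list)
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def record(self, src, decoy_port, first_bytes):
        alert = DecoyAlert(
            seen_at=datetime.now(timezone.utc).isoformat(),
            source_ip=src[0],
            source_port=src[1],
            decoy_port=decoy_port,
            first_bytes=first_bytes[:64],
        )
        with self._lock:
            self.alerts.append(alert)
        return alert


# Constructed banner; a decoy would mirror whatever the real servers run.
DEFAULT_BANNER = b"220 mail.example.internal ESMTP\r\n"


def serve_decoy(recorder, host="127.0.0.1", port=0, banner=DEFAULT_BANNER,
                max_connections=1, timeout=5.0):
    """Bind a decoy port, accept up to max_connections in a background
    thread, and record each connection as an alert. Returns (port, thread);
    port=0 lets the OS pick a free port so the example runs anywhere."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    sock.settimeout(timeout)
    bound_port = sock.getsockname()[1]

    def loop():
        try:
            for _ in range(max_connections):
                try:
                    conn, src = sock.accept()
                except socket.timeout:
                    break
                with conn:
                    conn.settimeout(timeout)
                    try:
                        conn.sendall(banner)      # look like a real service
                        data = conn.recv(64)      # capture the probe's first bytes
                    except OSError:
                        data = b""
                    recorder.record(src, bound_port, data)
        finally:
            sock.close()

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return bound_port, thread


def summarize(recorder):
    """Group alerts by source IP: 'host X touched decoy ports [...]'."""
    by_source = {}
    for alert in recorder.alerts:
        by_source.setdefault(alert.source_ip, set()).add(alert.decoy_port)
    return {ip: sorted(ports) for ip, ports in by_source.items()}


def probe_decoy(port, payload=b"EHLO probe\r\n", host="127.0.0.1"):
    """Constructed stand-in for a scanner touching the decoy from the same
    machine; returns the banner it received so the run can be checked."""
    with socket.create_connection((host, port), timeout=5.0) as client:
        banner = client.recv(128)
        client.sendall(payload)
    return banner


if __name__ == "__main__":
    rec = DecoyRecorder()
    decoy_port, worker = serve_decoy(rec, max_connections=1)
    print("decoy listening on", decoy_port, "banner:", probe_decoy(decoy_port))
    worker.join(10)
    for a in rec.alerts:
        print(a)
    print(summarize(rec))
```

The alert carries only what a SOC needs to act (when, who, which decoy, what was sent); the recorder is the place where a deployment would hand off to a SIEM or ticketing system.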
A question that I am often asked is whether using real operating systems creates additional work or maintenance for security administrators. I am glad to say that this is a myth, at least with Attivo Networks solutions. The operating systems and services are all maintained as part of the BOTsink software and can be updated automatically. It is worth noting that some of our customers intentionally delay updating to new operating systems or protocols because the older version becomes a more attractive unpatched lure.
There are few unequivocal truths in security strategy. Prevention alone is not a reliable strategy, and defense in depth gives you the best odds of detecting an intrusion before it becomes a destructive breach. With 12 new attack strains being created per minute in 2015, relying on monitoring for known attack patterns will be an exercise in futility. Last but not least, no matter how on top of things your security team may be, there will always be human behavior and human error. Knowing in real time when an incident occurs, and before an attacker can complete their mission, should be a critical component of every defense in depth strategy.