Security focus must move toward data analysis

Outmaneuvered by increasingly sophisticated adversaries, the security industry is intensifying its efforts to gain more visibility from data and behavioral analysis to combat cyberattacks.

With antivirus technology no longer effective, businesses and security vendors must now shift their focus to tools that operate on data and behavioral analysis.

With a security landscape today that is highly complex and sophisticated, organizations are struggling to figure out who's who and to provide information access only to the users who are supposed to have it. This is especially difficult when they are also fighting to keep the bad guys out.

According to RSA President Amit Yoran, most companies do not understand the sophistication and complexity of the threat environment today. Pointing to the recent spate of security breaches, including Ashley Madison's data leak, he added that the most advanced security tools were failing to stop malicious hackers from making off with millions of dollars as well as confidential information and trade secrets.

Speaking during his keynote Wednesday at RSA Asia-Pacific and Japan Conference in Singapore, Yoran noted: "Clearly, the adversaries are outmaneuvering and outgunning the security industry. Once inside the network environment, they can go undetected for months and, in some cases, years.

"The only way forward is to change our cybersecurity mindset," he said, stressing that any notion that prevention would keep networks safe would be misguided. "Firewalls, anti-malware tools are all nice to have, but if you believe this will keep sophisticated, focused adversaries out of your environment, you're asleep at the wheel. Prevention won't solve our problem."

Antivirus technology so yesteryear

Citing findings from the Verizon 2015 Data Breach Investigations Report, Yoran said less than 1 percent of advanced threat breaches were detected using SIEM (security information and event management) systems. This underscored the ineffectiveness of such tools.

He said the industry needed to stop selling perimeter protection as the primary line of defence, which he said was as outdated as selling postage stamps. While he added that such tools were not necessarily bad, they were limited in their ability to detect threats.

CounterTack President and CEO Neal Creighton concurred. Speaking to ZDNet on the sidelines of the conference, he explained that antivirus tools no longer worked effectively against advanced attacks. Because antivirus technology is signature-based, it needs to be aware of an attack before it can recognize and block it.

Network security vendors such as FireEye often point to the need to move away from signature-based detection, noting that organizations with updated antivirus signatures would still fall prey to APT attacks.

According to Creighton, organizations are starting to focus on improving their endpoint security protection, which needs to comprise behavioral analysis of both attackers and users. This also would provide context, for instance, by looking at what kind of files a potential attacker was browsing through.
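To make the contrast between the two approaches concrete, here is an added Python illustration; it is not code from the article, from CounterTack or from any vendor named here. A hash-based signature check catches only the exact sample it already knows, so a one-byte variant slips past, whereas a rule over the endpoint's own behavior (what a process read, and where it then connected) still flags it. Every sample, hash, path, address and event stream below is constructed for the example, and the scoring rules are illustrative rather than any product's.

```python
"""Signature lookup versus behaviour rule over endpoint events (added example).
All samples, hashes, paths, addresses and events are constructed."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# ---- Signature-based detection -------------------------------------------
# A signature set only contains what the vendor has already seen.
ORIGINAL_SAMPLE = b"DROPPER v1 payload"          # constructed "known" sample
VARIANT_SAMPLE = ORIGINAL_SAMPLE + b"\x00"       # same code, one byte appended
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Classic AV check: exact hash against a list of known-bad hashes."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


# ---- Behaviour-based detection -------------------------------------------
@dataclass(frozen=True)
class Event:
    process: str   # process name on the endpoint
    action: str    # "file_read" | "net_connect"
    target: str    # file path or host:port


SENSITIVE_MARKERS = ("contract", "secret", "payroll")  # constructed keywords
THRESHOLD = 5                                          # illustrative cut-off


def behavioural_score(events):
    """Score each process on what it browsed and where it then connected.
    Returns {process: (score, reasons)}; the rules are illustrative."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e.process].append(e)
    result = {}
    for proc, evs in by_proc.items():
        reads = [e.target for e in evs if e.action == "file_read"]
        sensitive = [p for p in reads
                     if any(m in p.lower() for m in SENSITIVE_MARKERS)]
        conns = [e.target for e in evs if e.action == "net_connect"]
        score, reasons = 0, []
        if len(reads) >= 20:
            score += 2
            reasons.append(f"read {len(reads)} files in one session")
        if sensitive:
            score += 2
            reasons.append(f"touched sensitive files: {sensitive[:2]}")
        if sensitive and conns:
            # Staging sensitive data and then talking outbound is the
            # combination that matters, not either signal on its own.
            score += 3
            reasons.append(f"sensitive reads followed by outbound to {conns}")
        result[proc] = (score, reasons)
    return result


def flagged_processes(events, threshold=THRESHOLD):
    """Processes whose behaviour score reaches the threshold."""
    return sorted(p for p, (s, _) in behavioural_score(events).items()
                  if s >= threshold)


# ---- Constructed event streams -------------------------------------------
# 1. The variant running on an endpoint: bulk reads of a share, then one
#    outbound connection (203.0.113.0/24 is a documentation range).
VARIANT_EVENTS = [
    Event("svc-updater.exe", "file_read",
          f"\\\\fileserver\\projects\\contract_{i}.docx") for i in range(25)
]
VARIANT_EVENTS.append(Event("svc-updater.exe", "net_connect", "203.0.113.10:443"))

# 2. A user's word processor: two reads, one connection to an internal server.
BENIGN_EVENTS = [
    Event("winword.exe", "file_read", "C:\\Users\\a.lee\\Documents\\notes.docx"),
    Event("winword.exe", "file_read", "C:\\Users\\a.lee\\Documents\\agenda.docx"),
    Event("winword.exe", "net_connect", "10.0.0.5:443"),
]

if __name__ == "__main__":
    print("signature hits original sample:", signature_match(ORIGINAL_SAMPLE))
    print("signature hits variant sample: ", signature_match(VARIANT_SAMPLE))
    print("behaviour flags (variant):", flagged_processes(VARIANT_EVENTS))
    print("behaviour flags (benign): ", flagged_processes(BENIGN_EVENTS))
```

The point of the combined rule (sensitive reads followed by an outbound connection) is the "context" Creighton mentions: either signal alone is common on a busy endpoint, so a detection that only counts file reads would drown an analyst in noise, while one that only watches connections would miss what was staged before they were made.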

CounterTack specializes in providing real-time endpoint detection and response technology, tapping big data to detect threat patterns and anticipate cyberattacks. Last month, it raised another US$15 million in funding from investors that included Singapore's EDBI, which is the corporate investment arm of the country's Economic Development Board.

CounterTack's Sentinel platform looks to enhance network visibility and context based on the behavior of endpoint devices, including laptops and mobile devices.

"It's about quick detection through behavioral analysis and being able to respond and remediate quickly," Creighton said, adding that the company worked closely with the likes of Splunk and HP's ArcSight to extract and analyze relevant data.

RSA's Yoran also underscored the need for "pervasive and true visibility" into the enterprise environment, spanning the endpoint, network, and cloud. This, he said, was necessary to detect advanced adversaries who were stealthy by nature and able to bypass traditional defensive measures.

"Many organizations operate with zero ability to detect adversaries and their techniques, so we need true visibility into our enterprise," he said. "What I'm describing is what SIEM should have been [able to provide]. We need to know which systems are communicating with which, and why, their frequencies, volumes, and the content itself. We need to know exactly what's going on. These are fundamental core requirements of modern security programs."
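The visibility Yoran describes (which systems talk to which, how often, and how much) is something a small flow summariser can show in miniature. The Python below is an added example, not from the article or from RSA: it aggregates flow records into communication pairs with counts and byte volumes, then reports pairs that are absent from a previously learned baseline or that move an unusual amount of data. The flow records, baseline and threshold are all constructed; a real deployment would learn the baseline over weeks of traffic, and the 10 MB cut-off is purely illustrative.

```python
"""Who talks to whom, how often, and how much: flow summary with a
baseline check (added example; all records and thresholds constructed)."""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes). Private and
# documentation address ranges only.
FLOWS = [
    ("10.0.1.20", "10.0.0.5", 445, 12_000),
    ("10.0.1.20", "10.0.0.5", 445, 9_500),
    ("10.0.1.21", "10.0.0.5", 445, 8_000),
    ("10.0.1.20", "10.0.0.53", 53, 120),
    ("10.0.1.21", "10.0.0.53", 53, 110),
    ("10.0.1.20", "203.0.113.10", 443, 48_000_000),  # large outbound transfer
    ("10.0.1.20", "203.0.113.10", 443, 51_000_000),
]

# Communication pairs seen before (constructed stand-in for a learned baseline).
BASELINE_PAIRS = {
    ("10.0.1.20", "10.0.0.5", 445),
    ("10.0.1.21", "10.0.0.5", 445),
    ("10.0.1.20", "10.0.0.53", 53),
    ("10.0.1.21", "10.0.0.53", 53),
}


def summarise(flows):
    """Aggregate per (src, dst, port): (flow count, total bytes)."""
    agg = defaultdict(lambda: [0, 0])
    for src, dst, port, nbytes in flows:
        agg[(src, dst, port)][0] += 1
        agg[(src, dst, port)][1] += nbytes
    return {key: tuple(v) for key, v in agg.items()}


def unusual_pairs(flows, baseline, volume_bytes=10_000_000):
    """Pairs not present in the baseline, or moving more than volume_bytes.
    Returns a sorted list of ((src, dst, port), [reasons])."""
    findings = []
    for key, (count, total) in sorted(summarise(flows).items()):
        reasons = []
        if key not in baseline:
            reasons.append("new communication pair")
        if total >= volume_bytes:
            reasons.append(f"{total / 1e6:.0f} MB over {count} flows")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    for key, (count, total) in sorted(summarise(FLOWS).items()):
        print(f"{key[0]} -> {key[1]}:{key[2]}  flows={count}  bytes={total}")
    for key, reasons in unusual_pairs(FLOWS, BASELINE_PAIRS):
        print("unusual:", key, "; ".join(reasons))
```

Frequency and volume are kept separately on purpose: a pair that is new but tiny (a first DNS lookup to a new resolver) and a pair that is known but suddenly moves gigabytes are different questions for an analyst, and the two reasons let them be triaged differently.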

Above all, he noted, organizations need to start believing that even advanced protection measures will fail.

Fellow keynote speaker Ken Allan, who is EY's global cybersecurity leader, echoed similar sentiments: "Accept that bad things will happen and prepare, and train, for them," he said. Noting that the CEO of a global energy company said it battled some 50,000 cyberattacks on a daily basis, Allan added that EY fought off the same number a day.

"Today's attackers are more organized, have significant funding, are patient, and sophisticated. They often gain access and build up an attack over several months," he explained. Citing the consulting firm's Global Information Security Survey, he said 56 percent of respondents revealed it was unlikely or highly unlikely that their organization would be able to detect a sophisticated attack. Between 35 percent and 45 percent said they had "still a lot to improve" across almost every cybersecurity process.

Allan further noted that even if they had the budget to invest in cybersecurity, organizations often did not know what to spend their money on. He urged the need for industry players and stakeholders to collaborate and start sharing information.

More collaboration within the industry is often called for, but seldom comes to fruition.

Asked what it would take to drive this, Creighton pointed to the need for a framework that would benefit all parties involved, including the public and private sectors. He acknowledged that there had been "a lot of talking and not a lot of action" with regard to making information sharing actionable.

He explained that the government sector was structured differently and tended to move slower than the private sector. This, though, was starting to improve as governments realized the need to keep pace--after all, they faced the same attackers and threats as the private organizations, he said.

"Yes, perhaps making information-sharing mandatory could help," Creighton said, in response to ZDNet's question. However, he noted, this should involve leading companies in the various sectors, such as the top banks and top vendors across the different security market segments. "If it's too broad, then there's just way too much information and it gets hard to deal with," he added.