ESG Solution Showcase
Enterprise Organizations Need to Prepare for Cyber-attack ‘Hunting’
Date: May 2015
Author: Jon Oltsik, Senior Principal Analyst
Abstract: Ask any cybersecurity professional and she’ll tell you that her job is getting increasingly difficult. Why? Most will point to a combination of the dangerous threat landscape, IT complexity, and their overwhelming workload. These issues are driving a major transition in enterprise security. Large organizations must move beyond a threat prevention mentality to become proactive cyber-attack “hunters” that constantly monitor their networks for signs of trouble. This shift to proactive hunting will require new technologies that collect, process, and analyze massive amounts of security data, offer intelligent security analytics for real-time incident detection, integrate threat intelligence to align suspicious internal activities with external threats, and provide analysts with the right data analytics features to query and manipulate data for historical investigations.
This ESG Solution Showcase was commissioned by Arbor Networks and is distributed under license from ESG. © 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Overview
All aspects of strong cybersecurity grow more difficult on an annual basis. For example, ESG research indicates that 79% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) believe that network security has become more difficult than it was two years ago.1 Similarly, 80% of enterprise security professionals believe that endpoint security management and operations is more difficult today than it was in the past.2
Why is cybersecurity becoming more problematic? Security professionals were asked this question with regard to network security and their responses demonstrate a consistent pattern (see Figure 1).3 Infosec difficulties seem to be a function of:
• The increasingly dangerous threat landscape. Thirty-eight percent of security professionals say that network security is getting harder due to an increase in sophisticated malware designed to circumvent traditional network security controls, while 32% point to an increase in targeted attacks. This data portrays the realities of the threat landscape: Cyber-adversaries (i.e., nation states, cybercriminals, hacktivists, etc.) are expanding and are more organized, specialized, and cooperative than in the past. As a result, hackers are better at attacking organizations with customized malware designed to avoid security controls while staying “under-the-radar” of security monitoring and analysis tools.
• Growing IT complexity. More than one-third (36%) of security professionals believe that network security is getting more difficult because of an increase in the number of overall devices with access to the network; 29% point to more mobile devices with access to the network; and 25% claim that network security challenges are related to more users with access to the network. This indicates a fundamental problem: While the threat landscape grows more dangerous, the attack surface continues to increase. Thus security professionals are forced to extend their defenses across growing numbers of users, systems, and network traffic on a continual basis. At the same time, many organizations lack the right security skills to keep up. In fact, recent ESG research indicates that 28% of IT professionals claim their organizations have a problematic shortage of cybersecurity skills.4
1 Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.
2 Source: ESG Research Report, The Endpoint Security Paradox, January 2015.
3 Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.
FIGURE 1. Why Network Security Is More Difficult Compared with Two Years Ago
In your opinion, which of the following factors have made network security management and operations more difficult? (Percent of respondents, N=313, three responses accepted)
An increase in sophisticated malware designed to circumvent traditional network security controls: 38%
An increase in the number of overall devices with access to the network: 36%
An increase in the number of targeted attacks that may circumvent traditional network security controls: 32%
An increase in the number of mobile devices accessing the network: 29%
An increase in the number of users with access to the network: 25%
An increase in malware volume: 25%
An increase in network traffic: 23%
An increase in the use of cloud computing services for corporate use: 21%
An increase in the “rogue” use of cloud computing services by employees and other users with legitimate access to the network: 17%
My organization’s IT security department is understaffed: 15%
My organization lacks the right level of cybersecurity knowledge and skills: 12%
Source: Enterprise Strategy Group, 2015.
Unfortunately, the imbalance between cyber-adversary offensive tactics, techniques, and procedures (TTPs) and typical defensive countermeasures carries severe ramifications. Previously conducted ESG research indicates that in 2013, 49% of enterprise organizations reported having experienced malware attacks that compromised IT systems over the previous two years.5 Of course, compromised systems can lead to expensive data breaches such as those that occurred at organizations such as Anthem, JPMorgan Chase, and Target.
4 Source: ESG Research Report, 2015 IT Spending Intentions Survey, February 2015.
Strong Cybersecurity Demands a ‘Hunter’ Mentality
Enterprise security has been rooted in security best practices like the SANS Critical Security Controls designed to harden the IT infrastructure and thus prevent cyber-adversaries from penetrating networks and/or compromising systems. While security controls will always remain a fundamental requirement, organizations must anticipate successful cyber-attacks that work around all security defenses.
When prevention fails, security teams depend upon the right processes and technologies for incident detection and response. Regrettably, many organizations have numerous weaknesses in this area as well (see Figure 2).6 For example:
• 29% of organizations report incident detection/response weaknesses with regard to performing forensic analysis to determine the root cause of a problem. This may be related to issues around security data collection and processes, skills deficiencies around security data analytics, or both. Regardless, forensic analysis shortcomings can extend the time necessary for security investigations, which could mean the difference between a benign security event and a damaging data breach.
• 28% of organizations report incident detection/response weaknesses with regard to using retrospective remediation to determine the scope of outbreaks, contain them, and remediate malware. In this case, “retrospective remediation” refers to the ability to review system/network behavior over extended timeframes to identify when problems originated and what subsequent actions were taken by compromised systems. A weakness in this area may result in incomplete remediation where the initial compromised system is reimaged but other phases of an attack continue unabated.
• 27% of organizations report incident detection/response weaknesses with regard to analyzing security intelligence to detect security incidents. In this case, SOC staff and security analysts struggle to align suspicious internal activities with intelligence about what’s happening “in the wild.” This problem could leave organizations vulnerable when they miss threat intelligence signals that may be used for triggering proactive risk remediation.
FIGURE 2. Incident Detection and Response Weaknesses
Please consider this list of incident detection/response tasks. Which three are your organization’s biggest areas of weakness (i.e., which are you worst at)? (Percent of respondents, N=315, three responses accepted)
Performing forensic analysis to determine the root cause of the problem: 29%
Using retrospective remediation to determine the scope of outbreaks, contain them and remediate malware: 28%
Analyzing security intelligence to detect security incidents: 27%
Determining which assets, if any, remain vulnerable to a similar type of attack: 26%
Altering security controls to prevent future similar types of malware attacks: 25%
Gathering the right data for accurate situational awareness: 25%
Understanding the impact and/or scope of a security incident: 20%
Taking action to minimize the impact of an attack: 13%
Source: Enterprise Strategy Group, 2015.
It’s likely that many organizations have weaknesses in several of these areas, creating a force multiplier effect. If the security team struggles with forensic investigations and analyzing threat intelligence, the cumulative impact can result in incident detection/response inefficiencies, increased risk, and data breaches.
5 Source: ESG Research Report, Advanced Malware Detection and Prevention Trends, September 2013.
6 Source: Ibid.
SIEM to the Rescue?
Many organizations use a security information and event management (SIEM) system for incident detection and response, but SIEM alone may not be sufficient for modern malware threats and sophisticated threat actors. This is because:
• SIEM is designed with data limitations. SIEM systems collect, filter, normalize, and correlate log events, typically from perimeter security and networking devices. While log data is useful for security investigations, modern security investigations leverage other data sources like network flow data, full-packet capture, and threat intelligence feeds. Furthermore, security investigations often need access to security data in its original format—especially for historical investigations spanning lengthy timeframes.
• SIEM is based upon correlation rules rather than asymmetric security investigations. SIEM can process events and generate alerts based upon preconfigured rules. This may be helpful for basic attack detection, but security investigations start with alerts and then quickly proceed into asymmetric queries that pivot across a multitude of heterogeneous data. In emergency situations, security analysts need to be able to execute complex queries quickly. Unfortunately, many SIEM platforms were not designed for interactive decision support queries and may take minutes or hours to churn through multiple data sets to deliver any results. This lag time is simply unacceptable.
• SIEM can be difficult to use. SIEM platforms tend to need constant care and feeding, custom coding, and even expensive professional services. This adds time and cost to SIEM provisioning and operations.
New Requirements and Best Practices for Incident Detection and Response
In spite of their inherent weaknesses, SIEM platforms can still be part of a holistic security analytics solution for incident detection and response. To supplement SIEM, security analysts also need purpose-built “hunting” tools that:
• Are instrumented for rapid threat detection. Analytics must be designed to baseline trends and provide machine learning algorithms and looping functions to quickly spot any anomalies. Superior security analytics systems will also include strong visual analytics to help the security team accelerate security analysis and investigations.
• Collect and process various types of data. Organizations need to collect, process, and analyze a myriad of internal and external security data sources including host logs, network flows, full IP packet capture (PCAP), and threat intelligence feeds. The SIEM perimeter security focus should be supplemented with internal data including host-based activities, full-packet capture data, and threat intelligence feeds. Raw security data should also be enriched based upon things like the value of an IT asset or the presence of multiple concurrent anomalies. Finally, security data must be universally accessible so that analysts can pivot across data sets, connect individual activities into attack patterns, and quickly determine the root cause of a security incident.
• Include built-in security intelligence. Hunting tools should be instrumented with canned algorithms like machine learning for threat detection, risk scoring, and prioritizing response activities. For example, some hunting platforms provide campaign intelligence, which monitors internal activities and compares them with the indications of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with specific cyber-attack patterns. This capability could be especially useful for detecting and responding to industry-specific attacks such as the memory-scraping malware used to steal credit card numbers at Target. Armed with campaign intelligence, hunting platforms can monitor POS system behavior, look for specific IoCs/TTPs, and use campaign intelligence to detect and respond to attacks before a data breach occurs.
• Feature ease of use. Hunting tools must go beyond powerful analytics capabilities by offering cradle-to-grave ease of use. This means that hunting tools must be easy to install while delivering value as soon as they gather a complete view of the network. Hunting tools must also work well out of the box, without requiring months of custom coding. Most importantly, security analysts should be able to take advantage of security analytics and hunting tools immediately, without lengthy training classes.
Enter Arbor Networks
Security analysts tend to rely on a potpourri of tools like SIEM, open source tools, and Excel pivot tables for security investigations. However, given today’s threat landscape, individual tools and each analyst’s personal methodology are no longer enough. To address modern threats, security analysts really need purpose-built hunting tools offering rapid threat detection, the collection and processing of various data types, built-in security intelligence, and ease of use.
Arbor Networks offers a security analytics system that aligns well with the requirements outlined. Arbor Networks Security Analytics is really built to help security analysts find and confirm targeted attacks quickly by offering:
• Real-time attack detection. Arbor Networks provides the infrastructure and baked-in security analytics to capture data and monitor security in real time. This is especially important for protecting critical business systems and sensitive data.
• Comprehensive analysis for historical investigations. Arbor’s security analytics system is designed on top of full-packet capture for collecting, processing, and storing network traffic. This gives analysts the ability to pivot across disparate data and create an attack timeline to piece together each phase of an attack from the initial compromise, through lateral movement, and so on.
• Visualization and a useful UI. Arbor designed its system with security analyst tasks and workflow in mind. To that end, Arbor Networks Security Analytics enables analysts to zoom in on single events and pivot from event to event to get a real-time view of attack trends. The SOC team can also use Arbor’s accessible packet decoding to better understand the tactics, techniques, and procedures (TTPs) of attacks and cyber-adversaries.
• High fidelity ATLAS intelligence. ATLAS is Arbor’s crown jewels of real-time global attack intelligence gathered from the Arbor network provider and enterprise base around the world. With this vantage point, Arbor actually sees more than one-third of all Internet traffic and then refines raw Internet packets into unique indicators of attack and TTPs. These intelligence feeds are integrated with security analytics to correlate detailed information on hosts and connections with attack patterns for fast confirmation and containment of threats.
• User-defined, custom intelligence. Arbor allows users to add their own custom intelligence or define specific rule sets for organizational or industry context. This can help them fine-tune their hunting abilities.
• Looping. Arbor can store data for a period of time for historical investigations for retrospective intelligence. When new threat intelligence indicates a dormant attack that may have been previously classified as benign, Arbor can be used to compare new threat intelligence with historical data to help security analysts uncover stealthy hacking patterns as well as “low-and-slow” attacks.
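The “looping” capability just described and the “retrospective remediation” weakness discussed earlier both come down to the same operation: replaying indicators that arrived today over connection history recorded before anyone knew to look for them, then following what the affected hosts did afterwards. The Python below is an added illustration of that operation, not Arbor Networks’ or ESG’s code; the connection records, the indicator list and the “10.” internal address prefix are all constructed for the example.

```python
"""Retrospective hunt: replay newly received indicators over stored history.

Added example, not Arbor Networks' or ESG's code. The connection records and
the indicator list are constructed; a real store would be flow or PCAP data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: str      # "YYYY-MM-DD HH:MM"; sorts chronologically as text
    src: str
    dst: str
    dport: int
    domain: str = ""  # resolved name, if the store kept one


# Constructed history: 10.0.0.21 beacons to an address that only becomes a known
# indicator later, and reaches an internal file server in between the beacons.
HISTORY = [
    Conn("2015-03-01 12:00", "10.0.0.33", "198.51.100.9", 80, "news.example"),
    Conn("2015-03-02 09:00", "10.0.0.40", "10.0.0.10", 53),
    Conn("2015-03-02 09:15", "10.0.0.21", "203.0.113.7", 443, "update-check.example"),
    Conn("2015-03-02 09:40", "10.0.0.21", "10.0.0.40", 445),
    Conn("2015-03-05 22:10", "10.0.0.21", "203.0.113.7", 443),
    Conn("2015-03-06 08:05", "10.0.0.40", "10.0.0.55", 3389),
]

# Constructed indicators that arrived after all of the traffic above was recorded.
NEW_INTEL = {"ips": {"203.0.113.7"}, "domains": {"update-check.example"}}


def matches(c: Conn, intel: dict) -> bool:
    return c.dst in intel["ips"] or c.domain in intel["domains"]


def retrospective_hunt(history, intel):
    """For each host that ever contacted an indicator: first contact and hit count."""
    hits = defaultdict(list)
    for c in sorted(history, key=lambda c: c.ts):
        if matches(c, intel):
            hits[c.src].append(c.ts)
    return {h: {"first_seen": ts[0], "hit_count": len(ts)} for h, ts in hits.items()}


def scope_outbreak(history, intel, internal_prefix="10."):
    """Follow internal connections made *after* each host's compromise time.

    Returns {host: time it was first reached}. The assumed prefix "10." marks
    internal addresses; a host contacted before its peer was compromised
    (10.0.0.10 here) is not pulled into scope.
    """
    compromised = {h: f["first_seen"] for h, f in retrospective_hunt(history, intel).items()}
    ordered = sorted(history, key=lambda c: c.ts)
    queue = list(compromised)
    while queue:
        host = queue.pop(0)
        since = compromised[host]
        for c in ordered:
            if c.src != host or c.ts <= since or not c.dst.startswith(internal_prefix):
                continue
            if c.dst not in compromised or c.ts < compromised[c.dst]:
                compromised[c.dst] = c.ts  # earliest time this host was reached
                queue.append(c.dst)
    return dict(sorted(compromised.items(), key=lambda kv: kv[1]))
```

Reimaging only 10.0.0.21 would leave 10.0.0.40 and 10.0.0.55 untouched, which is exactly the incomplete remediation the text warns about; the scope function surfaces them from the stored history.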
Aside from its functionality, Arbor Networks can be deployed quickly on-premises or in the cloud and start monitoring the network soon afterward—in less than two hours in some cases. Arbor Networks is also designed for visual analytics with an interface that can help experienced analysts streamline investigations while making junior security staff more productive.
Arbor Networks Security Analytics is not exactly a household infosec brand, but Arbor Networks has a strong cybersecurity reputation as an industry leader for DDoS prevention and remediation. Based upon its information security reputation and its Arbor Networks Security Analytics, CISOs would be wise to reach out to Arbor Networks and assess how its “hunting” tool aligns with their organization’s security requirements.
The Bigger Truth
CISOs face unprecedented challenges. Even if they successfully harden the network, implement strong security controls, and continuously follow security best practices, their organizations will still suffer a security breach sooner or later. This reality is forcing a philosophical change with security teams transitioning from passive emergency responders to proactive cybersecurity attack hunters.
Of course, this change isn’t easy. Security analysts are in short supply so it is difficult to recruit and hire new staff members. Furthermore, existing security analysts are often overworked as they plough through dozens of active investigations using open source tools, SIEM, spreadsheets, and gumshoe-like manual processes. While these efforts are heroic, they are also inefficient.
The facts are clear: Organizations need purpose-built “hunting” tools that can help the SOC team work smarter, not harder. These tools must collect, process, and analyze massive amounts of security data. They must include intelligent algorithms that help the security team detect anomalies and pinpoint problems. They must maintain data sets that let the SOC team review attacks over extended timeframes. Finally, “hunting” tools must be designed for ease of use with rapid deployment for near-term time to value and visual analytics to aid in security analyst cognition.
While there are many security offerings in this area, CISOs should cast a wide net and take ample time for due diligence including researching technologies and putting all potential “hunting” tools through a proof-of-concept phase. It’s important to have experienced security analysts involved in this process so they can assess the usability of each tool and decide whether each “hunting” tool can make them—and the entire security organization—more productive, efficient, and effective.
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
www.esg-global.com contact@esg-global.com P. 508.482.0188
Enterprise Strategy Group is an integrated IT research, analysis, and strategy firm that is world renowned for providing actionable insight and intelligence to the global IT community.