Everyone is curious about your IT systems. They are being probed, prodded and profiled by people on the Internet all the time, which creates lots of traffic. Many of these events metastasize into incidents that may generate concern, and cause an alert. There can be hundreds or thousands of them each day, and your team’s resources are finite. How can you decide which ones are worth worrying about?
15 years ago, security professionals wanted to see as many alerts as they could, argued Ajay Sood, general manager for FireEye Canada and a SecTor speaker. Things have changed since then, he has suggested.
“We were getting more alerts, and products were almost judged by the number of alerts that they would generate,” he said.
Today, it’s more difficult than ever to find the needle in the cybersecurity haystack, argued Sood. “Today you may have those more precious alerts happening that are blended into 10,000 other alerts. People are having a very difficult time trying to assess that.”
If anyone knows about missed warnings, it’s FireEye. In March 2014, a large US retailer confirmed in the press that it had chosen to ignore warnings that came from FireEye’s systems.
“They had FireEye technologies in their environment six months before they got breached and they were all screaming at the ocean about what was going on but the reality is that they didn’t have the response capability to triage those alerts,” he said.
“It was a tree lost in the forest,” he said, adding that situations like these are nothing special. Most firms only have the capability to investigate a hundred events each day, yet they are seeing far more than that on their network.
“What they were able to do subsequently to the breach was build a protocol by which they could differentiate an advanced attack from a commodity attack,” he said.
Companies must draw on multiple data sources to identify the most serious threats, he asserts, adding that log events are just one part of the puzzle. He points to ‘tools, tactics and procedures’ (TTP) as key pieces of information to help deduce a random drive-by attack from a concerted effort to steal targeted data.
Independently, incidents on three disparate lines in your logs might not mean much, he said. But if those three are attributed to a specific cybercrime unit in the People’s Liberation Army that is already well-understood, then you can be forewarned. “Then you know their tools, techniques and practice. You know what and who you’re up against and the the particular types of data that these people broker.”
FireEye is trying to sell us its threat intelligence service here, which like many such systems monitors different types of adversary groups and how they work. This, fed into an analytics engine with log data, will identify and score particular chains of events and hopefully foreground the ones you should be most worried about. It will also scoop up behavioural information from inside the company to spot insider threats or the use of stolen credentials.
A probabilistic approach to security threats
What’s interesting here is the move away from deterministic threat spotting to a more probabilistic system of alerts. So much is happening on today’s networks, and adversary groups and attacks are evolving so quickly, that it can be difficult to use static sets of signatures to spot the most dangerous threats among the noise.
Sood believes that armed with this kind of data from specific attacks, he could then go into other companies in the same industry and run a historical analysis on their logs to see if any red flags come up, thus identifying attackers who may well still be lurking in their networks.
This utopian view of security analytics relies on a few things to work. Companies must be mature enough to install this kind of system in the first place, outputting log data from their various systems comprehensively enough that FireEye’s systems can aggregate it.
The attackers must presumably keep doing what they’re doing. For now, that’s happening. Advanced Persistent Threats are typically not that advanced. Attackers use the same old tools to infiltrate companies because they work. But what if they start morphing their TTPs consistently and become more creative? How will the threat intelligence hold up then?
“Sometimes it doesn’t. We all have to assess the inevitability of failure,” Sood admits. “I am fully willing to admit that all the intelligence in the world, just like all the tools in the world you have at your disposal cannot hold up against a sponsored nation-state activity. What will differentiate your outcome is your response capability.”
Here’, he’s talking about your ability to react in an agile way to those attacks, activating your incident response team, quarantining the right machines, and containing and eradicating the threat. that will set you aside from the rest, he asserts.
Of course, that all assumes that you’re going to know you’ve been hit in the first place. If one thing seems clear from this new, probabilistic world, it’s that nothing is certain.