Amongst a maze of products and services, IT and security teams are trying to navigate their way through the cyber security marketplace. However, it is evident that most are wildly lost amongst the new buzzwords and mixed messaging. The result is that “safe” brands are being preferred, and traditional, better-understood approaches are re-adopted – despite their growing inadequacies.
What are businesses doing?
The efficacy of using compliance standards as a gauge of protection is increasingly being called into question, which helps to explain why the vast majority of organizations are spending more on security. Perimeter-based controls, such as firewalls, anti-virus and IDS/IPS have been highlighted as priority areas. However, the number of breaches is still increasing, with roughly 30% of organizations across various surveys saying that their perimeter security had been breached in the past 12 months. Indeed, the focus on perimeter security technologies may well be to blame for detection times falling far behind the swift timescales of attackers[1].
Why is this not working?
The security industry remains largely to blame – complexity remains the top barrier to more aggressive adoption of data security solutions. As a result, endpoint security ranks as the lowest perceived area of effectiveness at protecting sensitive data, while network-based technologies rank the highest. However, as seen in the MITRE ATT&CK Matrix[2], the vast majority of attacker TTPs occur on endpoints, with network-based activity coming far later (in many cases too late) in the kill chain. Further to this, attackers are increasingly adopting more modern TTPs – the use of unique malware families is growing, as is the use of sandbox-aware, in-memory, and kernel-based malware.
What should businesses be doing?
The focus needs to shift towards a solution that is capable of monitoring across modern attacker TTPs. This, by nature, primarily requires an advanced endpoint detection and response (EDR) solution, coupled with network and log analysis, in order to gain absolute visibility of malicious movement across your estate.
However, technology alone will only get you so far, as hackers are, by definition, professionals at finding flaws in technology. As a result, the tools mentioned above must be managed by a highly capable threat hunting team, able to proactively hunt for signs of compromise and investigate specific activity which may/may not be malicious. While threat hunting is still a maturing approach within the cyber security industry, a survey earlier in the year found that 91% of organizations that conducted threat hunting experienced improvements in speed and accuracy of response[3].
The blurry picture…
“Attackers are always evolving.” While this may be one of the most commonly used phrases in security, it is clear that businesses are struggling to adapt accordingly, albeit through very little fault of their own. Hopefully, this article provides a steer in the “right” direction, not into the labyrinthine muddle of perimeter security products, but towards the more modern cyber security solution – endpoint, network and log analysis with true threat hunting.
[1] Time from gaining a foothold to achieving objectives.
[2] MITRE ATT&CK Matrix
[3] The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey
Categories