In today’s world of cybersecurity, it often feels like the good guys are losing. New research by the Ponemon Institute shows that the average enterprise only has resources to investigate 4% of the security alerts it receives every week. The same research finds that more than one third of cyber exploits go undetected, successfully evading antivirus and intrusion-prevention systems.
The reality is that security practices can no longer wait for their endpoint-security tools to tell them something is wrong. Many are adopting a more aggressive approach to threat management, but this requires new tools and skills that challenge security teams already stretched thin. How are they doing? With the generous support of GoSecure, we asked 10 security experts the following question:
What advice, best practices, and cautions can you offer SOC leaders who want to upgrade their security capabilities to become more proactive?
We spoke to security experts in different cyber environments and at different stages in their use of active endpoint-security techniques. They talked about the inadequacy of traditional defenses and their experiences with new approaches—including predictive analytics and machine learning—and they discussed skills needed to apply these new technologies successfully. What I see in these essays, in addition to a lot of practical advice, is the emergence of a rich new generation of security tools and practices that may give security practitioners an upper hand.
Quick Response is the Key
In recognizing the failure of signature-based security to protect against many modern attacks, Hemanta Swain, senior director and information security officer at TiVO, focuses on two key elements in his security strategy:
- Protecting data—This involves managing access to data and protecting it wherever it resides. An important part of this is protecting any data that is located on an endpoint. “Encryption is key,” Swain says. “You have to encrypt data where you store it, when you access it, and when you are moving it. You have to encrypt communications, and you have to keep encryption on your endpoint for any data that may be stored locally.”
- Active security at the endpoint—This includes protecting endpoints with new EDR tools that monitor activity, monitor memory, and have whitelisting and blacklisting capabilities. This is especially important in hybrid environments where some critical resources are stored in the cloud. “In the cloud computing world, some key resources are moving to the cloud, and SaaS vendors become responsible for the security posture of that service. But when users access that data on their endpoint devices, those devices must be protected.”
Active Threat Management Requires New Tools and Skills
One of the most compelling reasons for adopting a more active approach to threat management is that attacks have become far too sophisticated for traditional “set and forget” perimeter and endpoint defense strategies. “Traditional antivirus, and to some degree firewalls, work using known parameters or signatures. They are not as effective against attacks that have never been seen before. Traditional antivirus solutions can’t react quickly enough against new variants or threats,” says Jason Kinder, director of corporate security at Leonardo DRS.
This does not mean it’s time to throw away the traditional antivirus solutions. “I wouldn’t tell anybody to dump their traditional antivirus software,” says Kinder. “It still plays an important role in the overall security architecture.” But threats that use multiple attack vectors and newly generated variants are specifically designed to bypass traditional defenses, which is why organizations need to engage in more aggressive threat-hunting strategies.
Doing this successfully requires adopting new tools and developing new skills within the security team. Tools need to be able to monitor and analyze what is happening on endpoints, including what applications are doing and how memory is being accessed. “Having the proper tools is important, because without the tools, you’re not going to have the visibility,” says Kinder, noting that visibility and analytical capability are key to earlier detection.
Endpoints Are Part of One Giant, Integrated System
To secure the collaborative IT environment that’s needed in a university setting, Joseph Smith, interim director of IT at the University of Maryland Eastern Shore, oversees a defense-in-depth strategy that includes traditional perimeter-type defenses, limits functionality at user endpoints, and performs behavior analytics across the system. “The objective is to observe, catch unusual behaviors as fast as possible, and perform threat analysis based on the possible that could occur,” says Smith. Given the unlimited time and resources available to determined attackers, Smith believes a proactive security strategy is the better approach against an enemy that has a built-in advantage.
The number of pervasive cyberthreats is growing larger with each passing week, which can leave SOC leaders and security professionals feeling overwhelmed. So what can these professionals do to feel more at ease in their security policies?
In this e-book, hear from 10 IT security experts, including directors and C-level executives, on active threat management and data protection, and learn how you can better predict, prevent and detect modern attacks at the endpoint.
Broaden the Analytical Skills within Your SOC
For Katrina Biscay, a director of information security and manager of incident response at the University of Cincinnati, a layered approach to security remains the best strategy in an increasingly dangerous cyber environment. “Unfortunately things like fileless malware and polymorphic malware are not new, but a lot of organizations have lacked preparedness,” she says. “Now it’s costing the organization, from ransomware and the fees and recovery costs associated with that, to reputation impact, and compliance fees and reporting guidelines which are much stricter now than they ever were before.”
- Many companies run behavior-analysis tools with out-of-the-box settings. You need to start out of the box, then you fine-tune it to your environment and your baseline.
- An established SOC has many of the necessary skills in place, but it needs to adjust its focus so that analysts understand not only what the malware is doing, but also its impact on the business.
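The first point above, tuning a behavior-analysis tool from its out-of-the-box settings to your own baseline, is easy to state and easy to get wrong. The following is an added illustration, not code from the e-book or from any of the experts quoted: it compares a generic fixed threshold with a per-host threshold learned from a week of baseline counts. The host names, the metric (PowerShell launches per day) and all counts are constructed sample data; the minimum standard deviation of 1.0 is an assumed floor so that a very quiet host does not produce a division by zero.

```python
import statistics
from typing import Dict, List, Set, Tuple

# Constructed baseline: daily PowerShell launch counts per host over seven quiet days.
# build-01 is a CI box that legitimately runs many scripts; hr-laptop-07 almost never does.
BASELINE: Dict[str, List[int]] = {
    "build-01": [45, 52, 48, 60, 55, 50, 47],
    "hr-laptop-07": [0, 1, 0, 0, 1, 0, 0],
}

# Constructed observation for "today": build-01 is within its normal range,
# hr-laptop-07 has jumped from ~0 to 12 launches.
TODAY: Dict[str, int] = {"build-01": 58, "hr-laptop-07": 12}

# Assumed floor for the standard deviation so that a host with a flat baseline
# still gets a usable (small) tolerance instead of a zero divisor.
MIN_STDEV = 1.0


def build_baseline(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Learn (mean, stdev) per host from its own history."""
    baseline = {}
    for host, counts in history.items():
        mean = statistics.mean(counts)
        stdev = statistics.stdev(counts) if len(counts) > 1 else 0.0
        baseline[host] = (mean, max(stdev, MIN_STDEV))
    return baseline


def flag_fixed(observations: Dict[str, int], threshold: int = 20) -> Set[str]:
    """'Out of the box' rule: one global threshold for every host."""
    return {host for host, count in observations.items() if count > threshold}


def flag_baselined(
    baseline: Dict[str, Tuple[float, float]],
    observations: Dict[str, int],
    z_limit: float = 3.0,
) -> Set[str]:
    """Tuned rule: flag a host only when it deviates from its own baseline."""
    flagged = set()
    for host, count in observations.items():
        if host not in baseline:
            # Unknown host: no baseline yet, fall back to the global rule.
            if count > 20:
                flagged.add(host)
            continue
        mean, stdev = baseline[host]
        z = (count - mean) / stdev
        if z > z_limit:
            flagged.add(host)
    return flagged


if __name__ == "__main__":
    # The fixed threshold alerts on the noisy-but-normal CI host every day
    # and misses the genuinely unusual HR laptop; the baselined rule inverts that.
    print("fixed threshold flags:   ", sorted(flag_fixed(TODAY)))
    print("baselined threshold flags:", sorted(flag_baselined(build_baseline(BASELINE), TODAY)))
```

The point of the comparison is the one Biscay makes: the generic setting is a starting point, and the value of the tool comes from calibrating it against what is normal for each host, department or role in your own environment, then re-checking the calibration as the baseline drifts.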
To read the full version, download the whitepaper:
10 Experts on Active Threat Management