[BreachExchange] How to use data forensics to secure enterprise networks

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 12 19:55:15 EST 2017


https://www.scmagazine.com/how-to-use-data-forensics-to-secure-enterprise-networks/article/710052/

The three key stages of the security lifecycle are prevention, detection
and remediation. Why state the obvious? Because something is seriously
skewed in how enterprises currently approach security and in particular,
security spending.

First there is prevention, which includes tools such as antivirus software
and firewalls to keep the enemy at the gates. Detection involves intrusion
recognition systems that identify an attack once it has breached the
network perimeters. Finally, there is remediation. This includes network
forensics that provide information about the “DNA” of an attack and
addresses any impact that an attack may have had on the network.

A losing battle

Unfortunately, many enterprises don't consider remediation an important
strategy in the battle against malware. That is reflected in enterprise
security budgets. According to industry analysts at Gartner, enterprises
spend just over $10 billion on prevention and detection and a little more
than $200 million on remediation. That works out to 50 times more spent on
prevention and detection than on remediation. Yet, despite this,
enterprises still feel they are losing the cybersecurity battle. Something
has got to change.

Often, security failures can be traced back to poor “housekeeping” in the
form of patching, exercising caution with suspicious emails, restricting
privileged user access and so on. However, with each new day malware gets
more complex, diverting further resources and making it harder for IT teams
to keep up. As the State of the Network 2017 survey revealed, 80 percent of
network teams are spending more time on security than ever before.

A big flaw with current prevention measures is that they target known
attack vectors. So, tomorrow's newest piece of malware, ransomware or
zero-day assault packed with new exploits could bypass the prevention and
detection systems of today and carry out a surprise, blistering attack on
the network.

It is time for data forensics

When an adversary is so shadowy, elusive and yet capable of devastating
attacks, organizations need a better approach. Studying the enemy in depth
is the first step. One approach that is proving very effective is looking
directly at the wire: packet data. Packets contain information that even a
cybercriminal cannot manipulate. Enterprises can conduct analytics of the
packets going over the network to examine the forensics. Think of this as
examining malware with a tamper-proof surveillance or CCTV camera. The
bottom line is: packets never lie and are even admissible in court as
evidence.

This approach places more emphasis on the remediation aspect of the
security lifecycle. Network forensics from packets can reveal incredible
detail about malware. Network forensics enable enterprises to answer the
who, what, where and when of an attack. Used consistently, rather than
after the event, organizations not only get a bird's eye view of the threat
landscape, but packets allow security teams to troubleshoot, isolate and
identify problems affecting the network - faster. Packets reveal
propagation mechanisms, attack vectors, and type of breach, as well as
showing the exfiltration path of stolen data even when it is encrypted.

By revealing the adversaries' modus operandi, packet forensics arms
security teams with vital intel to prevent attacks. Here are the top five
ways enterprises can use the information gleaned from packets:

1. Trace the attack: Organizations using packet analysis can trace the
attack back to the first infected computer. Examine how it was compromised
and work from there to gather intelligence to trace the malware. Security
teams can stop it in its tracks if, for instance, they are able to fortify
firewalls and strengthen endpoint security.

2. Establish parameters: With the intelligence from packets, security
teams can get notifications when SMB and other protocols carry instructions
to delete large quantities of files. This would have been extremely useful
with WannaCry and Petya/NotPetya, which used SMB/Samba (version 1).

3. Do you know your normal: Once enterprises are aware of what
constitutes "normal" traffic on their network, they can identify abnormal
behavior. The more you know about the network, the more you can be
protected, proactive and prepared.

4. Know thy enemy: With packet analysis, security teams can
retrospectively analyze the data from the time of an incident to track the
breach, and then search and destroy the malware faster.

5. Survive the data surge: Despite the dizzying quantity of data, with
the help of appliances applying automated intelligence, security teams can
capture and store up to a petabyte and quickly identify the exact moment a
problem occurred to troubleshoot.
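The first three items above (trace back to the first infected host, alert on bursts of SMB delete instructions, compare against a known-good baseline) can be illustrated with a small detector run over packet metadata. The following is an added example written for this post; it is not code from the article or from any product it describes. It assumes that a capture tool has already decoded each packet into a metadata record (timestamp, source, destination, protocol, SMB command, and whether an SMB2 SET_INFO request carried the FileDispositionInformation delete flag), and the records themselves are constructed sample data, not a real capture.

```python
"""Toy packet-metadata forensics (added example, constructed data).

Assumption: packets have been decoded into Pkt records by a capture tool.
The `delete` field marks an SMB2 SET_INFO request whose
FileDispositionInformation sets the delete flag (delete-on-close).
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float       # seconds since capture start
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    proto: str      # "SMB1", "SMB2", "DNS", ...
    cmd: str        # SMB command name ("" for non-SMB traffic)
    delete: bool    # True for an SMB2 SET_INFO carrying a delete disposition


# Constructed "normal day" traffic used as the baseline (item 3).
BASELINE = [
    Pkt(0.0, "10.0.0.7", "10.0.0.53", "DNS", "", False),
    Pkt(1.0, "10.0.0.7", "10.0.0.50", "SMB2", "CREATE", False),
    Pkt(2.0, "10.0.0.12", "10.0.0.50", "SMB2", "READ", False),
]

# Constructed incident: 10.0.0.7 mass-deletes on the file server 10.0.0.50,
# reaches 10.0.0.12 over SMB1, which repeats the pattern and reaches 10.0.0.33.
SAMPLE = (
    [Pkt(0.0, "10.0.0.7", "10.0.0.50", "SMB2", "CREATE", False)]
    + [Pkt(0.5 * i, "10.0.0.7", "10.0.0.50", "SMB2", "SET_INFO", True) for i in range(1, 7)]
    + [Pkt(5.0, "10.0.0.7", "10.0.0.12", "SMB1", "NEGOTIATE", False)]
    + [Pkt(6.0 + 0.5 * i, "10.0.0.12", "10.0.0.50", "SMB2", "SET_INFO", True) for i in range(5)]
    + [Pkt(8.5, "10.0.0.12", "10.0.0.33", "SMB1", "NEGOTIATE", False),
       Pkt(9.0, "10.0.0.33", "10.0.0.50", "SMB2", "SET_INFO", True)]
)


def delete_bursts(pkts, window=10.0, threshold=5):
    """Item 2: map each host to the time it first issued `threshold` SMB
    delete instructions within a sliding `window` of seconds."""
    alerts = {}
    recent = defaultdict(deque)          # src -> timestamps of recent deletes
    for p in sorted(pkts, key=lambda p: p.ts):
        if not p.delete:
            continue
        q = recent[p.src]
        q.append(p.ts)
        while q and p.ts - q[0] > window:  # drop deletes outside the window
            q.popleft()
        if len(q) >= threshold and p.src not in alerts:
            alerts[p.src] = p.ts
    return alerts


def baseline_deviations(baseline, pkts):
    """Item 3: (src, dst, proto) triples seen in `pkts` but never in the baseline."""
    normal = {(p.src, p.dst, p.proto) for p in baseline}
    return sorted({(p.src, p.dst, p.proto) for p in pkts} - normal)


def trace_origin(pkts, suspect, lateral_proto="SMB1"):
    """Item 1: follow the earliest inbound lateral-movement connection from
    `suspect` backwards until a host with no inbound connection is reached.
    Returns the chain with the presumed first infected host first."""
    inbound = defaultdict(list)          # dst -> [(ts, src)] for lateral traffic
    for p in pkts:
        if p.proto == lateral_proto and p.cmd == "NEGOTIATE":
            inbound[p.dst].append((p.ts, p.src))
    chain, seen, current = [suspect], {suspect}, suspect
    while inbound.get(current):
        _, src = min(inbound[current])   # earliest connection into this host
        if src in seen:                  # guard against cycles in the data
            break
        chain.append(src)
        seen.add(src)
        current = src
    return list(reversed(chain))


if __name__ == "__main__":
    for host, ts in delete_bursts(SAMPLE).items():
        print(f"delete burst from {host} at t={ts}s")
    for triple in baseline_deviations(BASELINE, SAMPLE):
        print("not in baseline:", triple)
    print("infection chain:", " -> ".join(trace_origin(SAMPLE, "10.0.0.33")))
```

Run as a script, it reports the two hosts that crossed the delete threshold, the three source/destination/protocol combinations the baseline never contained (both SMB1 connections among them), and the chain 10.0.0.7 -> 10.0.0.12 -> 10.0.0.33, pointing the analyst at 10.0.0.7 as the place to examine first. The baseline comparison deliberately uses a flat set of triples: on a real network the baseline would be built over a longer window and the window and threshold in `delete_bursts` tuned to the share's normal churn, otherwise routine cleanup jobs will trip it.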

All too often, the remediation aspect of the security lifecycle is
under-utilized and overlooked. It is clear that network teams are
struggling to keep up with the onslaught from malware attacks and it is
certainly not for a lack of trying. The base level activities that protect
networks and enable damage limitation are all needed, like applying
patches, restricting the admin rights granted to access directories,
running back-ups and strengthening endpoint defenses.

It is also clear that the current focus on prevention and detection alone
points to an overall strategy that is failing miserably. Cybercriminals
regularly evade these measures and in response IT teams need to up their
game. Better intelligence would help them respond to attacks faster.
Remediation, especially in the form of packet analysis, is the most
effective way to guarantee tamper-proof intelligence that goes right to the
heart of the crime scene.

Are you ready for battle?