[BreachExchange] Can the Data Centre be Defended from a Data Breach?

[Audrey McNeil]

http://www.cbronline.com/news/data-centre/it-information-
technology/can-data-centre-defended-data-breach/

If headlines fully reflect reality, the odds are rather poor that a data
centre can be fully protected from a data breach. A study from Lloyd’s
shows that over 90% of European companies have suffered a data breach at
some point over the past five years. Even at the broadly focused World
Economic Forum held early this year, cybercrime was regarded as one of the
greatest threats to business around the world. In addition, according to a
survey conducted at the recent IP Expo Europe, 89% of UK IT decision-makers
worry about being a victim of a data breach.

Consider that the industry average for the length of time it takes an
organisation to uncover a data breach is still roughly five months. That
means that an internal or external attacker can work in complete stealth,
methodically learning about the resources and assets available through an
organisation’s network and then stealing or damaging them. Five months
gives an attacker a generous amount of time—perhaps an extraordinary amount
of time—to go about their business with a very high level of success. It is
also reflective of the utter failure of traditional security in thwarting a
breach.

The truth is that few data centres are protected from a data breach. Most
companies will not be able to detect an attacker’s initial intrusion, and
fewer still will be able to catch an attacker at work once he or she has
gained a foothold in the network.

Why are the odds of being able to protect a data centre so poor? There are
a number of important factors. First of all, the reality is that a
motivated attacker will be able to get into any given network. There are
far too many ways for an attacker to get in, particularly by way of
compromising a user’s computer or account. Getting in is a certainty, and
this is a hard notion for security professionals to accept. Gartner and
most crime-fighting organisations around the world agree on this point:
attackers will get in.

Most of the attempts of breaking into a network can be successfully
defended—perhaps upwards of 95 or even 99 percent—but that leaves open the
possibility that a dedicated attacker will find a way in through the
balance. Attackers can have a nearly unlimited number of attempts of
breaking in. One of them will succeed, whether it is from social
engineering, guessing or brute forcing a password or through malware loaded
onto a computer through a drive-by mechanism on a reputable website.

If a security team can accept that an attacker will get in, they need to
accept that the challenge shifts to one of detecting an active attacker as
quickly as possible. Herein lies another major issue. Few companies today
have the capability to detect an active attacker on their network or in
their data centre. This is why the average discovery time is so long. The
reason for this lapse is multifold. First, companies are likely looking for
the wrong thing. Once an attacker lands in a network, they will use various
networking and administrative tools and routines to conduct reconnaissance
and lateral movement. They will rarely use malware. Yet most security
systems are primarily focused on malware, and they will miss the two types
of activities that require the most amount of time and steps for the
attacker to reach a goal.

Other security systems may have the capability of finding elements of an
attacker activity, but these signals will almost certainly be buried under
a flood of security alerts that are dominated by a high percentage of false
positives. The probability that a security professional will find a
meaningful alert is mostly a matter of sheer chance. It’s the classic
“needle in the haystack” problem.

It is not uncommon for organisations to receive five hundred or a thousand
daily security alerts, sometimes quite a bit more. The vast majority of
these will be useless. This could be considered an issue of ‘noise’, but
there is another parallel issue. The other problem is the ability to see
multiple events that, alone, are not suspect, but seen together can uncover
carefully orchestrated steps being used by an active attacker. Another
problem is one of sorting out the legitimate use of an application or
activity from one that is malicious. For instance, the use of remote access
tools may play an important role in the company, but these could also be
utilised by an attacker.

Solving these issues requires a major shift in the way we do security.
Traditional security is based on experiencing a threat and then developing
a way to identify and stop it. This approach simply does not work when it
comes to a human-led attack. A new approach eschews the reactive technical
artefact approach of the past. Instead, by profiling users and devices on a
network and establishing a baseline of known good or normal, it is possible
to see the anomalous operational behaviour of an attacker. By knowing how
users and devices normally behave, attacker activities can stand out.

With traditional security, a data centre is always vulnerable to an attack.
By taking a new behavioural-based approach, attackers can be caught early
before they can achieve their end goal—finding and stealing or destroying
valuable data in the data centre.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161017/4d0e8c68/attachment.html>