Advanced Persistent Threats, Zero-day Attacks, and Business Resilience

Last week I was privileged to hear Robert Lentz, Former Deputy Assistant Secretary of Defense, Cyber Security, and CISO for the US Department of Defense, speak on Advanced Persistent Threats and Zero-day Attacks: From Static to Dynamic Defense at the CISO Summit in Atlanta.  He has played a role on the front lines of cyber warfare and had some very interesting points to make about where things are going, both in the types of attacks being seen and in future trends.

Here are a few of the highlights:

  • He points to a trend of increasing sophistication in malware.  Aurora capitalized on one zero-day vulnerability; Stuxnet used seven.
  • The cost of committing cybercrime continues to go down: it is easier and it is lucrative.  Cyber espionage is also on the rise, with sophisticated enterprises as the target and malware as the weapon.
  • Security and risk management must become part of the corporate culture, especially for companies that have a direct impact on our daily lives.  The definition of critical infrastructure needs to expand beyond the energy sector to banking and transportation.

Mr. Lentz goes on to identify the types of threats, businesses' ability to react, and current trends.  To illustrate, I've attempted to re-create a chart used in his presentation.

Here's his description of the business maturity benchmarks represented by the letters A through E, and where businesses will eventually end up.

  A. Reactive – manual processes for detection and remediation – simply putting out fires.
  B. Tools-based approach – Anti-Virus / Endpoint Protection / rules-based detection.
  C. Integrated picture – situational awareness – looks across application data and security data together.
  D. Dynamic Defense – automatically illuminating malware events – the focus moves from conventional threats to APTs.
  E. Resilient Enterprise – can withstand an attack – a preventive and predictive approach.

How do we keep up in an environment where attacks are getting cheaper, faster and smarter?  Lentz offers cloud-based security as a trend that may help us get to D and E.  Companies may look to place key services into the cloud, reducing risk by reducing the attack surface they operate themselves.  Personally, I also see virtual desktops as another way to do the same thing.  Custom applications need to be stress-tested for resilience in the QA cycle.  Companies need to implement robust identity and access management, enable encryption wherever practical, and map and prioritize company assets around key services.  As an example, this can mean prioritizing the delivery of the service itself over keeping the billing system up and running.  This is really a critical business infrastructure approach: ask what the single most essential thing we do for our customers is, then prioritize and protect that service first in order to protect the business.

Splunk, with its ability to import data from third-party sources, support threshold-based alerting against a profile of usual activity, and provide operational intelligence, is a key ingredient that helps our customers move further along Mr. Lentz's maturity levels.
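To make the "profile of usual activity" idea concrete, here is an added example in Python (it is not Splunk code and not from Mr. Lentz's talk). It reads constructed log lines from two sources, an authentication log and an application log, builds a per-host hourly baseline (mean and standard deviation of security-relevant events) over a 24-hour period, and then flags hosts whose count in a new window exceeds the baseline by a chosen number of standard deviations. The log format, host names and the `k`/`min_count` thresholds are assumptions made for the example; the last function shows the "integrated picture" of level C by reporting hosts that are anomalous in both the application data and the security data.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log formats (made up for this example, not a real product's format):
#   "<hour> auth host=<h> user=<u> result=fail|ok"
#   "<hour> app  host=<h> path=<p> status=<http code>"
LINE_RE = re.compile(r"^(?P<hour>\d+) (?P<src>auth|app)\s+(?P<kv>.*)$")


def parse(line):
    """Return (hour, source, fields) for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return int(m.group("hour")), m.group("src"), fields


def is_security_event(src, fields):
    """Only failed logins and HTTP 5xx responses count toward the profile."""
    if src == "auth":
        return fields.get("result") == "fail"
    return fields.get("status", "").startswith("5")


def hourly_counts(lines):
    """-> {(source, host): {hour: count}} over security-relevant events only."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse(line)
        if parsed is None:          # skip lines that do not match the format
            continue
        hour, src, fields = parsed
        if is_security_event(src, fields):
            counts[(src, fields["host"])][hour] += 1
    return counts


def build_profile(baseline_lines, hours):
    """Per (source, host): (mean, stdev) of hourly counts over the baseline hours.
    Hours with no events are counted as zero; leaving them out would make a
    quiet host look permanently busy and hide a real spike."""
    profile = {}
    for key, per_hour in hourly_counts(baseline_lines).items():
        series = [per_hour.get(h, 0) for h in hours]
        profile[key] = (mean(series), pstdev(series))
    return profile


def find_alerts(profile, window_lines, k=3.0, min_count=5):
    """Alert when the window count exceeds mean + k*stdev for that (source, host).
    min_count keeps a flat baseline (stdev 0, or no baseline at all) from
    alerting on one or two events."""
    alerts = []
    for key, per_hour in hourly_counts(window_lines).items():
        observed = sum(per_hour.values())
        mu, sigma = profile.get(key, (0.0, 0.0))
        threshold = mu + k * sigma
        if observed > threshold and observed >= min_count:
            alerts.append({"source": key[0], "host": key[1],
                           "observed": observed, "threshold": round(threshold, 2)})
    return sorted(alerts, key=lambda a: (a["host"], a["source"]))


def correlate(alerts):
    """Integrated picture: hosts anomalous in both application and security data."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["source"])
    return sorted(h for h, srcs in by_host.items() if {"auth", "app"} <= srcs)


def make_baseline():
    """Constructed 24-hour baseline: web1 has 2-4 failed logins and one 5xx per
    hour, web2 has one failed login per hour and no errors."""
    lines = []
    for h in range(24):
        lines += [f"{h} auth host=web1 user=u{i} result=fail" for i in range(2 + h % 3)]
        lines += [f"{h} auth host=web1 user=admin result=ok",
                  f"{h} app  host=web1 path=/api status=500",
                  f"{h} auth host=web2 user=svc result=fail",
                  f"{h} app  host=web2 path=/ status=200"]
    return lines


BASELINE = make_baseline()
# Constructed observation window (hour 24): web1 spikes in both sources,
# web2 rises slightly, plus one unparseable line.
WINDOW = ([f"24 auth host=web1 user=u{i} result=fail" for i in range(12)]
          + ["24 app  host=web1 path=/login status=502"] * 6
          + ["24 auth host=web2 user=svc result=fail"] * 2
          + ["24 app  host=web2 path=/ status=503"] * 3
          + ["24 app  host=web2 path=/ status=200", "garbage line that does not parse"])


def run_example():
    """Build the profile from BASELINE, alert on WINDOW, and correlate the alerts."""
    alerts = find_alerts(build_profile(BASELINE, range(24)), WINDOW)
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, hosts = run_example()
    for a in alerts:
        print(a)
    print("anomalous in both sources:", hosts)
```

Running it flags web1 in both sources (12 failed logins against a threshold of about 5.45, six 5xx responses against a threshold of 1) and leaves web2 alone: its two failed logins exceed a flat baseline of one per hour, but fall under `min_count`, which is exactly the case where a naive threshold rule floods the on-call queue.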
