We’re closing out the second week of National Cyber Security Awareness Month (NCSAM) and despite the name, NCSAM is more than just a one-month promotional campaign. It’s important to view cybersecurity awareness and action as a permanent mindset that continues to evolve as the threat landscape evolves.
Consider our heavy reliance on the internet, confirmed by a court ruling last year declaring the internet a public necessity on par with electricity and phone service. Such reliance cements the need for everyone—not just cybersecurity teams—to help take on the great responsibility to protect our digital lives and our ability to conduct business securely.
The Department of Homeland Security (DHS) designed NCSAM to engage and educate the public and private sectors alike: to raise awareness of the importance of cybersecurity, to provide the tools and resources needed to stay safe online, and to increase resiliency within the current cyberthreat landscape.
Which is where we’ll resume the discussion. Last week, we focused on the new norm in cybersecurity. Specifically, we highlighted two key concepts:
- Security as a key component that enables digitization while, in a continually evolving manner, addressing the risks digitization introduces.
- The importance of sharing information, coordinating, adapting, and automating where and when it makes the most sense, so that we verify more, make better security decisions, and respond to threats more effectively.
This week, in support of the DHS’s efforts toward better resiliency, we’ll explore what it takes to establish and increase resiliency as the nature of cyberattacks continues to evolve. We’ll touch on the cyberthreat landscape, and map out a few key challenges that organizations may face in maintaining resiliency—both in continuing to defend against known attack methodologies, as well as keeping up with emerging attack methodologies.
We’ll summarize by highlighting a few key ways to address those challenges using an analytics-driven approach to security, which our customers have demonstrated is the foundation on which they have had the most success, maturing their security teams and processes to be better prepared and capable of staying ahead of ever-evolving cyberthreats.
The modern threat landscape is changing rapidly. It ranges from common malware variants that depend on lapses in basic IT hygiene, to more sophisticated social engineering and targeted spear-phishing campaigns, to APTs with high-profile missions such as taking down critical infrastructure, leveraging IoT sprawl for extreme-scale DDoS, or targeting political figures. Attacks keep getting harder to detect and resolve as nation states, cybercriminal syndicates, and other threat actors develop more sophisticated ways to accomplish their objectives.
It's this evolving sophistication that is the real issue. Not long ago, cybersecurity was oriented mostly around the early stages of an attack. Before the kill chain concept was codified into its current form, most organizations focused primarily on preventing reconnaissance and intrusion, and only a relatively few high-priority incidents were investigated. The bulk of exploits involved worm and virus propagation, backdoor Trojans and keyloggers, code injection, basic rootkits and malware, and eavesdropping, hijacking and man-in-the-middle attacks. Attack lifecycles were shorter, and mission objectives were on the scale of "tamper with data," "click fraud," "distribute spam," "steal some files," "establish a zombie footprint to launch a DDoS attack" or "deface web properties." The main goal of cybersecurity was prevention: thwarting reconnaissance attempts and zero-days, primarily through policy enforcement on traffic and session flows and on hosts and endpoints; using vulnerability and other scanning tools and services to assess and inform security posture; and in some cases using honeypots to divert and characterize attackers.
As additional types of attacks appeared, new prevention tools appeared in response, from protocol-specific firewalls, to host-based intrusion prevention systems, to user monitoring, application control, remote policy checking, and DLP, each enabling more granular control. These components made up an organization's multi-layered defense, and their evolved counterparts still do.
Back then, attacks were plentiful and continually on the rise, but relatively few caused significant damage, so this prevention-oriented methodology was appropriate for the time. The general security lifecycle was to prevent anything known, suppress anything that got through as quickly as possible, rely on vendors for fast updates against anything zero-day, and hope that the prevention vendors' techniques were complete enough to also catch unknowns.
Fast forward to today: we are inundated with new attacks at such scale that the multi-layered defense, while still critical to have in place, needs something to tie it all together. To oversimplify, the fundamental issues are visibility, speed, the ability to verify and find root cause efficiently, and the sheer volume of incidents. Security teams are now responsible not only for prevention but, even more, for detection, investigation, and response, at scale and in real time, and as an integrated part of the entire security and IT operational process rather than within a number of siloed entities.
The common theme we hear repeatedly: "We need a way to bring everything together so all these independent constituents / departments can work in a coordinated manner, even if they have different requirements—whether it be what they are tasked with finding, or data privacy, or compliance, or simply what their role is within IT or security."
In terms of the attacks and their sophistication, the tools and methods mentioned above have evolved not only in their ability to get into the environment. Once inside, they can patiently wait for extended periods, move laterally within the environment, cover their own tracks, adapt to the local environment, orchestrate larger-scale efforts with or without outside control, download additional tools from outside, and even alert their command and control if they sense they have been detected.
And a lot more.
In other words, far smarter than before. A tiny fraction of examples includes remote access Trojans that can auto-root, escalate privilege, and even repackage applications; IoT botnets; polymorphic malware and small-footprint Trojans that evade anti-malware products; self-propagating and purely destructive ransomware; man-in-the-browser attacks that quietly exfiltrate credentials and bank codes in bulk. The list goes on.
The rate at which these attacks happen is staggering, not only because of the sophistication of the techniques but because they are driven by clear, well-planned motivation and strategy, from the revenue goals of criminal syndicates to the military and political objectives of nation states.
This is why the focus has shifted from prevention-only to a more risk-based approach: assume the worst, find out what is actually happening, know the risk, manage it through proper adjustments, and repeat in real time. Look across all the stages of an attack and know what is happening in each. Get to know your environment so well that you can proactively form a hypothesis about what threats might exist in it, verify how likely it is to be true, and then go hunt it down. Contain the threat without letting it know you are looking at it, so you can characterize it and build a profile of the threat actors and what they might be up to now and in the future.
If these concepts are more advanced than you are ready for, you still need to start somewhere, such as gaining visibility of the key critical assets in your environment so you can establish central control of your security posture. Find out what looks suspicious and investigate it quickly, with enough context to make good decisions on how to address it at the root. Then implement the change quickly, with enough verification to be confident that it will improve posture, and verify that improvement. Report the improvement to management, and then actually be able to leave work and go home to play with the kids this weekend.
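Here is what one of those hunts looks like when written down, as an added example that is not code from the original post or from Splunk. The hypothesis is "something in my environment is beaconing to a command-and-control server", and the test is to look for source/destination pairs whose requests arrive at nearly constant intervals in the web-proxy log. The log format, the hostnames and IPs, and the thresholds are assumptions made for the example, and the log lines are constructed.

```python
"""Hypothesis-driven hunt for beaconing, run over constructed web-proxy log
lines. Added example for illustration; it is not code from the original post
or from Splunk. The log format, the hostnames and the thresholds are all
assumptions made for the example."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample data: "<timestamp> <src_ip> <dst_host> <status> <bytes>".
# 10.1.2.50 reaches evil.example.org roughly every 60 seconds (with jitter);
# 10.1.2.3 browses normally. One malformed line is included on purpose.
PROXY_LOG = """\
2017-10-13T09:00:00Z 10.1.2.3 cdn.example.net 200 51200
2017-10-13T09:00:00Z 10.1.2.50 evil.example.org 200 312
2017-10-13T09:00:03Z 10.1.2.3 cdn.example.net 200 4096
2017-10-13T09:00:45Z 10.1.2.3 cdn.example.net 304 0
2017-10-13T09:01:00Z 10.1.2.50 evil.example.org 200 298
2017-10-13T09:02:01Z 10.1.2.50 evil.example.org 200 301
2017-10-13T09:02:59Z 10.1.2.50 evil.example.org 200 305
2017-10-13T09:03:10Z 10.1.2.3 cdn.example.net 200 88000
2017-10-13T09:03:11Z 10.1.2.3 cdn.example.net 200 1200
garbage line that does not match the format
2017-10-13T09:04:00Z 10.1.2.50 evil.example.org 200 310
2017-10-13T09:05:01Z 10.1.2.50 evil.example.org 200 299
2017-10-13T09:06:00Z 10.1.2.50 evil.example.org 200 302
2017-10-13T09:07:00Z 10.1.2.50 evil.example.org 200 300
2017-10-13T09:09:50Z 10.1.2.3 cdn.example.net 200 2048
2017-10-13T09:10:00Z 10.1.2.3 cdn.example.net 200 2048
2017-10-13T09:15:00Z 10.1.2.3 cdn.example.net 200 2048
2017-10-13T09:15:01Z 10.1.2.3 updates.example.net 200 120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(log_text):
    """Return (timestamp, src_ip, dst_host) tuples; skip lines that do not parse."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a broken line should not abort the whole hunt
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_beacons(events, min_hits=6, max_cv=0.10):
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps, which stays small under the modest jitter real beacons add.
    min_hits keeps a one-off burst of requests from qualifying."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # identical timestamps: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(times),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(parse(PROXY_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits every "
              f"~{f['period_s']}s (cv={f['cv']})")
```

The thresholds are the part you tune to your own environment: a long min_hits window misses short-lived implants, a loose max_cv starts flagging software update checks and monitoring probes, which are also regular. Either way, the output is a short list of pairs to verify, which is the point of the hunt: the hypothesis narrows millions of proxy lines down to a handful of things worth a human's time.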
So how can you do all that stuff? It sounds great but it also sounds like a massive lift.
Maintaining focus while in the crosshairs of evolving, elusive adversaries does not require an overhaul. An analytics-based approach to security can specifically address the most difficult challenge: balancing the demands of changing threats with the demands of your changing business requirements. As we mentioned last week, the whole point of digital transformation is to enable the business. Just as network and application security had to evolve to enable global internet connectivity (yes, so we could all develop the complete dependency on it mentioned above), your organization's security can evolve to enable digital transformation.
Why Adopt an Analytics-Driven Security Platform
Adopting an analytics-driven approach to security gives an organization a holistic approach to combating modern threats.
An analytics-driven security platform brings your entire multi-layered security architecture—as well as all the machine data from other systems that the above attack methods might attempt to exploit—together so you can treat all that machine data as security relevant and get answers to your toughest security questions from that data, quickly and easily.
It also enables teams across an organization to collaborate and implement best practices to address modern cyberthreat challenges. Splunk provides an analytics-driven security solution that has enabled thousands of security teams to leverage statistical, visual, behavioral and exploratory analytics to drive insights, decisions and actions: everything you need to understand what is going on, connect the dots of an attack, and prioritize how to act to reduce risk most effectively. Once you see patterns, you can automate the actions that need to occur between well-characterized decision points to drive better efficiency, and even package information to share with your private community or with partner organizations and agencies.
An analytics-driven security platform helps security teams navigate ever-evolving threats to quickly identify, investigate, respond and adapt without having to start over every time a new trend emerges. Even if you acquire new point products to address new types of threats, you can pull them into the overall view to quickly contextualize what the information from that new point product means to your organization’s overall security posture and within the context of an attack.
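What "bringing everything together" looks like in practice, as an added example that is not code from the original post or from Splunk: three sources in three different formats (an authentication log in JSON lines, an endpoint agent in key=value pairs, a web proxy in space-separated text) are normalised into one schema and then correlated per host. Each event on its own is weak evidence; the chain across sources is what tells you a host is in trouble. The formats, field names, hostnames, stage names and thresholds are assumptions made for the example, and the sample events are constructed.

```python
"""Cross-source correlation: events from an authentication log, an endpoint
agent and a web proxy, each in its own format, are normalised into one schema
and then tied together per host to reconstruct the stages of an attack.
Added example for illustration; it is not code from the original post or
from Splunk. The formats, field names, hostnames and thresholds are assumed."""
import json
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. ws-042 shows a password-guessing login, encoded
# PowerShell and a large upload; ws-017 is a normal workstation.
AUTH_JSONL = """\
{"ts":"2017-10-13T10:00:00Z","host":"ws-042","user":"jdoe","src":"203.0.113.9","result":"fail"}
{"ts":"2017-10-13T10:00:05Z","host":"ws-042","user":"jdoe","src":"203.0.113.9","result":"fail"}
{"ts":"2017-10-13T10:00:09Z","host":"ws-042","user":"jdoe","src":"203.0.113.9","result":"fail"}
{"ts":"2017-10-13T10:00:14Z","host":"ws-042","user":"jdoe","src":"203.0.113.9","result":"success"}
{"ts":"2017-10-13T10:02:00Z","host":"ws-017","user":"asmith","src":"10.1.5.7","result":"success"}
"""
EDR_KV = """\
ts=2017-10-13T10:03:10Z host=ws-042 event=process_start cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"
ts=2017-10-13T10:03:30Z host=ws-017 event=process_start cmdline="outlook.exe"
"""
PROXY_LOG = """\
2017-10-13T10:09:00Z ws-042 files.example.org 52428800
2017-10-13T10:09:30Z ws-017 cdn.example.net 2048
"""

STAGE_ORDER = ["initial_access", "execution", "exfiltration"]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise():
    """Turn the three formats into (ts, host, source, fields) tuples, sorted by time."""
    events = []
    for line in AUTH_JSONL.splitlines():
        d = json.loads(line)
        events.append((parse_ts(d["ts"]), d["host"], "auth", d))
    for line in EDR_KV.splitlines():
        # shlex keeps the quoted command line as one token before we split on "="
        d = dict(tok.split("=", 1) for tok in shlex.split(line))
        events.append((parse_ts(d["ts"]), d["host"], "edr", d))
    for line in PROXY_LOG.splitlines():
        ts, host, dst, nbytes = line.split()
        events.append((parse_ts(ts), host, "proxy", {"dst": dst, "bytes": int(nbytes)}))
    return sorted(events, key=lambda e: e[0])


def stage_of(event, history):
    """Map one event to an attack stage, using earlier events on the same host
    as context. Returns (stage, reason) or None."""
    ts, host, source, d = event
    if source == "auth" and d["result"] == "success":
        fails = [h for h in history
                 if h[2] == "auth" and h[3]["result"] == "fail"
                 and h[3]["src"] == d["src"] and ts - h[0] <= timedelta(minutes=5)]
        if len(fails) >= 3:
            return "initial_access", f"{d['user']} logged in from {d['src']} after {len(fails)} failures"
    if source == "edr" and d.get("event") == "process_start":
        cmd = d.get("cmdline", "").lower()
        if "powershell" in cmd and "-enc" in cmd:
            return "execution", f"encoded PowerShell: {cmd}"
    if source == "proxy" and d["bytes"] >= 10 * 1024 * 1024:
        return "exfiltration", f"{d['bytes']} bytes sent to {d['dst']}"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Group by host and keep the stage hits that fall within one window of the
    first hit, so an old event does not get chained to an unrelated new one."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev[1]].append(ev)
    incidents = {}
    for host, evs in per_host.items():
        hits = []
        for i, ev in enumerate(evs):
            found = stage_of(ev, evs[:i])
            if found:
                hits.append((ev[0], found[0], found[1]))
        if not hits:
            continue
        chain = [h for h in hits if h[0] - hits[0][0] <= window]
        stages = sorted({h[1] for h in chain}, key=STAGE_ORDER.index)
        incidents[host] = {"stages": stages, "timeline": chain}
    return incidents


def triage(incidents, min_stages=2):
    """Hosts showing several stages come first; a single hit is noise until proven otherwise."""
    ranked = [(h, i) for h, i in incidents.items() if len(i["stages"]) >= min_stages]
    return sorted(ranked, key=lambda x: -len(x[1]["stages"]))


if __name__ == "__main__":
    for host, inc in triage(correlate(normalise())):
        print(host, "->", " > ".join(inc["stages"]))
        for ts, stage, why in inc["timeline"]:
            print(f"  {ts:%H:%M:%S} [{stage}] {why}")
```

Two design points carry over to a real platform. First, the per-source parsers are the only code that knows about formats; once the events share a schema, the stage logic and the correlation do not care where an event came from, which is what lets a new point product be "pulled into the overall view" by adding one parser. Second, the time window is what turns three independent low-severity alerts into one incident that a successful login alone, or one large upload alone, would never have become.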
One real-world example is the Maryland Lottery and Gaming Control Agency (MLGCA). The agency operates the Maryland state lottery and serves as regulator of the state’s six casinos, and oversees lottery and gaming activities that generate more than $1 billion in annual contributions to the State of Maryland.
The MLGCA adopted Splunk Enterprise as part of an effort to modernize its IT operations. Since that deployment, the agency reports saving up to six hours a week on compliance tasks, along with enhanced security for sensitive data, real-time self-service compliance reporting for auditors, improved security monitoring, and increased anomaly detection to identify and prevent security breaches more quickly.
There are many more examples you can read about in our free customer ebook below. Next week, we’ll dive into an example or two. In the meantime, thanks for joining us for the discussion, and stay safe out there.
Do you want to learn more about how Splunk customers are using Splunk's analytics-driven security platform to improve their security posture? Download our free customer ebook, "Data Secrets Revealed: A Collection of Security Customer Stories."