ICT News South Africa

Understand who's inside your network

In a recent forecast, Gartner stated that the security market rose to $60 billion in 2012, up 8.4% from 2011, and is expected to grow to $85 billion in 2016. At the same time, Verizon's 2012 Data Breach Investigations Report claims 855 security breaches were recorded and 174 million records compromised.

Simon Campbell-Young, CEO of Phoenix Distribution, says this poses the question: "Where is the security industry going wrong?"

Organisations are spending more and more, but this is not preventing breaches, and threats show no sign of abating. Our most sensitive and private data is still falling into the wrong hands. The lion's share of security budgets is spent on preventing security incidents, yet they still happen with alarming regularity, and increasing severity.

Add to this that, according to Mandiant, two-thirds of the time an organisation finds out it has been infiltrated from a third party, and only a third of the time does it discover the breach itself. Moreover, the majority of advanced persistent threats (APTs), the ones that do the most damage, are only discovered after they have been lurking on the network for well over a year, stealthily watching and stealing information.

"What we know for sure, is that in all likelihood, your organisation will suffer a breach at some point, if it hasn't already," he says.

Businesses must understand their nature

According to Campbell-Young, in order to successfully defend and mitigate attacks, businesses need to understand their nature. "In most cases, the threat actor will have studied the organisation with a view to identifying possible weaknesses. This may include social engineering and scrutinising social media profiles and so on. Many breaches can be linked to phishing or spear phishing attacks, using a covert, stealthy approach to get inside the network."

Once the cyber crook has a foot in the door, the malware will scan the internal network and infiltrate all corners of the infrastructure, compromising additional hosts as it travels. Once it has established itself, the malware will look to release its payload. He says this can be the finding and exfiltration of data, overwriting or destroying data, or even causing disruption. "The possibilities are endless."

"Identifying a breach is just the first step to containing the fallout. Considering that most threats have more than likely been on your network for over a year, infecting other hosts, drawing additional capabilities in, stealing your information - merely trying to remove the malware is inadequate."

Focus on removing the malicious code

Most entities, once they are aware a breach has occurred, focus on removing the malicious code, but too often on the initial host only. That ignores the wider compromise that has already spread across the infrastructure and is probably still active; cleaning one host will not take the network, and its many compromised internal devices, out of the attacker's hands.

Businesses need to look beyond traditional security measures if they are to adequately protect themselves. Firstly, you can't remove threats you are unaware of. "This is where network visibility and security intelligence come in. All internal network communications must be visible, and monitored to identify and address any anomalous behaviours. Any warnings should be analysed at once, and of course, IT staff must be able to interpret the results," says Campbell-Young.

Incident response should also be elevated, and incident responders empowered to closely investigate all attacks and formulate a solution to combat them. "NetFlow-based monitoring is a best practice that should be adopted by all organisations," he adds.
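The kind of internal visibility Campbell-Young describes can be shown with a small added example; it is not code from the article or from Phoenix Distribution. It reads flattened NetFlow-style records (constructed sample data in a simple CSV form, not real exporter output), flags an internal host that fans out to many other internal hosts (the discovery and lateral-movement phase described above) and an internal host pushing an unusually large volume to an external address (exfiltration), and intersects the two to pick which host to isolate first. The address ranges, thresholds and the sanctioned-scanner allowlist (10.0.9.9, a hypothetical vulnerability scanner) are assumptions to be tuned per network.

```python
"""Toy NetFlow-style anomaly triage over constructed flow records."""
import ipaddress
from collections import defaultdict

# Address space treated as "inside the network" (assumption for this example).
INTERNAL_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed sample flows, flattened to src_ip,dst_ip,dst_port,bytes_sent.
# 10.0.1.5 sweeps a /24 on SMB and then ships ~61 MB to an external host;
# 10.0.9.9 is a hypothetical sanctioned vulnerability scanner.
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,bytes
10.0.1.20,10.0.5.10,443,18400
10.0.1.20,198.51.100.3,443,92000
10.0.1.21,10.0.5.10,80,4100
10.0.1.5,10.0.2.1,445,1200
10.0.1.5,10.0.2.2,445,1200
10.0.1.5,10.0.2.3,445,1200
10.0.1.5,10.0.2.4,445,1200
10.0.1.5,10.0.2.5,445,1200
10.0.1.5,10.0.2.6,445,1200
10.0.1.5,10.0.2.7,445,1200
10.0.1.5,10.0.2.8,445,1200
10.0.1.5,203.0.113.7,443,61000000
10.0.9.9,10.0.2.1,443,3000
10.0.9.9,10.0.2.2,443,3000
10.0.9.9,10.0.2.3,443,3000
10.0.9.9,10.0.2.4,443,3000
10.0.9.9,10.0.2.5,443,3000
10.0.9.9,10.0.2.6,443,3000
"""


def is_internal(ip):
    """True if the address falls inside one of the configured internal nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the header-led CSV text into a list of dicts with typed fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    flows = []
    for ln in lines[1:]:
        rec = dict(zip(header, ln.split(",")))
        rec["dst_port"] = int(rec["dst_port"])
        rec["bytes"] = int(rec["bytes"])
        flows.append(rec)
    return flows


def detect_internal_fanout(flows, min_hosts=5, known_scanners=frozenset()):
    """Internal sources that reach many distinct internal hosts.

    High fan-out from a workstation is the discovery/lateral-movement
    pattern; sanctioned scanners are excluded to keep the alert useful.
    """
    peers = defaultdict(set)
    for f in flows:
        if is_internal(f["src_ip"]) and is_internal(f["dst_ip"]):
            peers[f["src_ip"]].add(f["dst_ip"])
    return {src: sorted(dsts) for src, dsts in peers.items()
            if len(dsts) >= min_hosts and src not in known_scanners}


def detect_bulk_egress(flows, byte_threshold=50_000_000):
    """Internal-to-external pairs whose summed bytes exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src_ip"]) and not is_internal(f["dst_ip"]):
            totals[(f["src_ip"], f["dst_ip"])] += f["bytes"]
    return {pair: total for pair, total in totals.items()
            if total >= byte_threshold}


def triage(text, known_scanners=frozenset({"10.0.9.9"})):
    """Run both detectors and rank hosts that trip both as first to isolate."""
    flows = parse_flows(text)
    fanout = detect_internal_fanout(flows, known_scanners=known_scanners)
    egress = detect_bulk_egress(flows)
    hot = sorted(set(fanout) & {src for src, _ in egress})
    return {"fanout": fanout, "egress": egress, "isolate_first": hot}


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for src, dsts in result["fanout"].items():
        print(f"fan-out: {src} -> {len(dsts)} internal hosts")
    for (src, dst), total in result["egress"].items():
        print(f"bulk egress: {src} -> {dst} ({total} bytes)")
    print("isolate first:", result["isolate_first"])
```

The point of the intersection step is the one the article makes about scoping: the flow data names not just the host that was caught, but every internal peer it touched, which is the list a responder needs to sweep rather than cleaning the first host alone.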

Lastly, Campbell-Young says that companies should feed the information back into the threat detection strategy, and intelligence community, to improve detection rates, and identify possible threats in the future.

Businesses must supplement traditional security approaches and methods with improved incident response, forensic capabilities and network visibility tools. "Understand not only what is coming into the network, but what is already inside," he concludes.
