In an earlier blog, I discussed essentials for visibility-driven security and the importance of having both visibility and correlation to quickly assess events in real-time. In this post, we will examine the different dimensions of visibility across the attack continuum and how crucial it is to have these dimensions in place in order to defend against known and emerging threats.
Visibility-driven capabilities are critical if cybersecurity professionals are to do their job effectively. In order to accurately see what’s really happening across dynamic, changing environments and provide a full understanding of malicious incidents, visibility must provide an accurate picture of users, devices, data, threats, and the relationships between them. And it must do so in near real-time and across a wide range of infrastructures to support new business models related to mobility, cloud, and the Internet of Things (IoT).
For many security breaches, the gap between the time of compromise and the time to containment is months if not years. Many of these breaches had early warning signs such as frequent alerts, events or indicators of compromise (IoCs) that reached an administrator’s various security consoles. The failure is often not in detection, but rather in the handling of these events and alerts. This challenge will only worsen as the number of these alerts and events grows exponentially in tandem with the diversity of the enterprise environment.
Dimensions of visibility across the enterprise infrastructure are important in enabling organizations to take informed security actions and protect across the entire attack continuum—before, during and after an attack. Let’s take a closer look at some of the dimensions of visibility and how they play a role in enabling security professionals to correlate information, apply intelligence to understand context, make better decisions and take proper action – either manually or automatically.
Before an Attack
In dynamic and evolving environments, comprehensive network visibility must include real-time insight into all users, devices, OSs, applications, virtual machines, connections, and vulnerabilities. Before an attack, having this type of granular visibility is vital to being able to properly define and implement controls that can reduce the attack surface for adversaries and properly segment the network to minimize lateral movement. Comprehensive visibility enables this to be done in a way that balances an organization’s risk tolerance and compliance mandates with their productivity and business objectives.
During an Attack
During an attack, visibility needs to expand to include real-time awareness of threats, endpoint behavior, and global understanding of the reputation of URLs, IP addresses, files, command and control channels, and DNS servers. This real-time threat awareness can be correlated with the detailed understanding of the customer’s environment that was established in the before phase to enable prioritization of threats and suspicious behavior as they happen as well as automated tuning and updates of threat systems for real-time protection against attacks.
Additionally, modern threat-centric security tools should have the ability to correlate and then visualize attack activity that is seen across different security tools such as endpoint monitoring, file analysis, security intelligence, and network events. This can provide the real-time awareness security professionals need to quickly assess and prioritize their responses to today’s modern multi-vector attacks. This automated correlation is key in both blocking attacks in real-time and accelerating the time to detection.
After an Attack
However, it must be assumed that a certain percentage of attacks will succeed. Thus, it is critical to have dimensions of visibility beyond those needed in the prior phases of the attack continuum. It becomes necessary to have retrospective capabilities that deliver visibility into activity that might have happened days or weeks ago so cybersecurity professionals can quickly assess the scope of a breach and understand the root causes of the infections. Due to a lack of proper visibility, cybersecurity professionals are often left treating the symptoms of infections instead of the root causes. That leaves systems open for reinfection even after remediation is initially completed.
Attackers are becoming more agile. Note, for example, their use of rapidly rotating command and control servers. It has become necessary to have real-time awareness of command and control channels in your network and be able to distinguish these inappropriate and potentially damaging communications from legitimate traffic. This level of visibility is the key to spotting and accelerating the containment of infected hosts.
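As an added example (not from the original post), the retrospective sweep described above: when a newly learned command and control indicator arrives, search historical outbound connection logs for hosts that contacted it days ago, then rank them for containment using the asset context gathered in the before phase. All hosts, domains, log lines and scoring weights are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (the "before" phase): role and open critical vulns.
ASSETS = {
    "10.0.1.5": {"role": "finance-workstation", "critical_vulns": 2},
    "10.0.2.9": {"role": "web-server", "critical_vulns": 0},
    "10.0.3.3": {"role": "domain-controller", "critical_vulns": 1},
}
ROLE_WEIGHT = {"domain-controller": 10, "finance-workstation": 5, "web-server": 3}
# Constructed outbound connection log: timestamp, source host, destination domain.
CONN_LOG = """\
2024-03-01T09:12:00 10.0.1.5 updates.example.org
2024-03-02T22:47:10 10.0.1.5 cdn-a1.badexample.net
2024-03-03T01:05:33 10.0.3.3 cdn-a1.badexample.net
2024-03-03T01:06:01 10.0.3.3 cdn-a1.badexample.net
2024-03-10T14:00:00 10.0.2.9 updates.example.org
2024-03-15T03:30:00 10.0.1.5 cdn-b7.badexample.net
"""
# Constructed threat intelligence learned today: two domains of one rotating C2 set.
C2_DOMAINS = {"cdn-a1.badexample.net", "cdn-b7.badexample.net"}
NOW = datetime(2024, 3, 16, 8, 0, 0)  # constructed "current" time for the sweep

def parse_log(text):
    """Yield (timestamp, source, destination) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst

def retrospective_hits(log_text, ioc_domains, now=NOW, lookback_days=30):
    """Per host: first contact, contact count and distinct IoC domains in the window."""
    cutoff = now - timedelta(days=lookback_days)
    hits = defaultdict(lambda: {"first": None, "count": 0, "domains": set()})
    for ts, src, dst in parse_log(log_text):
        if ts >= cutoff and dst in ioc_domains:
            h = hits[src]
            h["count"] += 1
            h["domains"].add(dst)
            h["first"] = ts if h["first"] is None else min(h["first"], ts)
    return dict(hits)

def prioritise(hits, assets=ASSETS, now=NOW):
    """Rank hosts for containment by asset role, open vulns and dwell time (days)."""
    ranked = []
    for host, h in hits.items():
        a = assets.get(host, {"role": "unknown", "critical_vulns": 0})
        dwell = (now - h["first"]).days  # how long the C2 contact went unnoticed
        score = ROLE_WEIGHT.get(a["role"], 1) + 2 * a["critical_vulns"] + dwell
        ranked.append((score, host, a["role"], dwell, sorted(h["domains"])))
    return sorted(ranked, reverse=True)
```

Running `prioritise(retrospective_hits(CONN_LOG, C2_DOMAINS))` puts the domain controller first even though both hosts have the same dwell time, which is the point of combining before-phase context with after-phase retrospection.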
Finally, it is necessary to actively monitor for signs of active threats via alternative telemetry sources such as forensics tools that can be used to turn your entire network into a sensor. This can help enterprises spot anomalous traffic flows, which are often a sign of infection, as well as spot policy violations like rogue access points or rogue devices and improper communications across network segments.
As organizations continue to evolve their environments to the needs of new business models, the number and type of attack vectors will increase, creating new and unforeseen challenges for companies and those responsible for defending the infrastructure. As we all know: there are limited resources to address all of the data and events across a growing number of connected devices. Establishing a foundation of visibility and intelligence across these dimensions provides crucial context and information necessary to take informed security actions and protect across the attack continuum—before, during and after the attack.