Think of it as the new arms race: Everyone from corporations to government agencies is engaged in a constant combat cycle with cyber-terrorists and criminals that goes through these phases:
- The bad guys launch a new type or method of attack
- Some (if not all) organizations attacked are breached
- Consequences ranging from real economic loss to destruction of physical—not virtual—resources cause the victimized organizations to begin studying and identifying the new threat
- At least one organization names the new attack method
- The organization or a security vendor finds a defense to the new threat
- The word spreads and, armed with the latest intelligence, organizations begin configuring the appropriate defenses.
Here is the problem: The delay between a breach, developing a defense and sharing the solution can take months, if not longer. Why the delay? Because the good guys do not share enough information. The black hats are aggressively sharing techniques and new approaches. Thus, we applaud anything that the government can do to encourage exchange of information on cybersecurity threats and new methods employed by hackers and other cyber-criminals.
Treating the Disease, Not Just the Symptoms
The lesson to be learned here is that information sharing only helps shorten the time to deploy a solution to a specific, known problem or threat—but what about finding the root causes of those threats as they are happening?
Unlike the Cold War arms race, cyber warfare involves actual damage (thus far, thankfully, only economic loss) that is inflicted during each attack cycle. This means that enterprises and other organizations simply cannot wait complacently for someone else to identify the problem, develop a solution, and then share the solution.
As the wearers of the white hats, we must begin working in parallel. We must proactively and collaboratively search for lurking threats and identify security breaches before real damage is inflicted and the damage begins spreading beyond the financial arena. Companies like Guidance Software and FireEye are collaborating through integration of key security tools and the sharing of critical information. This is a good start, but more organizations must do the same. And what can be done about today’s advanced threats?
How to Research a Threat without a Signature—Proactively
Researching an unknown threat type is next to impossible in organizations that are reliant upon signature-based cybersecurity systems. This is where endpoint analytics, threat detection and response represent a significant opportunity. The process goes like this:
- Collect data on endpoint activity
- Synthesize a “big picture” of your security landscape from a high level, correlating anomalies that would appear benign when analyzed alone, but point to security issues when viewed in aggregate
- Detect anomalies within that “big picture”
- Dive deep to forensically investigate the anomalies.
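The four steps above, as an added, self-contained illustration that is not code from the original post nor from any Guidance Software or FireEye product. It runs over a small set of constructed process-creation events (the hosts, image names and hash values are made up), derives weak per-event signals that would be dismissed on their own (a rarely seen binary hash, an office application spawning a shell, a well-known system image started by an unexpected parent), and then correlates them per host so that only a host accumulating several weak signals rises above the alert threshold. The signal weights, the rarity cut-off and the threshold are arbitrary choices for the example, not values from the post.

```python
from collections import defaultdict

# Constructed endpoint telemetry: one process-creation event per dict.
# Hosts, image names and sha256 values are hypothetical placeholders.
EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe",   "image": "winword.exe",    "sha256": "aa11"},
    {"host": "ws-01", "parent": "winword.exe",    "image": "powershell.exe", "sha256": "pp01"},
    {"host": "ws-01", "parent": "powershell.exe", "image": "svchost.exe",    "sha256": "dead"},
    {"host": "ws-02", "parent": "explorer.exe",   "image": "winword.exe",    "sha256": "aa11"},
    {"host": "ws-02", "parent": "services.exe",   "image": "svchost.exe",    "sha256": "bb22"},
    {"host": "ws-02", "parent": "explorer.exe",   "image": "powershell.exe", "sha256": "pp01"},
    {"host": "ws-03", "parent": "explorer.exe",   "image": "chrome.exe",     "sha256": "cc33"},
    {"host": "ws-03", "parent": "explorer.exe",   "image": "toolx.exe",      "sha256": "ee55"},
    {"host": "ws-04", "parent": "services.exe",   "image": "svchost.exe",    "sha256": "bb22"},
    {"host": "ws-04", "parent": "winword.exe",    "image": "cmd.exe",        "sha256": "cm01"},
    {"host": "ws-05", "parent": "services.exe",   "image": "svchost.exe",    "sha256": "bb22"},
    {"host": "ws-05", "parent": "explorer.exe",   "image": "chrome.exe",     "sha256": "cc33"},
    {"host": "ws-05", "parent": "explorer.exe",   "image": "cmd.exe",        "sha256": "cm01"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Parent a well-known system binary is normally started by; anything else is a lead.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}

RARE_PREVALENCE = 0.25   # a hash seen on fewer than 25% of hosts counts as rare (example value)
ALERT_THRESHOLD = 3      # chosen so that no single signal alerts on its own
SIGNAL_WEIGHTS = {"rare_hash": 1, "office_spawns_shell": 2, "unexpected_parent": 2}


def hash_prevalence(events):
    """Step 1/2: fleet-wide view. Fraction of distinct hosts on which each hash was seen."""
    hosts_by_hash = defaultdict(set)
    for e in events:
        hosts_by_hash[e["sha256"]].add(e["host"])
    fleet = len({e["host"] for e in events})
    return {h: len(hosts) / fleet for h, hosts in hosts_by_hash.items()}


def signals_for_event(event, prevalence):
    """Step 3: weak, individually inconclusive signals for one event."""
    found = []
    if prevalence[event["sha256"]] < RARE_PREVALENCE:
        found.append("rare_hash")
    if event["parent"] in OFFICE_APPS and event["image"] in SHELLS:
        found.append("office_spawns_shell")
    expected = EXPECTED_PARENT.get(event["image"])
    if expected is not None and event["parent"] != expected:
        found.append("unexpected_parent")
    return found


def correlate(events):
    """Step 3 in aggregate: score each host by the signals it accumulates."""
    prevalence = hash_prevalence(events)
    per_host = defaultdict(list)
    for e in events:
        for sig in signals_for_event(e, prevalence):
            per_host[e["host"]].append((sig, e))
    scored = {}
    for host, findings in per_host.items():
        score = sum(SIGNAL_WEIGHTS[s] for s, _ in findings)
        scored[host] = {"score": score, "findings": findings, "alert": score >= ALERT_THRESHOLD}
    return scored


def alerts(events):
    """Hosts whose combined signals cross the threshold, i.e. step 4 candidates."""
    return sorted(h for h, r in correlate(events).items() if r["alert"])


if __name__ == "__main__":
    # Step 4: print the investigation leads for each alerting host.
    results = correlate(EVENTS)
    for host in alerts(EVENTS):
        print(f"{host}: score={results[host]['score']}")
        for sig, e in results[host]["findings"]:
            print(f"  {sig:20s} {e['parent']} -> {e['image']} ({e['sha256']})")
```

With the constructed data, ws-03 (one rare binary) and ws-04 (one office-to-shell launch) each carry a single signal and stay below the threshold, while ws-01 combines an office-to-shell launch, a rare hash and a system image name started by the wrong parent, and is the only host handed to the forensic deep dive.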