Why Signature-Based Cyber-Defenses are Bound to Fail

Sam Maccherola

You will not see a signature-based alert from your security information and event management (SIEM) tool for a zero-day attack. There is no entry in your blacklist for the malware that was custom-built for your organization and quietly colonized your mail server a month ago. No indicator, no pattern match, no alert.

Why is this the case? Because malware is constantly morphing, and because the sophisticated, dedicated minds under those black hats are working night and day to design an intrusion specifically for each organization they decide to invade. When it hits you, it will be the first time its signature has ever been seen.

This is why some national investigation agencies and corporate information security leaders are calling for security teams to begin operating under the assumption that they have already been compromised. In fact, the next serious threat may come from inside your organization using valid—and leaked—access credentials. In this new reality, even the most robust perimeter defense approaches can fight only half the battle.

Proactive Threat Hunting with Analytics and Forensics

Television shows like CSI and The Forensic Squad illustrate what many law-enforcement investigators know as "Locard's Principle," which holds that every contact leaves a trace. The same applies directly to network security: the perpetrator of any intrusion leaves behind some indication of his or her presence. The challenge is to find that evidence before the attacker has finished the early stages of the intrusion, and while it can still be captured from volatile data on the affected endpoints (running processes, open network connections, memory contents), which is gone once the machine reboots. Using a tool like EnCase® Cybersecurity that preserves captured data in a forensically sound form, with hashes that can be re-verified later, also lets you demonstrate that the evidence has not been tampered with if the time comes to deliver it to legal authorities.
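The following is an added example, not code from the original post or from EnCase, showing the mechanism behind "preserve it so you can prove it was not tampered with": every captured artifact is hashed at acquisition, the manifest of hashes is sealed with a key the examiner holds outside the evidence store, and a later re-hash reports exactly which artifacts were modified, removed or added. The artifact names and contents, the examiner ID, the timestamp and the seal key are all constructed for the demonstration.

```python
"""Hash-manifest integrity check for evidence captured from an endpoint.

Added example, not code from the original post or from EnCase. Artifact
names, contents, the examiner ID, the timestamp and the seal key are all
constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Constructed artifacts as they might be captured from volatile state on a
# workstation: a process listing and a table of live network connections.
ARTIFACTS = {
    "ws01/process_list.txt": b"4120 svchost.exe 600\n4412 outlook.exe 1984\n5120 updater.exe 4412\n",
    "ws01/netstat.txt": b"192.0.2.10:49210 -> 198.51.100.7:443 ESTABLISHED pid=5120\n",
}

# Constructed seal key. In practice this is a key (or signing key) the
# examiner holds outside the evidence store: anyone who can read or edit the
# manifest must not be able to recompute the seal.
SEAL_KEY = b"examiner-seal-key-demo"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, examiner: str, collected_at: str) -> dict:
    """Record a digest and size for every captured artifact at acquisition time."""
    return {
        "examiner": examiner,
        "collected_at": collected_at,
        "artifacts": {
            name: {"sha256": sha256_hex(blob), "size": len(blob)}
            for name, blob in sorted(artifacts.items())
        },
    }


def canonical(manifest: dict) -> bytes:
    """Stable serialisation so the same manifest always seals to the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest, binding it to the key holder."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def seal_is_valid(manifest: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(seal(manifest, key), tag)


def verify(manifest: dict, artifacts: dict) -> list:
    """Re-hash the evidence and report every way it differs from the manifest.

    Returns a sorted list of (problem, artifact_name) tuples; an empty list
    means the evidence is exactly what was recorded at acquisition.
    """
    problems = []
    recorded = manifest["artifacts"]
    for name, entry in recorded.items():
        if name not in artifacts:
            problems.append(("missing", name))
        elif sha256_hex(artifacts[name]) != entry["sha256"]:
            problems.append(("modified", name))
    for name in artifacts:
        if name not in recorded:
            problems.append(("unexpected", name))
    return sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, "examiner-01", "2020-01-01T00:00:00Z")
    tag = seal(manifest, SEAL_KEY)
    print("clean copy:", verify(manifest, ARTIFACTS))

    # Someone rewrites the connection table to point the suspicious
    # connection at a benign process.
    tampered = dict(ARTIFACTS)
    tampered["ws01/netstat.txt"] = b"192.0.2.10:49210 -> 198.51.100.7:443 ESTABLISHED pid=4412\n"
    print("tampered copy:", verify(manifest, tampered))

    # Rebuilding the manifest to match the tampered file does not help them:
    # the original seal no longer verifies against the rewritten manifest.
    forged = build_manifest(tampered, "examiner-01", "2020-01-01T00:00:00Z")
    print("forged manifest passes seal check:", seal_is_valid(forged, tag, SEAL_KEY))
```

The hash manifest alone only proves the evidence matches the manifest; the seal (or, in a real evidence workflow, a digital signature and a documented chain of custody) is what proves the manifest itself is the one recorded at acquisition.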

The prime target for any sort of threat—whether that threat comes from corporate espionage through a malicious insider or from outside of the organization—will always be sensitive data. Given that sensitive data (or errant copies of it) is often stored on endpoints, such as employee laptops and data servers, it is immediately apparent that lack of visibility into endpoint activity is one of the biggest vulnerabilities of most corporations and government agencies.

Baselines and Anomalies: How Endpoint Analytics Can Strengthen Security

Creating and regularly updating baselines of endpoint and server activity gives information security teams a starting point for identifying and alerting on anomalies. There is tremendous value in aggregating the data, processes and other activity occurring on thousands of laptops and servers at any given moment and deriving baselines of "normal" behavior. Against such baselines, a statistically significant deviation is a candidate breach in progress, to be triaged rather than taken as proof: legitimate change (a patch cycle, a new application rollout) also moves the numbers, and a baseline learned while an intruder was already present will treat that intruder's activity as normal, so the "assume you are already compromised" posture above applies to the baseline itself. EnCase® Analytics can show you those deviations in a visual dashboard, no data scientists in white coats required.
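As an added example, not code from the original post or from EnCase Analytics, the block below makes the two kinds of deviation concrete over constructed endpoint telemetry: an executable image that has never run on a given host before (reported with its fleet-wide prevalence as context), and a host whose daily activity volume moves far outside its own history, scored as a z-score against that host's baseline. Hostnames, image names, connection counts, the seven-day baseline window and the threshold of three standard deviations are all assumptions.

```python
"""Fleet baseline and anomaly scoring over constructed endpoint telemetry.

Added example, not code from the original post or from EnCase Analytics.
Hostnames, image names, counts, the baseline window and the z-score
threshold are assumptions made for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed quiet-period telemetry: (day, host, image, outbound connections
# that image made on that day). Seven days, four workstations, one mail server.
BASELINE = []
for day in range(1, 8):
    for host in ("ws01", "ws02", "ws03", "ws04"):
        BASELINE += [
            (day, host, "outlook.exe", 40 + day),
            (day, host, "chrome.exe", 300 + 3 * day),
            (day, host, "teams.exe", 50 + day % 3),
        ]
    BASELINE += [
        (day, "mail01", "edgetransport.exe", 2400 + 10 * day),
        (day, "mail01", "w3wp.exe", 1200 - 5 * day),
    ]

# Constructed observations for day 8: the workstations look like any other
# day; mail01 has a new image making connections alongside its usual services.
WORKSTATIONS = ("ws01", "ws02", "ws03", "ws04")
TODAY = [(8, h, "outlook.exe", 41) for h in WORKSTATIONS]
TODAY += [(8, h, "chrome.exe", 320) for h in WORKSTATIONS]
TODAY += [(8, h, "teams.exe", 51) for h in WORKSTATIONS]
TODAY += [
    (8, "mail01", "edgetransport.exe", 2470),
    (8, "mail01", "w3wp.exe", 1165),
    (8, "mail01", "svchost32.exe", 900),  # never seen anywhere in the fleet
]


def build_baseline(rows):
    """Summarise the quiet period: images per host, hosts per image, volume stats.

    Caveat: if an intruder was already active during these days, whatever
    they ran is learned here as "normal" and will not be flagged later.
    """
    images_by_host = defaultdict(set)
    hosts_by_image = defaultdict(set)
    daily_total = defaultdict(lambda: defaultdict(int))
    for day, host, image, conns in rows:
        images_by_host[host].add(image)
        hosts_by_image[image].add(host)
        daily_total[host][day] += conns
    volume = {}
    for host, per_day in daily_total.items():
        totals = list(per_day.values())
        volume[host] = (mean(totals), pstdev(totals))
    return {
        "images_by_host": images_by_host,
        "hosts_by_image": hosts_by_image,
        "volume": volume,
        "host_count": len(images_by_host),
    }


def score_day(baseline, rows, z_threshold=3.0):
    """Return findings as (kind, host, image, value) tuples for one day's rows."""
    findings = []
    totals = defaultdict(int)
    for _day, host, image, conns in rows:
        totals[host] += conns
        # New on this host. Fleet prevalence separates "new here but common
        # elsewhere" (a rollout) from "never seen anywhere" (worth a look).
        if image not in baseline["images_by_host"].get(host, set()):
            seen_on = len(baseline["hosts_by_image"].get(image, ()))
            findings.append(("new_image", host, image, round(seen_on / baseline["host_count"], 2)))
    for host, total in totals.items():
        if host not in baseline["volume"]:
            findings.append(("unknown_host", host, None, total))
            continue
        mu, sigma = baseline["volume"][host]
        if sigma > 0:
            z = (total - mu) / sigma
        else:
            z = 0.0 if total == mu else float("inf")
        if abs(z) >= z_threshold:
            findings.append(("volume_shift", host, None, round(z, 1)))
    return findings


if __name__ == "__main__":
    model = build_baseline(BASELINE)
    for finding in score_day(model, TODAY):
        print(finding)
```

Run stand-alone it reports only mail01: a `new_image` finding for `svchost32.exe` with fleet prevalence 0.0, and a `volume_shift` of roughly 90 standard deviations. The workstations, whose images are all known on each host and whose totals sit within one standard deviation of their own history, produce nothing, which is the point of scoring each host against its own baseline rather than a fleet-wide average.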

That intelligence enables swift detection and decision-making in the heat of an attack, when every second counts. Anomaly reporting gives an early look at something unusual, or outside the norm, happening within your environment, and so the opportunity to detect an intrusion in its earliest stages. I welcome your comments below about how you're fighting the good fight against the black hats.

Sam Maccherola is Vice President and General Manager EMEA/APAC for Guidance Software and is based in the United Kingdom. 
