
Samani: Adversaries have more information about our defences than we have about their attacks

Six big challenges facing the security industry in 2017

DUBAI, December 7, 2016

By Raj Samani

Attacks and defences adapt and evolve in a continuing dance. As a new technique is developed, its effectiveness increases rapidly until it is ready for deployment. Once deployed, broad exposure to real-world scenarios, feedback to the development team, and inclusion in other defences further improves its effectiveness.

The enhancement continues until it reaches a level of effectiveness that prompts adversaries to respond. At this stage, attackers experiment and discover ways to evade this type of defence and develop countermeasures to reduce its value.

The security industry’s challenge is to improve the lifecycle of threat defence effectiveness, something that requires foundational research, new classes of products, heavy development time and effort, and a sustained focus, often by multiple industry participants working together.

Reduce asymmetry of information

Adversaries have more information about our defences than we have about their attacks, and this asymmetry significantly influences the threat defence effectiveness curve. Preventing attackers from testing against us is very difficult and possibly unsolvable. However, sharing information about attacks more broadly is one of the critical initial steps that we can take to address this asymmetry. When we share and combine information about attacks, we better understand what the attackers are doing to find weaknesses in our algorithms. That allows us to more quickly adapt and improve defences.

Make attacks more expensive or less profitable

Money is the primary motivation of most cyberattacks. If we can change the economics of the attack process, reduce the success rate of attacks, and make capture more likely, then we can make targets less interesting. Analyzing law enforcement data, we find that investigation and prosecution of cybercrime is inversely related to the severity of the crime. With physical crimes, prosecution is oriented toward the most serious crimes.

With cybercrime, high-level attacks are more difficult to investigate and prosecute because they often cross multiple jurisdictions, and the attackers behind them often have more skills and resources with which to evade detection and prosecution. One potential response to this is to deceive attackers and increase the time they spend on a given attack, making them easier to trace, identify, capture, and prosecute.

Improve visibility

Security operations within companies and security vendors are shifting their focus from IT assets to data assets and from “pseudo-absolute” defensive coverage to informed risk management. We have tools that can identify and classify data, monitor its usage, apply appropriate policies, or block movement if necessary. With these tools, organizations can more effectively quantify their risk profile, identify critical gaps, and appropriately focus resources.

Good organizations compare basic statistics to the previous month, much like accounting. Better organizations work to build regional, national, and industry benchmarks for comparison, like investors. However, many common security metrics are not very actionable. There is much more to be done to be able to act, in near real time, on threatening activities seen in the protected environment.

Identify exploitation of legitimacy

Telling the difference between a legitimate tool used for a legitimate purpose and the same tool used for suspicious activity is very difficult. The only approach we have now is behavioural analytics, which is in its cybersecurity infancy. It is a good start, but we also need to move toward a model that conducts legitimacy tests for every transaction, not just for files and credentials. We need to analyze actions and data movement and try to determine intent, whether from an external actor or an unauthorized insider. This step requires knowing a lot more about the context of the activity.

One controversial possibility is the development of user reputation and predictive analytics. The concept is to assess the probability of a given account being breached, stolen, or used for unauthorized insider activity. By collecting user behaviour in context, from the tendency to reuse passwords on different systems to the job description and typical working hours, we can compare each action to a set of expected legitimate activities and flag those that are outside a given level of risk. This is a sensitive area. We will have significant privacy, ethics, and legal issues to address before this technique enters the mainstream.
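The following is an added illustration of the scoring idea in the paragraph above; it is example code written for this page, not code from Intel Security or the author. It assumes a hypothetical per-user context profile (working hours, known source networks, actions typical of the role, and whether the user is known to reuse passwords), assigns constructed risk weights to each deviation, and flags events whose summed risk reaches a threshold. The audit-log lines and profiles are constructed sample data.

```python
from datetime import datetime

# Constructed sample audit log (not from the article): one event per line,
# an ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2016-12-07T09:05:00 user=alice src=10.1.2.3 action=login
2016-12-07T09:40:00 user=alice src=10.1.2.3 action=file_read path=/finance/q3.xlsx
2016-12-07T23:50:00 user=alice src=203.0.113.9 action=login
2016-12-07T23:52:00 user=alice src=203.0.113.9 action=file_copy path=/finance/q3.xlsx dest=usb
2016-12-07T10:15:00 user=bob src=10.1.2.20 action=login
2016-12-07T10:20:00 user=bob src=10.1.2.20 action=file_read path=/eng/design.doc
2016-12-07T11:00:00 user=svc_backup src=10.1.2.50 action=login
"""

# Hypothetical per-user context profiles: typical working hours (24h clock, start
# inclusive, end exclusive), known source networks (prefix match), actions normally
# seen for the role, and whether the user is known to reuse passwords across systems.
PROFILES = {
    "alice": {"hours": (8, 18), "networks": ("10.1.2.",),
              "actions": {"login", "file_read"}, "reuses_passwords": True},
    "bob":   {"hours": (9, 19), "networks": ("10.1.2.",),
              "actions": {"login", "file_read"}, "reuses_passwords": False},
}

# Constructed risk weights per deviation, and the score at which an event is flagged.
WEIGHTS = {"off_hours": 2, "unknown_network": 3, "unusual_action": 3,
           "reuses_passwords": 1, "no_profile": 5}
THRESHOLD = 5


def parse_event(line):
    """Parse one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def score_event(event, profile):
    """Compare one event with the user's expected-activity profile.
    Returns (score, reasons): the summed weights of every deviation found.
    An account with no profile at all cannot be judged legitimate, so it is
    scored at the threshold and surfaces for review."""
    if profile is None:
        return WEIGHTS["no_profile"], ["no_profile"]
    reasons = []
    start, end = profile["hours"]
    if not start <= event["ts"].hour < end:
        reasons.append("off_hours")
    if not event.get("src", "").startswith(profile["networks"]):
        reasons.append("unknown_network")
    if event.get("action") not in profile["actions"]:
        reasons.append("unusual_action")
    # Standing context (password reuse) raises the baseline risk of every action.
    if profile["reuses_passwords"]:
        reasons.append("reuses_passwords")
    return sum(WEIGHTS[r] for r in reasons), reasons


def flag_events(log_text, profiles, threshold=THRESHOLD):
    """Score every event in the log; return those whose risk reaches the threshold."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        score, reasons = score_event(event, profiles.get(event.get("user")))
        if score >= threshold:
            flagged.append({"ts": event["ts"].isoformat(), "user": event.get("user"),
                            "action": event.get("action"), "score": score,
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOG, PROFILES):
        print(f"{hit['ts']} {hit['user']} {hit['action']} "
              f"score={hit['score']} reasons={','.join(hit['reasons'])}")
```

Run as a script it flags alice's two late-night actions from an unknown network (the file copy to removable media scoring highest) and the unprofiled service account, while bob's in-hours activity from the office network scores zero. In practice the profiles would be learned from history rather than hand-written, and the weights tuned against the organization's own false-positive tolerance, which is exactly where the privacy and legal questions the article raises come in.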

Protect decentralized data

Data is moving around outside of the corporate perimeter, making it much more vulnerable to unintentional leaks and targeted attacks. It is moving to clouds and personal devices, as well as to partners, suppliers, and customers. Less than 20 per cent of an organization’s data ever moves in this extended ecosystem, yet 70 per cent of data loss is connected to this movement.

Today some try to protect this type of data movement by encrypting it and sending decryption keys in a separate email, passing on the responsibility for protection to the next person in the chain. This results in a very small sphere of trust. We need to figure out how to extend the sphere of trust while maintaining better control.

Data classification and loss prevention systems represent early efforts to manage and extend the sphere of trust for decentralized data. Security that moves with the data, enabling persistent policy enforcement, is the next step. We need to be able to protect data during its next use, similar to digital rights management mechanisms.

Detect and protect without agents

So much of our history and strength in security is based on having an agent running on the device we are protecting. However, with the onset of technologies like IoT, the future of cybersecurity, and the solution to most of these big, hard-to-solve problems, must take place in an agentless security world.

The evolution to agentless security is already underway, with early solutions attacking the problem from multiple directions. Chip designers are enhancing hardware-level security, memory protection, and trusted execution environments. Behavioural analytics products watch from the outside, ready to quarantine and investigate devices that are doing something suspicious or anomalous.

Processing and analysis still have to happen somewhere, but we will increasingly leverage flexible computing resources instead of dedicated agents. Distributed enforcement points are already emerging that will spread enforcement throughout a network of devices, with multiple points communicating and collaborating in real time about their detection and protection actions.

In summary, increasing our threat defence effectiveness throughout the security industry will be key to staying ahead of the adversaries. It is critical that multiple industry participants work together to solve big-picture problems that cannot be addressed by simple patches or software updates. We need to share information more broadly among industry leaders to not only give us greater volume and detail in telemetry, but also aid in deception techniques.

By increasing our use of predictive analytics, improving security visibility with both organizational assets and decentralized data, and reducing our use of dedicated agents, we can better protect, detect and correct cyber-attacks and increase our effectiveness in the threat defence lifecycle.

Raj Samani is chief technology officer, EMEA, Intel Security.
