In Enterprise security organizations decisions are often made without looking at the big picture. Putting together a security strategy is hard. And sometimes it’s impossible to fully understand the different features and advantages different security solutions provide versus what the organization really needs. Current trends, rumours, lack of security skills or the need to feel secure might have an impact on these decisions. Without a comprehensive knowledge of security--like good attackers or good security researchers often have--an organization can leave themselves exposed.
I’d like to discuss some of the common misconceptions that organizations have and why it’s important to rethink them if any of them apply to your organization. This will be a two part blog series. This week I’ll discuss the concepts of IT security skills and using log-based solutions for stopping attacks.
MISCONCEPTION #1:
Information security as a second job for IT professionals is good enough
In some organizations, IT professionals are responsible for security but their main task is IT. Without being 100% focused on security, they don’t become a security expert. You have to know the enemy in order to face it efficiently. At a minimum, members of the security team should have black hat training so they can better estimate what hackers might do.
Why is this important? The short answer is Advanced Persistent Threats (APTs). They are quite common, particularly in large organizations, and the cost of an attack is high[1]. In many cases, attackers aimed for control of the Domain Controller (DC)[2]. It happened at Sony, it is happening more and more, and it is often kept secret. Research also shows that APTs stay in an organization’s network for a long time[3].
APTs attempt to seize control of as many computers as possible. And ultimately, they attempt to seize control of the DC, which is the only place (hopefully) where domain accounts’ passwords are stored. So, you should assume: There are APTs out there. They will invade your network. They will target your DC.
The effort to stop attacks at the first stage (such as spear phishing) or at the antivirus level is a nice first filter, but it is prone to misses. Determined attackers will try again at quite a low cost, and eventually a phishing email will tempt someone to click the link[4].
While the probability of an APT may be low (it is hard to know), the cost can be extremely high. So, if you multiply the cost by the probability, the result is that your risk is very high. Having the proper training and the proper security solution to protect your organization from APTs should be a top priority. The notion that “the default protection by the OS is enough” proves to be false in almost every incident.
MISCONCEPTION #2:
Counting on a log-based solution to stop advanced attacks
Counting on a product that relies solely on logs in order to stop advanced attacks won’t work. There are three reasons why:
First, logs are limited. They are generated as the data is processed and typically contain only small parts of the raw data, not all of it. Sometimes a very remote and seemingly unimportant property of a seemingly unimportant message suggests an attack, but you won’t see any indication of that message in the logs. This is the case, for example, for the Skeleton Key attack, which is undetectable by this method.
Second, an advanced attacker might delete the relevant logs before you get them. If an attacker takes over the DC, they can delete any log they want. There are also other ways to prevent the logs from reaching the security system.
Third, you can’t react in real time to an attack. You aren’t able to run active queries against the attacker’s machine or do anything immediately to prevent further damage. Instead, you might consider buying a solution that is traffic-based.
Next week I’ll be talking about more common misconceptions in enterprise security organizations. Some of the topics we’ll be discussing include User and Entity Behavior Analytics (UEBA), broad-based security solutions and “zero configuration” so be sure to check back to read more!
[1] The average total cost of a data breach is $3.79 million according to the 2016 Ponemon Cost of Data Breach study.
[3] According to the 2015 Cost of a Data Breach Study, it takes an average of 256 days to identify an APT.
[4] The 2015 Verizon DBIR report showed that nearly 50% of users open e-mails and click on phishing links within the first hour.