Amit Yoran Proposes A Five-Point Plan For A New Approach To Security
When attending RSA President Amit Yoran’s excellent keynote at last week’s RSA Conference, I couldn’t help but notice his reinforcement of the strategy Ziften has been executing. Here at Ziften we are intently focused on continuous endpoint monitoring, risk-focused security analytics, and silo-busting Ziften Open Visibility™ to counter the new era of advanced targeted attacks. Yoran criticized current enterprise security strategy as mired in the Dark Ages of cyber moats and castle walls, an “epic fail”, and outlined his vision for a path forward in five main points, to each of which I’ll add commentary from Ziften’s perspective.
1. Stop Believing that Even Advanced Protections Are Sufficient
“No matter how high or smart the walls, focused adversaries will find ways over, under, around, and through.”
Many of the advanced attacks last year did not even use malware as a primary tactic. Amit specifically criticizes traditional IPS, endpoint AV, and firewalls, the cyber equivalents of Dark Ages castle walls and moats. Simply put, these legacy defenses are ineffective, a wall easily scaled by an advanced attacker. Signature-based AV only protects against previously seen threats, whereas previously unseen threats are the most dangerous to the enterprise (since they are typical of targeted attacks). And targeted attackers employ malware only half the time, perhaps only briefly, during initial compromise. Attack artifacts are readily altered and not re-used in targeted campaigns. Accumulating malware signatures and transient indicators of compromise by the billions in vast AV signature databases is a futile defensive effort, like combing old battlefields for spent shell casings.
2. Adopt a Deep and Pervasive Level of True Visibility Everywhere – from the Endpoint to the Cloud
“We need pervasive and true visibility into our enterprise environments. You simply can’t do security today without the visibility of both continuous full packet capture and endpoint compromise assessment visibility.”
Across the enterprise endpoint population this means continuous endpoint monitoring for generic indicators of compromise (not stale attack artifacts) that reflect timeless techniques, not fleeting hex string happenstance. And any enterprise doing continuous full packet capture (comparatively expensive) can readily afford endpoint compromise assessment visibility (comparatively inexpensive). There is a wealth of security insight available from logging and auditing of endpoint process activity using even elementary security analytics methods. Targeted attackers rely on the relative opacity of endpoint user and system activity to cloak and conceal their attacks—true visibility casts a bright light, like illumination flares over a night attack battlefield.
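As an added illustration of the “elementary security analytics” over endpoint process activity described above (this is example code written for this commentary, not Ziften’s product logic), the following scores process-start records on two generic, technique-level indicators rather than on any hash or string: a document-handling application spawning a command interpreter, and an executable image that runs on only a small fraction of the monitored fleet. The hostnames, process names and paths are constructed sample telemetry.

```python
"""Elementary analytics over endpoint process-start records.

Two generic indicators that describe attacker technique rather than a
specific, easily altered artifact:
  1. a document-handling application spawning a command interpreter;
  2. an executable image observed on only a tiny fraction of the fleet.
All records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict

# Constructed image paths used by the sample records.
SVCHOST = r"C:\Windows\System32\svchost.exe"
CHROME = r"C:\Program Files\Google\Chrome\chrome.exe"
WINWORD = r"C:\Program Files\Office\winword.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
UPDATER = r"C:\Users\jdoe\AppData\Local\Temp\upd8r.exe"  # constructed, user-writable path

# Constructed sample telemetry: (host, parent_process, child_process, image_path)
EVENTS = [
    ("ws-01", "services.exe", "svchost.exe", SVCHOST),
    ("ws-02", "services.exe", "svchost.exe", SVCHOST),
    ("ws-03", "services.exe", "svchost.exe", SVCHOST),
    ("ws-04", "services.exe", "svchost.exe", SVCHOST),
    ("ws-01", "explorer.exe", "chrome.exe", CHROME),
    ("ws-02", "explorer.exe", "chrome.exe", CHROME),
    ("ws-03", "explorer.exe", "chrome.exe", CHROME),
    ("ws-01", "explorer.exe", "winword.exe", WINWORD),
    ("ws-02", "explorer.exe", "winword.exe", WINWORD),
    ("ws-01", "winword.exe", "powershell.exe", POWERSHELL),  # document app -> interpreter
    ("ws-04", "explorer.exe", "upd8r.exe", UPDATER),          # seen on a single host
]

DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def suspicious_parent_child(events):
    """Return (host, parent, child) for document apps that launch an interpreter.

    This describes a technique, so it keeps firing however the payload changes.
    """
    return [(h, p, c) for h, p, c, _ in events
            if p.lower() in DOCUMENT_APPS and c.lower() in INTERPRETERS]


def rare_images(events, max_prevalence=0.25):
    """Return image paths present on at most `max_prevalence` of observed hosts.

    Fleet-wide prevalence needs no prior knowledge of the binary: a program
    running on one machine out of hundreds is worth a look regardless of hash.
    """
    hosts = {h for h, *_ in events}
    seen_on = defaultdict(set)
    for h, _, _, path in events:
        seen_on[path].add(h)
    return sorted(path for path, hs in seen_on.items()
                  if len(hs) / len(hosts) <= max_prevalence)


if __name__ == "__main__":
    for finding in suspicious_parent_child(EVENTS):
        print("parent/child:", finding)
    for path in rare_images(EVENTS):
        print("rare image:", path)
```

Both checks are cheap to compute from the process-start audit trail every endpoint already produces, and neither depends on a signature that an attacker can change between campaigns; the prevalence threshold is the main tuning knob and would be raised or lowered to the fleet size at hand.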
3. Identity and Authentication Matter More than Ever
“In a world with no perimeter and with fewer security anchor points, identity and authentication matter more than ever . . . At some point in [any successful attack] campaign, the abuse of identity is a stepping stone the attackers use to impose their will.”
Stronger authentication is great, but just makes the walls higher, not impenetrable. It’s what attackers do after they get over the wall that matters most. This means tracking user endpoint logins (both local and remote) and application engagements for signs of abnormal user activity (potential compromised credentials or insider attack). Any observed activity that represents a departure from the normal pattern is potentially suspect. While one normality departure does not make a case, security analytics that triangulates multiple normality departures focuses security attention on the highest risk anomalies for triage.
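To make the “triangulates multiple normality departures” idea concrete, here is an added example (written for this post, not Ziften’s own analytics) that learns a per-user login profile from a history window and then scores each new login by how many independent attributes (host, source network, hour of day) fall outside that profile. A single departure is only noted; two or more coinciding on one login are escalated for triage. Users, hosts, addresses and timestamps are constructed sample data.

```python
"""Triangulating several small departures from a user's login baseline.

The per-user profile is learned from a history window; each new login is
scored on how many independent attributes fall outside that profile.
One departure is noted, two or more are escalated.
All users, hosts, addresses and times are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Login:
    user: str
    host: str
    src_ip: str       # session origin; "local" for console logons
    when: datetime
    kind: str         # "local" or "remote"


def subnet(ip):
    """Reduce an IPv4 source to its /24 so a DHCP lease change is not a departure."""
    return "local" if ip == "local" else ".".join(ip.split(".")[:3])


def empty_profile():
    return {"hosts": set(), "nets": set(), "hours": set()}


def build_profiles(history):
    """Per user: hosts used, /24 source networks seen, and hours of day seen."""
    prof = defaultdict(empty_profile)
    for lg in history:
        p = prof[lg.user]
        p["hosts"].add(lg.host)
        p["nets"].add(subnet(lg.src_ip))
        p["hours"].add(lg.when.hour)
    return prof


def departures(login, profile):
    """List the attributes of this login that fall outside the user's profile."""
    found = []
    if login.host not in profile["hosts"]:
        found.append("new_host")
    if subnet(login.src_ip) not in profile["nets"]:
        found.append("new_source_network")
    # allow one hour of slack either side of any previously seen login hour
    if not any(abs(login.when.hour - h) <= 1 for h in profile["hours"]):
        found.append("unusual_hour")
    return found


def triage(logins, profiles):
    """Return [(login, severity, departures)].

    Severity follows the number of independent departures that coincide,
    not any single one. An account with no history at all departs on every
    attribute and is therefore escalated.
    """
    out = []
    for lg in logins:
        d = departures(lg, profiles.get(lg.user, empty_profile()))
        severity = "ok" if not d else ("note" if len(d) == 1 else "escalate")
        out.append((lg, severity, d))
    return out


# Constructed history window for two users.
HISTORY = [
    Login("alice", "ws-01", "local", datetime(2015, 4, 1, 8, 55), "local"),
    Login("alice", "ws-01", "local", datetime(2015, 4, 2, 9, 10), "local"),
    Login("alice", "vpn-gw", "10.20.5.17", datetime(2015, 4, 3, 19, 40), "remote"),
    Login("alice", "ws-01", "local", datetime(2015, 4, 6, 8, 47), "local"),
    Login("bob", "ws-07", "local", datetime(2015, 4, 1, 7, 30), "local"),
    Login("bob", "fileserv", "10.20.7.3", datetime(2015, 4, 1, 7, 45), "remote"),
    Login("bob", "ws-07", "local", datetime(2015, 4, 2, 7, 35), "local"),
]

# Constructed new logins to score against the learned profiles.
NEW = [
    Login("alice", "ws-01", "local", datetime(2015, 5, 4, 9, 2), "local"),           # usual
    Login("alice", "vpn-gw", "10.20.5.88", datetime(2015, 5, 4, 20, 5), "remote"),   # same /24, near usual hour
    Login("bob", "fileserv", "10.20.7.3", datetime(2015, 5, 4, 23, 15), "remote"),   # only the hour is off
    Login("bob", "dc-01", "172.16.40.9", datetime(2015, 5, 5, 3, 12), "remote"),     # host, network and hour all off
]

if __name__ == "__main__":
    for lg, severity, d in triage(NEW, build_profiles(HISTORY)):
        print(f"{lg.user:6} {lg.host:9} {lg.when:%Y-%m-%d %H:%M} {severity:9} {d}")
```

The profile attributes here are deliberately coarse (a /24 rather than an exact address, an hour with slack) so that ordinary drift does not register as a departure; what drives escalation is the coincidence of several departures on one event, which is what credential misuse or an insider acting out of pattern tends to produce.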
4. External Threat Intelligence is a Core Capability
“There are incredible sources for the right threat intelligence . . . [which] should be machine-readable and automated for increased speed and leverage. It should be operationalized into your security program and tailored to our organization’s assets and interests so that analysts can quickly address the threats that pose the most risk.”
While targeted attacks typically do not re-use readily signatured artifacts or recycle C2 domains and network addresses, there is still value in threat intelligence feeds that aggregate timely findings from millions of network and endpoint threat sensors. At Ziften this means integration of third party threat feeds via the Ziften Knowledge Cloud, plus exposure of Ziften findings into SIEM and other enterprise security and operations infrastructure via our Open Visibility™ architecture. As more machine-readable threat intelligence (MRTI) feeds evolve, this capability will grow in effectiveness.
5. Understand What Matters Most to Your Business and What Is Mission Critical
“You must understand what matters to your business and what is mission critical. You have to . . . defend what’s important and defend it with everything you have.”
This argues for risk-driven instrumentation and analytics that focus security attention and effort on the areas of highest enterprise risk exposure. Asset value prioritization, as advocated by Yoran, is but one side of enterprise risk analysis, and the topic goes much deeper, both academically and pragmatically. Security analytics that focus security staff attention on the most prominent dynamic risks (for example by correlating, filtering, and scoring SIEM alert streams for SOC triage) must be well-grounded in all sides of enterprise risk analysis.
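The parenthetical above (correlating, filtering, and scoring SIEM alert streams for SOC triage) can be shown in a few dozen lines. The following is an added example, not Ziften’s scoring logic: each alert’s severity is weighted by an asset-criticality figure taken from a business-impact review (the weights are assumed), alerts that cluster on the same asset inside a short window are merged into one case whose score sums its members, low-value noise is filtered, and the remaining cases are ordered for triage. Assets, rule names and timestamps are constructed sample data.

```python
"""Risk-scored triage of a SIEM alert stream (constructed sample data).

score(alert) = severity weight x asset criticality
Alerts on the same asset within a short window merge into one case whose
score is the sum of its members; cases below a noise floor are dropped and
the rest are ordered highest-risk first for SOC triage.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Asset criticality from a business-impact review (assumed values, 1 = low, 5 = mission critical).
ASSET_CRITICALITY = {
    "pay-db-01": 5,   # payroll database
    "dc-01": 5,       # domain controller
    "ws-14": 1,       # standard workstation
    "kiosk-03": 1,    # lobby kiosk
}
UNKNOWN_ASSET_CRITICALITY = 2   # unseen asset: assume mid-range rather than ignore it

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed alert stream: (timestamp, asset, rule, severity)
ALERTS = [
    (datetime(2015, 4, 21, 10, 0), "ws-14", "AV: adware detected", "low"),
    (datetime(2015, 4, 21, 10, 2), "kiosk-03", "Failed logon burst", "medium"),
    (datetime(2015, 4, 21, 10, 5), "pay-db-01", "New local admin account", "medium"),
    (datetime(2015, 4, 21, 10, 6), "pay-db-01", "Outbound connection to new external host", "medium"),
    (datetime(2015, 4, 21, 10, 8), "pay-db-01", "Database export by service account", "high"),
    (datetime(2015, 4, 21, 13, 0), "dc-01", "Scheduled task created", "low"),
    (datetime(2015, 4, 21, 13, 40), "ws-14", "Failed logon burst", "medium"),
]


def score_alert(asset, severity):
    """Weight the raw rule severity by how much the asset matters to the business."""
    return SEVERITY[severity] * ASSET_CRITICALITY.get(asset, UNKNOWN_ASSET_CRITICALITY)


def make_case(asset, items):
    """Fold a run of alerts on one asset into a single triage case."""
    return {
        "asset": asset,
        "rules": [rule for _, rule, _ in items],
        "alerts": len(items),
        "score": sum(score_alert(asset, sev) for _, _, sev in items),
    }


def correlate(alerts, window=timedelta(minutes=15), min_score=0):
    """Group per-asset alerts that fall within `window` of each other into cases,
    drop cases scoring below `min_score`, and return the rest highest score first."""
    by_asset = defaultdict(list)
    for ts, asset, rule, sev in sorted(alerts):
        by_asset[asset].append((ts, rule, sev))

    cases = []
    for asset, items in by_asset.items():
        current = []
        for ts, rule, sev in items:
            # a gap longer than the window closes the current case
            if current and ts - current[-1][0] > window:
                cases.append(make_case(asset, current))
                current = []
            current.append((ts, rule, sev))
        cases.append(make_case(asset, current))

    return sorted((c for c in cases if c["score"] >= min_score),
                  key=lambda c: -c["score"])


if __name__ == "__main__":
    for case in correlate(ALERTS, min_score=3):
        print(f"{case['score']:3} {case['asset']:10} {case['alerts']} alert(s): {case['rules']}")
```

With the sample stream, three individually medium-grade alerts on the payroll database collapse into one case that outscores everything else by a wide margin, while the same “failed logon burst” rule on a kiosk falls below the noise floor. That is the point of grounding the score in asset value: the rule name alone would have ranked those two the same.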
At Ziften we applaud Amit Yoran’s messaging in his RSA 2015 keynote address as the cyber security industry evolves beyond the current Dark Ages of facile targeted attacks and entrenched exploitations.