These endpoints also have Wi-Fi, Bluetooth and apps, each of which opens another route into the network.
For all these reasons, it is time to stop proverbially staring forlornly along the fence and start
searching the grounds. As John Chambers’ truism reminds us, the invaders have already
breached defences such as firewalls, anti-virus and intrusion detection systems.
At best they are sitting dormant, waiting to pounce. At worst they are stealing, viewing and
causing trouble, totally unfettered. In fact, on average an attacker can sit unnoticed on a victim's
network for 146 days [ii].
Clearly, a lot can happen in that time. Information can be extracted, identities forged, cash
stolen and infrastructure broken, all of which can spell disaster.
This is why the best defence is not to build a bigger fence, but to analyse network traffic and
detect suspicious activities.
This does not mean just checking files to see if they match the profile of known threats, but
looking at what traffic is passing over the network and whether it suggests malicious intent.
It means looking for patterns of behaviour that do not look right.
For example, when you or I search for something online, we will probably head for Google. We
will do some searching, flick through results, go back, tweak the search terms and generally
take a hit and miss approach.
Eventually, we will find what we want and click on the appropriate link. This is a very human
process and creates a set of log files that look a certain way when analysed.
Automated malware does not browse this way: it tends to contact the same destination at regular
intervals, with near-identical requests and none of the searching and backtracking a person leaves
behind. The difference between typical malware and a human is therefore obvious in the traffic and
the resulting log files, and that should be a warning. Not just that something nasty is on the network,
but that the nasty thing is starting to do something.
As soon as you know it is doing something – or trying to do something – you can stop it in its
tracks. Fast.
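As an added illustration of the point above (example code written for this article, not a tool the author describes), the following script runs that behavioural test over a handful of constructed proxy log lines. The log format, the host names, the client address and the thresholds are all assumptions made for the example. It groups requests by client and destination, then measures how regular the timing and request sizes are: a person's Google session is bursty and varied, while a check-in to a controller is metronomic and identical every time.

```python
"""Behavioural detection over proxy logs: is this client browsing or beaconing?

A person searching the web produces bursty, irregular requests of varying
size, usually with a referrer from the page they came from. Commodity
malware checking in with its controller tends to poll at a fixed interval
with near-identical requests and no referrer. Both patterns are visible in
ordinary proxy logs without knowing anything about the file that made them.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic; hosts and addresses are made up). Fields:
# <ISO-8601 timestamp> <client IP> <destination host> <bytes sent> <referrer or ->
SAMPLE_LOG = """\
2017-04-03T09:00:00 10.1.2.3 www.google.com 512 -
2017-04-03T09:00:07 10.1.2.3 www.google.com 890 https://www.google.com/
2017-04-03T09:00:41 10.1.2.3 www.google.com 640 https://www.google.com/
2017-04-03T09:01:05 10.1.2.3 en.wikipedia.org 1330 https://www.google.com/
2017-04-03T09:03:52 10.1.2.3 www.google.com 1430 https://en.wikipedia.org/
2017-04-03T09:04:02 10.1.2.3 docs.example.org 2048 https://www.google.com/
2017-04-03T09:06:30 10.1.2.3 www.google.com 720 https://docs.example.org/
2017-04-03T09:00:00 10.1.2.3 cdn-updates.example.net 230 -
2017-04-03T09:01:00 10.1.2.3 cdn-updates.example.net 230 -
2017-04-03T09:02:01 10.1.2.3 cdn-updates.example.net 230 -
2017-04-03T09:03:00 10.1.2.3 cdn-updates.example.net 230 -
2017-04-03T09:03:59 10.1.2.3 cdn-updates.example.net 230 -
2017-04-03T09:05:00 10.1.2.3 cdn-updates.example.net 230 -
"""

# Thresholds are illustrative starting points (assumed for this example), not tuned values.
MIN_REQUESTS = 5        # fewer than this and regularity cannot be judged
MAX_INTERVAL_CV = 0.15  # coefficient of variation of inter-request gaps
MAX_SIZE_CV = 0.10      # coefficient of variation of request sizes


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean; 0 when the mean is 0."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def parse_log(log_text):
    """Group log lines by (client, destination); each event is (time, bytes, referrer)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes, referrer = line.split()
        sessions[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes), referrer))
    for events in sessions.values():
        events.sort()  # logs are not guaranteed to arrive in time order
    return sessions


def analyse(log_text):
    """Return, per (client, destination), the regularity features and a verdict."""
    results = {}
    for key, events in parse_log(log_text).items():
        if len(events) < MIN_REQUESTS:
            results[key] = {"requests": len(events), "verdict": "insufficient data"}
            continue
        # Gaps between consecutive requests, in seconds
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [nbytes for _, nbytes, _ in events]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        # People arrive at pages from other pages; implants rarely send a referrer
        with_referrer = sum(1 for *_, ref in events if ref != "-") / len(events)
        machine_like = interval_cv <= MAX_INTERVAL_CV and size_cv <= MAX_SIZE_CV
        results[key] = {
            "requests": len(events),
            "mean_interval_s": round(mean(intervals), 1),
            "interval_cv": round(interval_cv, 3),
            "size_cv": round(size_cv, 3),
            "referrer_fraction": round(with_referrer, 2),
            "verdict": "beacon-like" if machine_like else "human-like",
        }
    return results


if __name__ == "__main__":
    for (src, dst), r in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{src} -> {dst:28} {r}")
```

On the constructed sample the Google session comes out "human-like" (gaps of 7, 34, 191 and 158 seconds, request sizes all over the place) and the once-a-minute check-in comes out "beacon-like" (gaps of 59 to 61 seconds, every request 230 bytes, never a referrer). The caveat a practitioner will want: legitimate software update checkers and monitoring agents are just as regular, so a regularity score is a lead to triage against destination reputation and an allowlist of known pollers, not a verdict on its own.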
This is the approach all organizations should be taking: looking for suspect activity, not suspect
files. By taking this high-speed, analytical view of network traffic, you can understand what is
good and what is bad, allowing you to pick out anything that got past the perimeter.
The result is the ability to see more attacks, more quickly, and – importantly – reduce false
positives.
This matters, because security teams spend so much time checking whether something
really is malicious.
73 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide