Page 224 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Feeling rather confident in your plan, you retire for the evening and look forward to the next day.
Hopefully, the lack of ability to bypass the perimeter security will frustrate the groups outside the wall,
and eventually, they will disperse.
Managed Detection and Response has been the status quo for the cyber security industry for quite some
time now. There was a time, though, when it seemed like MDR was on the way out and Extended
Detection and Response (XDR) would take over because of the ability to paint a clearer picture of what
was going on outside your gates.
Imagine this same process going on for years. The same events get reported over and over again. More
wood and nails are delivered each day. A few individuals try to breach the gates but are deterred by your
defenses. On and on it goes. This is what we call event fatigue, and what we have observed is that
eventually your team gets tired of paying attention to the details. From the outside, the city looks
completely secure and there appears to be no need to worry.
Great. Until one morning, the groups outside are gone. Just like that, they have all disappeared and the
only thing that remains is a wooden horse parked just outside of the gate with a note that reads: “A gift
for you.”
What do you do?
Defending Troy with Dynamic Threat Hunting (DTH)
At this point, we all know the story. The city rejoices and the gift is brought inside where the unsuspecting
city of Troy falls to the adversary.
Wouldn’t it have been nice to know that the local sawmill workers have been working overtime for the
last 10 years, milling more wood than the city needed? Or that the blacksmith spent his extra time crafting
millions of nails and tools?
Wouldn’t it have been great to understand that during the dark of night, there were meetings going on
between people inside the city and the leaders of the external threat groups? Together, they were coming
up with a creative plan to deceive the sentries and evade being noticed?
Not every breach has an inside threat component to it, but sometimes, people, processes, and technology
lend themselves to being an easy target. Like assigning everyone local admin rights to their individual
computer so that when a link is clicked in a phishing email, the attacker now has absolute control over
that machine.
Dynamic Threat Hunting is when you pair the wire-speed of AI and ML with the creative understanding
of human Threat Hunters to provide an intelligent, context-aware, and just-in-time security operation that
not only collects and analyzes the data but actually thinks like attackers and looks beyond the data, alerts,
and events.
To the trained Threat Hunter, a simple daily event can be the key to turning a scouting session into a
deep hunt. Pairing that with the speed of machines processing messages and telemetry about what is