Continuous Monitoring –
New Trend in Spotting Advanced Threats and Insider Theft
by Tim Liu, Chief Technology Officer, Hillstone Networks
Every week, yet another company or agency seems to make the news for having data stolen,
either by external attackers or internal thieves. While malware defenses have dramatically
improved in recent years and are good at stopping most amateur or broad-based attacks,
today's advanced threats are written by software professionals who have become adept at
finding targeted ways into even well-guarded networks.
The picture gets even more complicated with the rise of internal threats. In an era of BYOD,
well-meaning employees can inadvertently introduce malicious code into the core of the
network, bypassing perimeter defenses.
Add in disgruntled personnel who actively choose to subvert security controls and it’s no wonder
the old “castle” paradigm of waiting for malicious code to show up, checking its appearance, and
then blocking it at the walls if it looks bad is evolving into a more pervasive and proactive
approach.
At this year’s Gartner Security & Risk Management Summit in early June, Neil MacDonald, VP
and Distinguished Analyst at Gartner, described an emerging trend and best practice for
network security. He advocates that complete protection requires not just blocking and
prevention, but detection and response as well.
To accomplish this, MacDonald recommends a new, more dynamic approach to security that
has Continuous Monitoring and Analytics at its core.
In this model, security systems continuously monitor what is happening within networks,
applications, and even end-user devices. This goes beyond the historic practice of feeding
event logs into SIEM databases and then assembling logic around whatever data happens to be
available.
Rather, it puts more intelligence directly into the security systems themselves so that they can
keep and process state information locally and apply big-data analytics to identify trends and
anomalies.
Unlike simple threshold comparisons, this approach can ferret out information that might not
otherwise be available, in order to drive more accurate insights and actions – what MacDonald
calls “Context-Aware Intelligence.”
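As an added illustration of the contrast the article draws between a simple threshold comparison and locally kept per-user state (example code written for this page, not from Hillstone, Gartner or any product; the users, hourly volumes and thresholds are constructed):

```python
from collections import defaultdict
from math import sqrt

# Constructed sample events: (user, bytes sent outbound in one hour).
# Alice normally moves ~50 KB/hour and then jumps to 400 KB; Bob routinely
# moves ~900 KB/hour. Neither ever crosses the static 1 MB threshold.
EVENTS = [
    ("alice", 50_000), ("alice", 52_000), ("alice", 48_000), ("alice", 51_000),
    ("alice", 49_000), ("alice", 400_000),   # 8x Alice's own norm
    ("bob", 900_000), ("bob", 950_000), ("bob", 880_000), ("bob", 920_000),
    ("bob", 910_000), ("bob", 930_000),      # large, but normal for Bob
]

STATIC_THRESHOLD = 1_000_000  # bytes/hour: the "simple threshold comparison"


class UserBaseline:
    """Running mean and variance for one user (Welford's algorithm), kept as local state."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self):
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def static_alerts(events):
    """Stateless rule: fires only when absolute volume exceeds the global threshold."""
    return [user for user, volume in events if volume > STATIC_THRESHOLD]


def baseline_alerts(events, min_history=5, z_limit=3.0):
    """Stateful rule: flag a value that deviates sharply from that user's own history.
    Returns (user, volume, z_score) tuples; needs min_history samples before judging."""
    state = defaultdict(UserBaseline)
    alerts = []
    for user, volume in events:
        baseline = state[user]
        if baseline.n >= min_history and baseline.stddev() > 0:
            z = (volume - baseline.mean) / baseline.stddev()
            if z > z_limit:
                alerts.append((user, volume, round(z, 1)))
        baseline.update(volume)  # learn from every observation, alerted or not
    return alerts
```

The static rule misses Alice's spike entirely, while the per-user baseline flags it and stays quiet about Bob's equally large but routine traffic.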
This isn’t just theory; a variety of security vendors are now using advanced behavioral analysis
on data gathered from desktops, servers and networks to look for anomalies in user and
application actions.
For example, this approach is now being used in new enterprise firewalls to more effectively
keep “bad stuff” out and “good stuff” in. Machine learning techniques dynamically build and
27 Cyber Warnings E-Magazine – June 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide