Published on May 7th, 2015 | by admin
Moving From Defense to Offense
Good sayings get recycled as the years go by. Often attributed to Carl von Clausewitz, a Prussian general and military theorist, the saying “The best defense is a good offense” has also been credited to Coach Vince Lombardi and boxer Jack Dempsey. Whoever deserves the credit, when it comes to protecting against cyber attacks the saying could not be more timely or appropriate.
The latest addition to the defensive toolkit is cyber insurance: policies written specifically for breaches and loss of customer data. Insurance sounds reassuring, but it only transfers financial risk; it does nothing to repair customer trust or public opinion. For companies that hold no customer information, a policy covering their own data loss may look like the safe bet, yet premiums and deductibles can end up costing as much as recovering from the event itself. Premiums are falling as insurers accumulate claims data from real computer security incidents, but a policy still offers nothing more than a monetary safety net.
Anti-virus software and hardening the network’s entry points are also defensive measures, aimed at known threats. They are well worth their cost and a sound starting point when designing a protective posture. But a purely defensive stance stops only what it already recognizes: it gives no protection against, and no warning of, the unknown.
What does offensive protection look like? It starts with understanding what normal traffic on your network looks like, a highly specialized and in-demand skill. Once normal is known, anything that departs from it stands out. Spotting an anomaly, however quickly, does not by itself mean the network has been breached. It does mean something has changed, and that change needs to be investigated.
When retailer Neiman Marcus was breached, the attackers set off thousands of alerts that went largely unexamined by security staff during the eight months they had access to the network. That is not to say the alerts were ignored on purpose. Without a way to sift through hundreds of thousands of alerts and pick out the high-risk ones, which is close to impossible for any company, you might as well not have alerting at all. Generating alerts is the easy part; it is built into most network hardware and operating systems. The hard part is categorizing them, tying each one to the incident or condition that produced it, and deciding whether any of them threatens the network’s integrity. Straightforward as that sounds, breaches like the Neiman Marcus attack show that it is not.
A truly proactive posture therefore requires not only the ability to manage thousands of alerts a day, but an understanding of the network’s traffic patterns: which ones are normal and which are outliers that warrant further investigation. The sooner an abnormal pattern is recognized, the easier it is to limit or prevent the loss from a breach.
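The two ideas above, a per-host baseline of “normal” egress and a triage step that keeps hundreds of repeated low-value alerts from burying the few that matter, are shown together in the following example. It is added here for illustration and is not code from the original post or from SS8. All host names, addresses, traffic volumes and alert rules are constructed for the example; the baseline is assumed to come from a flow collector that has already aggregated bytes-out per host per hour.

```python
from collections import defaultdict
from statistics import median

# Constructed baseline (not real data): bytes sent out of the network per
# host per hour over the previous seven days, already aggregated by a flow
# collector. Hosts and addresses are made up for the example.
BASELINE = {
    "10.0.1.15": [120_000, 98_000, 143_000, 110_000, 131_000, 102_000, 125_000],
    "10.0.1.22": [45_000, 52_000, 40_000, 48_000, 51_000, 43_000, 47_000],
    "pos-register-07": [8_000, 9_500, 7_200, 8_800, 9_100, 7_900, 8_400],
}

# Constructed egress for the latest hour: pos-register-07 is sending roughly
# thirty times its usual volume, and 10.0.9.240 has never been seen before.
LATEST_HOUR = {
    "10.0.1.15": 135_000,
    "10.0.1.22": 30_000,
    "pos-register-07": 260_000,
    "10.0.9.240": 5_000,
}

# Constructed raw alert stream as a detection stack might emit it:
# (host, rule, severity 1-3). Hundreds of repeated low-severity policy hits on
# ordinary workstations bury the two alerts on the register that matter.
RAW_ALERTS = (
    [("10.0.1.15", "policy:weak-tls-cipher", 1)] * 400
    + [("10.0.1.22", "av:potentially-unwanted-app", 1)] * 250
    + [
        ("pos-register-07", "ids:new-external-destination", 3),
        ("pos-register-07", "ids:transfer-outside-business-hours", 2),
    ]
)


def robust_zscore(value, history):
    """How far value sits above the host's own median, in MAD units.

    Median absolute deviation is used instead of the standard deviation so
    that one earlier spike in the history cannot stretch the baseline enough
    to make the next spike look normal."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # guard: flat history
    return (value - med) / (1.4826 * mad)  # 1.4826 makes MAD comparable to sigma


def egress_anomalies(observations, baseline, threshold=5.0):
    """Return [(host, bytes_out, score)] for hosts whose egress is far above
    their own normal. score is None when the host has no baseline at all."""
    hits = []
    for host, value in sorted(observations.items()):
        history = baseline.get(host)
        if not history:
            # With no history, "normal" is undefined for this host, which is
            # itself worth a look; surface it instead of silently skipping it.
            hits.append((host, value, None))
            continue
        z = robust_zscore(value, history)
        if z > threshold:  # excess egress only; a drop is not a theft signal
            hits.append((host, value, round(z, 1)))
    return hits


def triage(alerts, anomalies, anomaly_weight=10):
    """Collapse the raw stream to one ranked row per host.

    The score rewards breadth (distinct rules) and peak severity rather than
    raw volume, so 400 copies of one policy alert do not outrank two different
    detections on a single host. An egress anomaly on the same host is the
    strongest single signal and gets a fixed boost."""
    per_host = defaultdict(lambda: {"count": 0, "rules": set(), "max_sev": 0})
    for host, rule, sev in alerts:
        row = per_host[host]
        row["count"] += 1
        row["rules"].add(rule)
        row["max_sev"] = max(row["max_sev"], sev)
    anomalous = {host for host, _, _ in anomalies}
    ranked = []
    for host in set(per_host) | anomalous:
        row = per_host[host]  # creates an empty row for alert-free anomalous hosts
        score = row["max_sev"] + len(row["rules"])
        if host in anomalous:
            score += anomaly_weight
        ranked.append((host, score, row["count"], sorted(row["rules"])))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    hits = egress_anomalies(LATEST_HOUR, BASELINE)
    for host, score, count, rules in triage(RAW_ALERTS, hits):
        print(f"{score:3d}  {host:16s} {count:4d} alerts  {rules}")
```

Run as a script, the 652 raw alerts collapse to four rows, with the point-of-sale register (two distinct detections plus an egress anomaly) at the top and the never-seen host second, while the two workstations that generated almost all of the volume drop to the bottom. The threshold, the anomaly weight and the seven-day window are assumptions chosen for the example; on a real network they would be tuned per host class and the baseline would be far longer.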
When attackers have eight months to roam freely on your network, harvesting your most valuable resources and data, they also have time to cover their tracks and impede any subsequent investigation. The only sure way to limit exposure is to go on the offensive.
SS8 provides the tools needed to thoroughly understand your network and discover threats. SS8’s Communications Insight for Enterprise can track malicious behavior across any timespan. It can show which devices and data have been compromised, and it can associate newly identified threats with historical compromises, including those that have not been activated yet. Once installed, its dashboards and graphical interface let analysts forensically examine sets of communications for patterns, so that attacks can be assessed accurately and remediated quickly.
No tool can guarantee that a network will not be breached, but the right tools in place can vastly limit the exposure. In a climate where attackers harvest tens of millions of customer records from a single breach, can you afford not to go on the offense? Many companies will gamble that it will not happen to them. But, as another saying goes, this one from FBI Director James Comey: There are only two types of companies left … those who’ve been hacked, and those that do not yet know they have been hacked.
As long as criminals can make large profits selling stolen data or harvested credit card numbers, attempts will be made to compromise your network. There is no way to stop them from trying. The only way to curb these attacks is to make them harder to profit from, and to retain the level of detail needed to catch and prosecute offenders afterwards.