To Thwart Attackers, Measure What Matters

For years the security industry has been focused on measuring the percentage of blocked attacks as a means to demonstrate security effectiveness. And that still holds true. The more threats we block, the fewer we have to deal with inside the network. We must continue to innovate and work diligently to get that number as close to 100 percent as possible. But there's the catch: it will never reach 100 percent.

Even as more effective and sophisticated security defenses emerge to thwart attackers, it has become clear that point solutions have limited impact against well-funded cybercriminals using a combination of more evolved tactics to evade detection.

Exploit kits, ransomware, and advanced malware are just a few examples of these innovative tactics. Angler is one of the exploit kits to watch. It uses multiple attack vectors including Flash, Java, Microsoft Internet Explorer, and Silverlight vulnerabilities to get inside the network, as well as innovative techniques like domain shadowing [discussed in a previous column] to stay below the radar.

Ransomware has become highly lucrative for hackers as they continually release new variants to dodge defenses. Ransomware operations have matured to the point that they are completely automated through the anonymous web network, Tor, and use encryption to evade detection. And to conceal payment transactions from law enforcement, ransoms are paid in cryptocurrencies. Dridex is a quickly mutating campaign that demonstrates a sophisticated understanding of how to evade security measures. By the time a campaign is detected, attackers have already changed the emails' content, user agents, attachments, or referrers. They launch the campaign again, forcing traditional antivirus systems to detect them anew.

The innovation race between attackers and security vendors will continue. And this dynamic creates a significant problem for organizations investing in security products and services while also struggling to deal with a shortage of skilled IT security personnel. They often obtain individual solutions to address security gaps, but that only results in a patchwork of solutions that do not and cannot work together. History has demonstrated that point solutions and weak operations will not stop waves of sophisticated attacks. To get a more realistic assessment of how well we’re doing at thwarting these types of attacks, we need to start focusing on another measurement that is equally, if not more important: time to detection.

Time to detection (TTD) is the window of time between the first observation of a file and the detection that it is a threat. This gap exists because of the tactics cybercriminals use to slip through defenses as 'unknown' files that only later exhibit malicious behavior. Based on various reports, the current industry standard for time to detection is 200 days. That's far too long. By the time a breach is discovered, credit card data, bank account information, credentials, you name it, have been compromised.

To catch these types of threats retrospective capabilities must become part of our defenses. These include the ability to identify malware that has already penetrated the network, see the file’s trajectory across the enterprise, quarantine affected devices, and remediate.
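To make the two ideas above concrete, here is an added example (not code from the column or from any vendor product) that computes TTD per file from two constructed event feeds, file sightings on hosts and later verdict changes, and derives a convicted file's trajectory, the hosts that saw it before it was judged malicious and therefore need quarantine and remediation. The event shapes and hashes are assumptions for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample events (not real telemetry).
# Sightings: (host, file hash, ISO timestamp) - a host observed the file.
SIGHTINGS = [
    ("ws-01", "hashA", "2015-07-01T08:00:00"),
    ("ws-02", "hashA", "2015-07-01T09:30:00"),
    ("ws-07", "hashA", "2015-07-03T11:00:00"),
    ("ws-03", "hashB", "2015-07-02T10:00:00"),
    ("ws-04", "hashC", "2015-07-02T12:00:00"),
]
# Verdicts: (file hash, verdict, ISO timestamp) - an initial "clean" or
# "unknown" verdict may later be reversed retrospectively.
VERDICTS = [
    ("hashA", "malicious", "2015-07-03T14:00:00"),
    ("hashB", "clean", "2015-07-02T10:05:00"),
    ("hashB", "malicious", "2015-07-04T10:00:00"),  # retrospective reversal
    # hashC is never convicted, so its TTD is not yet measurable
]


def first_seen(sightings):
    """Earliest observation per hash: the start of the TTD window."""
    seen = {}
    for _host, h, t in sightings:
        ts = datetime.fromisoformat(t)
        if h not in seen or ts < seen[h]:
            seen[h] = ts
    return seen


def detection_time(verdicts):
    """First 'malicious' verdict per hash: the end of the TTD window."""
    det = {}
    for h, verdict, t in verdicts:
        ts = datetime.fromisoformat(t)
        if verdict == "malicious" and (h not in det or ts < det[h]):
            det[h] = ts
    return det


def time_to_detection(sightings, verdicts):
    """TTD in hours per convicted hash; unconvicted hashes are omitted."""
    fs, det = first_seen(sightings), detection_time(verdicts)
    return {h: (det[h] - fs[h]).total_seconds() / 3600 for h in det if h in fs}


def median_ttd_hours(sightings, verdicts):
    """Fleet-level TTD metric to track over time alongside block rate."""
    ttd = time_to_detection(sightings, verdicts)
    return median(ttd.values()) if ttd else None


def trajectory(sightings, verdicts, h):
    """Hosts that saw hash h on or before its conviction: remediation scope."""
    det = detection_time(verdicts)
    return sorted({host for host, fh, t in sightings
                   if fh == h and datetime.fromisoformat(t) <= det[h]})
```

Hosts that first see a file after conviction should already be covered by the updated front-line policy; the trajectory lists the ones that were exposed while the file was still 'unknown'.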

Retrospective security can only happen with an integrated threat defense that allows multiple security technologies to work together, sharing information to combat multifaceted attacks. An integrated threat defense not only accelerates TTD and response, but also enhances our front line defenses, updating policies as we uncover threats inside the network to eliminate the risk of re-infection.

Of course, stopping attacks in the first place is important. But once we accept the reality that some attacks will get through, security effectiveness must also be measured by how quickly we detect a compromise and stop the attacker from exploiting it.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.