An integrated approach to the security threat
Integration makes it practical and possible for every security control to leverage the strengths and experiences of the others around it, says Raj Samani
Attackers today use multiple techniques to compromise vital data assets or systems. These targeted, multi-phase attacks consist of a series of steps: reconnaissance, scanning for vulnerabilities, exploitation, and, finally, exfiltration of corporate data. As attacks grow in complexity, precision, and volume, yesterday’s approach to Threat Intelligence (TI) is no longer adequate.
Investigating targeted attacks is no easy task. The dynamic behaviour of the attackers, the greater variety and availability of local and global threat intelligence sources, and the diversity of TI data formats can make the aggregation and digestion of TI into security operations centre (SOC) tools more challenging than ever before. A mixed-vendor environment adds to these challenges.
The case against point solutions
Sharing threat intelligence alone will not necessarily result in sustainable corrective action and prevention. Security analysts can quickly become overwhelmed with too much information. Most security teams are engaged in an exhausting manual process of analysing millions of security events and suspicious files in an effort to piece together a mountain of data and try to reconstruct the targeted attack. Ultimately, this impairs the thoroughness and speed of the response process. With a less-than-complete comprehension of threats, security teams are struggling to contain attacks in a timely manner.
These challenges result from insufficient integration between inspection, intelligence gathering, analytics, and enforcement. Silos of data and point controls complicate operations and increase risk. For example, the data each control generates and the context of each situation are poorly captured and seldom shared. A firewall may block a payload from an untrusted domain because it knows about communications, not malware; the same payload arriving from a trusted domain is permitted. Conversely, anti-malware could block unknown payloads from known bad addresses, if only it were built to look beyond the payload's content, or within it, and take the IP addresses involved into account.
Unintegrated security functions like these keep organisations in a firefighting mode, always reacting and pouring human resources into each breach. Process inefficiency exhausts scarce investigative resources and lengthens the timeline in which data and networks are exposed to determined attackers. These islands of security products, data sets, and operations give sophisticated attackers ample space and white noise in which to enter, hide, and persist.
An integrated approach to threat defence
Integration improves effectiveness: active sharing of data and accelerated cross-control processes make it practical and possible for every security control to leverage the strengths and experiences of the others around it. This is the adaptive threat prevention model, and it is quickly replacing traditional, unintegrated architectures. Rather than treating each malware interaction as a stand-alone event, an adaptive threat prevention model integrates processes and data through an efficient messaging layer. This provides reinforced levels of inspection and analysis informed by expanded forms of intelligence, and connects end-to-end components so that each contact and process generates and consumes as much actionable intelligence as possible.
Protect, detect, correct
The shift to adaptive threat prevention helps overcome the functional fences that shackle detection, response and improved prevention. This transformation requires IT teams to adopt a protect-detect-correct approach. Protection involves enabling users to be more productive while blocking the most pervasive attacks and disrupting never-before-seen techniques and payloads. Detection requires the gathering of local and global security intelligence, integrating an array of behavioural and contextual analytics, and leveraging centralised management for better insight, more effective threat identification and faster investigation. Correction should streamline the threat defence lifecycle by facilitating triage, investigation and remediation, all while learning from security incidents and continually evolving.
By unifying protection, detection and correction with real-time centralised management into an adaptive feedback loop, known as the threat defence lifecycle, security evolves and learns in an iterative cycle that improves over time. This model helps organisations become more effective at blocking threats and identifying compromises, and faster at implementing remediation and countermeasure improvements.
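As an added illustration, not code from the article or from Intel Security, the Python below models the two situations described above: the siloed firewall and anti-malware engine that each act only on their own knowledge, and the same two controls connected through a small publish/subscribe messaging layer so that a block by one becomes context for the other (the protect-detect-correct loop in miniature). Every domain, address, hash and topic name is constructed for the example; the firewall, anti-malware and bus classes are hypothetical toys, not a product's API.

```python
"""Siloed versus integrated controls: a toy firewall and anti-malware engine
that share indicators over a publish/subscribe messaging layer.

Added illustration, not code from the article or any vendor product.
All domains, IP addresses, hashes and topic names are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payload:
    """One inbound file: where it came from and what it is (constructed sample data)."""
    src_ip: str
    domain: str
    sha256: str


class MessageBus:
    """Minimal pub/sub layer: a control publishes an indicator together with the
    context that produced it; every subscribed control receives both."""

    def __init__(self):
        self._subscribers = defaultdict(list)
        self.published = []  # (topic, indicator, context), kept for audit

    def subscribe(self, topic, handler):
        self._subscribers[topic].append(handler)

    def publish(self, topic, indicator, context):
        self.published.append((topic, indicator, context))
        for handler in self._subscribers[topic]:
            handler(indicator, context)


class Firewall:
    """Knows about communications (domains, addresses), nothing about file content."""

    def __init__(self, bus=None):
        self.untrusted_domains = {"bad.example"}  # constructed
        self.blocked_ips = set()
        self.bus = bus
        if bus:  # integrated mode: learn the source addresses anti-malware has seen deliver malware
            bus.subscribe("malware.source", lambda ip, _ctx: self.blocked_ips.add(ip))

    def allows(self, p):
        if p.domain in self.untrusted_domains or p.src_ip in self.blocked_ips:
            if self.bus:  # share the address and the reason so other controls can use it
                self.bus.publish("comms.blocked", p.src_ip,
                                 {"reason": "firewall-block", "domain": p.domain})
            return False
        return True


class AntiMalware:
    """Knows about file content (hashes); in integrated mode it also knows which
    addresses another control has already judged bad."""

    def __init__(self, bus=None):
        self.known_bad_hashes = {"c" * 64}  # constructed
        self.suspect_ips = set()
        self.bus = bus
        if bus:
            bus.subscribe("comms.blocked", lambda ip, _ctx: self.suspect_ips.add(ip))

    def allows(self, p):
        if p.sha256 in self.known_bad_hashes:
            if self.bus:  # correct: tell the firewall where the malware came from
                self.bus.publish("malware.source", p.src_ip,
                                 {"reason": "known-malware", "sha256": p.sha256})
            return False
        # Unknown payload from an address the firewall already blocked: distrust it.
        if self.bus and p.src_ip in self.suspect_ips:
            return False
        return True


def run(payloads, integrated):
    """Pass each payload through firewall then anti-malware; return one verdict per payload."""
    bus = MessageBus() if integrated else None
    fw, av = Firewall(bus), AntiMalware(bus)
    verdicts = []
    for p in payloads:
        if not fw.allows(p):
            verdicts.append("blocked:firewall")
        elif not av.allows(p):
            verdicts.append("blocked:anti-malware")
        else:
            verdicts.append("delivered")
    return verdicts


# Constructed sample traffic (RFC 5737 documentation addresses, placeholder hashes).
SAMPLE = [
    Payload("203.0.113.5", "bad.example", "a" * 64),       # untrusted domain
    Payload("203.0.113.5", "trusted.example", "b" * 64),   # same address, trusted domain, unknown file
    Payload("198.51.100.9", "trusted.example", "c" * 64),  # known malware via a trusted domain
    Payload("198.51.100.9", "trusted.example", "d" * 64),  # unknown file from the address that sent malware
]

if __name__ == "__main__":
    for mode in (False, True):
        print("integrated" if mode else "siloed", run(SAMPLE, integrated=mode))
```

In siloed mode the second and fourth payloads are delivered: the firewall sees a trusted domain and the anti-malware engine sees a hash it has never met. In integrated mode the firewall's block of the first payload tells anti-malware that 203.0.113.5 is bad, so the unknown file it later sends is stopped, and the malware detection on the third payload tells the firewall that 198.51.100.9 delivers malware, so the fourth payload never reaches the scanner. The audit list on the bus is what a SOC would feed into central management to see why each verdict was reached.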
Raj Samani is VP & CTO, EMEA, Intel Security.