The Department of Defense (DoD) recently admitted that when it comes to cybersecurity, our nation’s defenses are broken.
The DoD acknowledged this in its end-of-year memorandum, when it stated, “Less than 0.1 percent of the 30 million known malicious intrusions on DoD networks between September 2014 and June 2015 compromised a cyber system.”
While that may sound respectable, it is not. When there are 30 million malicious intrusions, a hit rate of 0.1 percent still amounts to tens of thousands of successful attacks. And as many government and private sector organizations know, it only takes one successful attack to potentially harm millions of people.
Attackers are constantly raising the bar of sophistication, which means defensive security measures have to outpace the attackers’ own capabilities. Next-level security protections must not only catch threats but also provide the ability to analyze them.
Currently, companies spend more than $5 billion on traditional security measures such as anti-spam. Yet this type of security falls short when it comes to thwarting advanced attacks.
The reason is that advanced hackers do not penetrate an entire security system at once. Rather, they typically find a single weak spot and exploit it to gain access to the network. Occasionally this process involves tricking a legitimate user.
Once inside, the hacker can tunnel into other systems. If they go undetected for long enough, the attacker can successfully breach the systems that contain the most valuable data.
To protect against these types of advanced threats, security professionals must have proactive visibility into what is happening at every endpoint. This enables them to identify “indicators of compromise” (IOCs). Investigating endpoints and triaging all available information makes it possible for security analysts to determine whether their organization has been breached.
A key part of performing any inspection is determining whether an IOC is on an endpoint, and then understanding the behavior of the compromised endpoint. For example, is one endpoint spawning additional files that could be IOCs? Is the endpoint sending encrypted traffic outside the network? Did a detected IOC lead to a security agent being turned off or compromised?
This context is crucial because large networks have a tremendous number of events happening every second. A security product must be able to separate routine events from actual incidents, and identify the true threats within the vast majority of harmless traffic. In the process, security administrators must have visibility into the activity in order to quickly understand exactly what is happening at each endpoint.
Once companies detect a pattern for a threat, they can create custom IOCs that can proactively prevent the hacker’s next round of attacks. It is important that the security analyst be able to control a compromised endpoint before, for example, malware spreads to other endpoints. This also ensures that a hacker making changes and hiding their tracks during an analysis does not taint an investigation of an endpoint.
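The triage questions in the paragraphs above (is a flagged process spawning additional files, is it sending encrypted traffic outside the network, did a detected IOC coincide with the security agent being stopped) and the follow-on step of turning observed artifacts into custom IOCs can be written down as a small rule engine over endpoint telemetry. The script below is an added example and is not code from the original article or from any product it alludes to; the event schema, rule names, agent process name, IOC hashes and the sample events are all constructed for illustration.

```python
"""Toy endpoint triage: evaluate endpoint telemetry against known IOCs and
behavioural rules (dropped files, outbound encrypted traffic, agent tampering).
Added example; the event schema and rule names are assumptions, not a product API."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Known-bad file hashes (constructed placeholder values, not real IOCs).
KNOWN_BAD_HASHES: Set[str] = {"deadbeef" * 8}

# Security agent processes a defender expects to keep running (assumed name).
SECURITY_AGENTS: Set[str] = {"edr-agent.exe"}

# RFC 1918 ranges; anything outside them is treated as "outside the network".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample telemetry, in time order. ws-17 shows a full chain:
# mail client drops a known-bad file, it runs, drops a helper, beacons out
# over TLS and stops the agent. ws-22 is benign browsing for contrast.
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "file_create", "pid": 400, "image": "outlook.exe",
     "path": "C:\\Temp\\invoice.exe", "sha256": "deadbeef" * 8},
    {"host": "ws-17", "type": "process_start", "pid": 410, "ppid": 400,
     "image": "invoice.exe", "sha256": "deadbeef" * 8},
    {"host": "ws-17", "type": "file_create", "pid": 410, "image": "invoice.exe",
     "path": "C:\\Temp\\helper.dll", "sha256": "cafef00d" * 8},
    {"host": "ws-17", "type": "net_connect", "pid": 410, "image": "invoice.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"host": "ws-17", "type": "service_stop", "pid": 410, "image": "invoice.exe",
     "service": "edr-agent.exe"},
    {"host": "ws-22", "type": "net_connect", "pid": 900, "image": "chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events: Iterable[dict]) -> Dict[str, List[dict]]:
    """Walk events in order and return findings per host.

    A process whose hash matches an IOC is 'flagged'; children of a flagged
    process inherit the flag so later file drops and connections are tied back
    to the original indicator."""
    findings: Dict[str, List[dict]] = defaultdict(list)
    flagged: Dict[str, Set[int]] = defaultdict(set)  # host -> pids tied to an IOC
    for ev in events:
        host, pid, kind = ev["host"], ev.get("pid"), ev["type"]
        # 1. Direct IOC match on a file hash, whatever the event type.
        if ev.get("sha256") in KNOWN_BAD_HASHES:
            findings[host].append({"rule": "known_ioc_hash", "severity": "high",
                                   "pid": pid, "detail": ev.get("path") or ev["image"]})
            if kind == "process_start":
                flagged[host].add(pid)
        # 2. A child of a flagged process is part of the same chain.
        if kind == "process_start" and ev.get("ppid") in flagged[host]:
            flagged[host].add(pid)
        # 3. Behaviour of flagged processes: new files and outbound TLS.
        if pid in flagged[host]:
            if kind == "file_create":
                findings[host].append({"rule": "flagged_process_dropped_file",
                                       "severity": "medium", "pid": pid,
                                       "detail": ev["path"], "sha256": ev.get("sha256")})
            elif (kind == "net_connect" and ev["dst_port"] == 443
                  and not is_internal(ev["dst_ip"])):
                findings[host].append({"rule": "flagged_process_external_tls",
                                       "severity": "high", "pid": pid,
                                       "detail": f"{ev['dst_ip']}:{ev['dst_port']}"})
        # 4. The security agent being stopped is critical regardless of who did it.
        if kind == "service_stop" and ev["service"] in SECURITY_AGENTS:
            findings[host].append({"rule": "security_agent_stopped", "severity": "critical",
                                   "pid": pid, "detail": ev["service"]})
    return dict(findings)


def candidate_iocs(findings: Dict[str, List[dict]]) -> Set[str]:
    """Hashes of files dropped by flagged processes: candidates for custom IOCs
    that can be pushed to other endpoints before the next wave."""
    return {f["sha256"] for items in findings.values() for f in items
            if f["rule"] == "flagged_process_dropped_file" and f.get("sha256")}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, items in result.items():
        for f in items:
            print(f"{host} [{f['severity']}] {f['rule']}: {f['detail']}")
    print("candidate IOCs:", sorted(candidate_iocs(result)))
```

On the constructed sample, ws-17 yields two hash matches, one dropped file, one external TLS connection and one agent-stop finding, while ws-22's ordinary HTTPS traffic produces nothing; the helper DLL's hash comes back as the one candidate IOC. Real telemetry would carry timestamps and hostnames from the agent, and the internal-range list would come from the organization's own address plan rather than the RFC 1918 defaults assumed here.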
It is somewhat jarring that tens of thousands of hackers are hitting their marks, despite their overall success rates being less than 1 percent. Fortunately, a system that allows security professionals greater agility in their work – from detection to inspection and analysis – means they have the visibility into endpoints that can stop many hackers in their tracks.