Fighting the outsider threat

Businesses need a full view of the network, not just what is entering it, but what is going on inside, says John McLoughlin, MD of J2 Software.

It is common sense that the sooner an attack is identified, the faster it can be contained and mitigated, limiting the fallout as much as possible. Businesses need to supplement their traditional security tools and protocols with skilled incident response teams, forensic tools and technologies that provide a full view of the network, not just what is entering the network, but what is going on inside.

In this way, companies will be able to identify if a breach is happening, what impact it has had, and identify ongoing data theft, and other malfeasance.

John McLoughlin, MD of J2 Software, says perimeter defences are no longer doing the job. "Today's threats use multiple vectors and means to achieve their aims, and while traditional security measures such as firewalls, DLP and IPS could possibly pick up part of an attack, they are woefully inadequate weapons in the war against advanced threats."

He says it should be noted although malicious software is used for the initial compromise, once inside a network, a cyber criminal will need legitimate credentials in order to move around the network, looking for the information they are after, and, in turn, exfiltrating that information.

At one time, advanced persistent threats (APTs) employed reverse back doors to access compromised networks remotely. However, these threats could be detected through their generation of consistent and routine network traffic. "Today's threats often include a passive backdoor and are more difficult to detect and protect against."

McLoughlin says dynamic defences are the way forward. "Only dynamic defences can hope to fight dynamic attacks. Thorough coverage is needed to fight attacks that happen in multiple stages, across multiple vectors."

The first step, he says, is identifying unusual behaviour on the network. Should anything raise the red flag, a good investigative tool will be able to make a call on whether a breach has occurred or whether it's a false alarm.

"It's not brain surgery," he says. "Organisations cannot fight against threats they cannot see. A solution that offers network visibility, covering all network communications, is needed to augment traditional security systems."

Anomalous behaviour must be detected, and a thorough audit trail of activity on the network must be kept, he explains. In addition, having some security intelligence in place, so that potential threats don't take days, or heaven forbid even longer, to analyse. "Make sure your security staff members have the right skills, and are able to examine threats, and make the right call. All incident responders should be able to properly investigate all attacks, and put together a comprehensive mitigation solution."

He adds cognitive and behavioural biometric controls that monitor how staff act inside an application will provide continuous authentication. "Techniques such as sandboxing, virtualisation and similar, will also help keep a businesses' most sensitive information separate from the main network. A determined attacker will find a way in, that is a given. This can take a matter of minutes, or the attack can involve weeks of planning, and preparation. APTs are highly targeted and sophisticated, and far more difficult to prevent than a garden variety malware attack."

A thorough, unified defence, that can not only detect anomalous behaviour, but analyse it, mitigate against it and limit the damage, is the best approach, he concludes.