<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Charles Kolodgy, Author at Security Current</title>
	<atom:link href="/author/charles-kolodgy/feed/" rel="self" type="application/rss+xml" />
	<link>/author/charles-kolodgy/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 01:21:01 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Charles Kolodgy, Author at Security Current</title>
	<link>/author/charles-kolodgy/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Security as a Proactive Business Tool</title>
		<link>/security-as-a-proactive-business-tool/</link>
					<comments>/security-as-a-proactive-business-tool/#respond</comments>
		
		<dc:creator><![CDATA[Charles Kolodgy]]></dc:creator>
		<pubDate>Fri, 15 Nov 2013 19:33:59 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17151</guid>

					<description><![CDATA[<p>IT security is a complicated issue.  However, the focus on what security can do, can&#8217;t do, and how it is perceived, ordinarily is narrow.  Generally, managers deal with security in&#8230;</p>
<p>The post <a href="/security-as-a-proactive-business-tool/">Security as a Proactive Business Tool</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>IT security is a complicated issue. However, the view of what security can do, what it cannot do, and how it is perceived is usually narrow. Managers generally deal with security in silos: when a threat exists or appears, the manager&#8217;s answer is to deploy a product as a defensive response, or to add a security policy or procedure to mitigate the threat. From an IT perspective this approach works fine for a specific threat, but from a business perspective it may not provide value to the enterprise.</p>
<p>From a business perspective, security is usually considered a cost, with the only benefit being that money, or more likely an intangible asset, is saved by preventing a breach or by meeting a compliance requirement. When it meets compliance requirements, security is still considered a cost, and one you simply try to minimize, as you do insurance, electricity or rent. Security costs should instead be considered a positive for an enterprise: security should enable the enterprise to run a function or service that would not otherwise be possible because of security concerns. There is another way to look at IT security that has not been given much thought in the past. IDC, the market intelligence and advisory provider, suggests that security should be approached as a business benefit to the enterprise in competitive environments.</p>
<p>The point is that security can provide a business with competitive advantages: it allows you to be better than your business competitors. If you and your competitors must meet the same security standard, such as PCI DSS, and your business can do so more efficiently than the competition, you gain a competitive advantage.</p>
<p>Another competitor that an enterprise might not be aware of is the attacker searching for its data. Attackers want to steal your money, your proprietary data, or protected information such as credit card numbers. They are competing for these assets, which you want to protect from disclosure just as you protect your business-specific information. Attackers may also want your resources, secretly using your servers, email systems or storage. Attackers have become competitors to businesses because they are no longer independent hackers working alone; they are business entities motivated by profit. An attacker ecosystem has been established with divisions of labor and many elements that are run as businesses. This &#8220;hacker economy&#8221; has the same goal as every other business: to maximize profits.</p>
<p>IDC believes one reason the attacker ecosystem works is that the security industry perceives hackers by nature as &#8220;bad&#8221; or &#8220;evil.&#8221;  The security industry should move beyond this idea because this concept makes the security challenge much more difficult.  There is no discounting that there are still some people out there who are motivated by malice, but they are becoming rare.  Since many people still think of attackers this way, they are giving them much more power than they deserve.</p>
<p>No matter how many systems you put in place, you are not going to <strong><em>deter</em></strong> evil people.  They are going to continue to assault vulnerable targets and cause havoc.  However, if you think of the attacker as just another businessman (although an immoral one) you can now create a deterrent that is based on risk management, cost-reward and other business concepts.  With an evil hacker, you need to put up as many defenses as possible. In contrast, with a competitive attacker you need to implement best practices with a logical security posture that makes the cost of the attack greater than the value of the results.</p>
<p>When security is considered as a competitive endeavor, it’s possible to make logical proactive decisions, and not just be reactive.  It’s time for enterprises and security professionals to take on this challenge to use security to provide competitive advantages against all types of competitors.  The current economic environment is the perfect opportunity to stop looking for the boogeyman and instead look for a competitor.</p>
]]></content:encoded>
					
					<wfw:commentRss>/security-as-a-proactive-business-tool/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Defending Against Custom Malware: The Rise of STAP</title>
		<link>/defending-against-custom-malware-the-rise-of-stap/</link>
					<comments>/defending-against-custom-malware-the-rise-of-stap/#respond</comments>
		
		<dc:creator><![CDATA[Charles Kolodgy]]></dc:creator>
		<pubDate>Wed, 23 Oct 2013 19:53:38 +0000</pubDate>
				<category><![CDATA[Archived Articles]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=17165</guid>

					<description><![CDATA[<p>How do you defend against something that&#8217;s never been seen before?  That&#8217;s the key question organizations struggle with.  A decade ago, the first victims of any worm or virus outbreak&#8230;</p>
<p>The post <a href="/defending-against-custom-malware-the-rise-of-stap/">Defending Against Custom Malware: The Rise of STAP</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>How do you defend against something that&#8217;s never been seen before? That&#8217;s the key question organizations struggle with. A decade ago, the first victims of any worm or virus outbreak had difficulty defending against a brand-new threat, leaving resources vulnerable until the attack could be detected and signatures created. Today the underlying problem is the same, but the level of difficulty is considerably higher. Attacks used to be massive and indiscriminate, trying to catch anyone who had the vulnerability the malware exploited. Once a new attack was discovered, one set of defenses could be deployed to neutralize it, and organizations that had not yet been exploited received updated signatures that let their perimeter and endpoint defenses thwart the threat.</p>
<p>The environment has evolved from quick smash-and-grab tactics that exploit targets of opportunity to campaigns against targets of choice. Actors such as criminal organizations and nation states are interested in the long haul. They create specialized malware, intended for a specific target or group of targets, with the ultimate goal of becoming embedded in the target&#8217;s infrastructure. These threats are nearly always new and never seen before: targeted, polymorphic, and dynamic. The malware can be delivered via a Web page, a spear-phishing email, or any number of other avenues. The ultimate goal is typically data exfiltration, which lends itself to a low-and-slow approach in which attacks go unnoticed for long periods; in the Shady RAT campaign, intrusions went unnoticed for years. The desktop is typically not the ultimate target of an attack but an entry point from which to escalate privileges and move laterally throughout the organization, all without being detected. By coupling zero-day exploits with previously unseen malware, attackers have an enormous head start against traditional defenses.</p>
<p>While methods vary, these attacks have in common that they are built to avoid detection by mainstream security technologies such as antivirus, firewalls, and content-inspection gateways. Following the emergence of these specialized threats, a new category of security technology aimed at detecting, analyzing, and preventing them has emerged. IDC is defining this market as Specialized Threat Analysis and Protection (STAP). Products within this market must rely predominantly on signature-less technology (e.g., sandboxing, emulation, big-data analytics, containerization) to detect malicious activity. These solutions can sit at the network level, on the endpoint, or both, and inspect both inbound and outbound traffic for anomalies, including botnet and command-and-control traffic. The market also includes products for reverse engineering and forensic analysis of discovered malware.</p>
<p>This new category leverages a variety of techniques to collect information around behavior, communication, activity, reputation, and other factors in order to detect the seemingly undetectable.  Many of the products in this category attempt to solve the same problem (or some aspect of the same problem) by leveraging a different core technology.  IDC puts the products into three general categories:</p>
<ul>
<li><strong>Virtual sandboxing/emulation and behavioral analysis</strong> are increasingly being deployed to detect advanced malware. Since targeted malware is designed to evade signature-based defenses, determining how a file will behave becomes the deciding factor. Suspicious files are sent to a virtual environment (locally or in the cloud) where their activity is observed: whether registry keys are modified, processes are created or altered, or unexpected outbound communication is attempted. Network traffic can also be monitored for anomalous behavior, such as communication with command-and-control servers, or with hosts or network segments that lie outside the bounds of normal activity.</li>
<li><strong>Virtual containerization/isolation</strong> addresses advanced attacks at the endpoint. Solutions that follow this framework essentially forgo trying to prevent malware from breaching the organization and instead work to prevent malicious activity by limiting Internet connectivity or rationing system resources. Applications and tasks are segmented and verified. When malicious activity occurs, the affected segment can be locked down to prevent the malware from spreading or &#8220;phoning home.&#8221; Eventually the malware can be removed from the environment and fully evaluated.</li>
<li><strong>Advanced system scanning</strong> also focuses on the endpoint, but rather than segmenting resources, lightweight agents examine system behavior for signs of malicious activity. This can be done by watching the operating system for registry modifications, questionable processes, or other signs, or by analyzing physical memory directly for malicious code. These solutions are designed to be lightweight so as not to impact performance, and to keep a low profile on the device so that the malware&#8217;s own anti-analysis defenses are not triggered.</li>
</ul>
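<p>As an added illustration (not part of the original article, and not any vendor&#8217;s or IDC&#8217;s code), the following Python script applies the behavioral approach described in the sandboxing and system-scanning bullets above to a constructed sandbox event trace. It consults no file hash or signature at all: it flags autorun persistence through a Run key, a file the sample wrote and then executed, a system-binary name running from outside the Windows directory, and outbound connections to one destination at near-constant intervals, the tell of a command-and-control beacon. The two traces, the rule weights and the verdict threshold are this example&#8217;s own assumptions.</p>

```python
import json
import statistics
from collections import defaultdict

# Constructed sample trace in the shape a sandbox or endpoint agent might emit
# while detonating a downloaded file; "t" is seconds since detonation.
SAMPLE_TRACE = r"""
{"t": 0.1, "type": "process_create", "pid": 100, "image": "C:\\Users\\u\\Downloads\\invoice.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"t": 0.4, "type": "file_write", "pid": 100, "path": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe"}
{"t": 0.6, "type": "registry_set", "pid": 100, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe"}
{"t": 1.0, "type": "process_create", "pid": 101, "image": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "parent_image": "C:\\Users\\u\\Downloads\\invoice.exe"}
{"t": 5.0, "type": "net_connect", "pid": 101, "dst": "203.0.113.7", "dport": 443}
{"t": 65.1, "type": "net_connect", "pid": 101, "dst": "203.0.113.7", "dport": 443}
{"t": 125.0, "type": "net_connect", "pid": 101, "dst": "203.0.113.7", "dport": 443}
{"t": 185.2, "type": "net_connect", "pid": 101, "dst": "203.0.113.7", "dport": 443}
"""

# Constructed benign trace: a document editor saving a file and making one request.
BENIGN_TRACE = r"""
{"t": 0.1, "type": "process_create", "pid": 200, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe"}
{"t": 2.0, "type": "file_write", "pid": 200, "path": "C:\\Users\\u\\Documents\\notes.docx"}
{"t": 3.5, "type": "net_connect", "pid": 200, "dst": "198.51.100.20", "dport": 443}
"""

# Names malware likes to borrow; the genuine binaries live under C:\Windows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
WINDOWS_DIR = "c:\\windows\\"


def parse_trace(text):
    """One JSON event per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_persistence(events):
    """Writes under a Run key survive reboot: classic autorun persistence."""
    return [f"autorun persistence: {e['key']}" for e in events
            if e["type"] == "registry_set" and "\\currentversion\\run\\" in e["key"].lower()]


def find_dropped_and_run(events):
    """A file the sample wrote and then executed (dropper behaviour)."""
    written = {e["path"].lower() for e in events if e["type"] == "file_write"}
    return [f"dropped file executed: {e['image']}" for e in events
            if e["type"] == "process_create" and e["image"].lower() in written]


def find_masquerading(events):
    """A system-binary name running from outside the Windows directory."""
    hits = []
    for e in events:
        if e["type"] == "process_create":
            image = e["image"].lower()
            if image.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not image.startswith(WINDOWS_DIR):
                hits.append(f"system binary name outside Windows dir: {e['image']}")
    return hits


def find_beaconing(events, min_connections=3, max_cv=0.1):
    """Near-constant intervals to one destination: the tell of a C2 check-in.
    max_cv bounds the coefficient of variation of the gaps (0 = perfectly regular)."""
    by_dst = defaultdict(list)
    for e in events:
        if e["type"] == "net_connect":
            by_dst[(e["pid"], e["dst"], e["dport"])].append(e["t"])
    hits = []
    for (pid, dst, dport), times in by_dst.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(f"periodic beacon to {dst}:{dport} every ~{mean:.0f}s from pid {pid}")
    return hits


# Weights and threshold are this example's own choices, not a vendor's or IDC's.
RULES = [(3, find_persistence), (3, find_dropped_and_run),
         (2, find_masquerading), (4, find_beaconing)]


def analyze(events, malicious_at=5):
    """Score each behaviour class once and return the findings with a verdict."""
    findings, score = [], 0
    for weight, rule in RULES:
        hits = rule(events)
        findings.extend(hits)
        score += weight if hits else 0
    verdict = "malicious" if score >= malicious_at else ("suspicious" if score else "clean")
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        result = analyze(parse_trace(trace))
        print(name, result["verdict"], result["score"], *result["findings"], sep="\n  ")
```

<p>Each behaviour class counts once no matter how many events trigger it, so a sample cannot be scored up by looping a single cheap action, and the beacon rule keys on timing regularity rather than on a destination list, which is what lets it fire on infrastructure nobody has seen before. In production the same rules would run against the event stream of a real sandbox or endpoint agent instead of the embedded traces.</p>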
<p>When dealing with advanced malware there is no magic bullet. Solutions must be evaluated in the context of what they actually provide: they need to identify the malware as quickly as possible in order to limit the damage, and their deployment must center on protecting data and critical assets. The safest course is to assume that a breach will occur and to determine how best to limit the damage. As is often the case with security, the best defense is multilayered, and STAP is no different. The best solution combines technologies that prevent malware from entering the network, monitor internal traffic for lateral movement and egress traffic for command-and-control communication and data exfiltration, and provide strong forensics capabilities to facilitate quick remediation. Deploying that full combination would be incredibly expensive, however, so a thorough evaluation of the existing infrastructure is necessary to determine which deployment would protect the largest number of resources and limit the most exposure.</p>
<p>Enterprises must not consider STAP as an immediate replacement for existing security technologies. Rather, STAP should be viewed as an evolution of the layered security, or &#8220;belt-and-suspenders 2.0.&#8221; When used in concert with the existing security infrastructure — IPS, firewalls, anti-virus, Web/email gateways, and endpoint protection suites — STAP can help decrease infection rates by identifying the unknown before it becomes a problem.</p>
]]></content:encoded>
					
					<wfw:commentRss>/defending-against-custom-malware-the-rise-of-stap/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
