There isn't a security professional on the planet who thinks defending against cyber-criminals, nation-state attackers and other hackers is getting easier. The tools available to attackers are easier to access through online marketplaces on the dark web, and corporate networks are increasingly interconnected and rely on third parties through cloud services.
As the network perimeter dissolves and new attack vectors appear, being able to protect, defend and respond to attacks is becoming more complex and requires a change from the traditional block and defend posture to a more proactive approach.
While the proliferation of end-points and external services we use has made our systems more complex, it has also delivered an opportunity. We can now collect data about what's happening from more sources, giving us the potential to learn more about the threats we are facing and how bad actors work.
This is critical. In the past, the first sign of an attack came when something went wrong. For example, if we look at a relatively common ransomware attack, the first sign of something untoward was a user reporting their system had been compromised – or a request to the help desk to help set up a Bitcoin account so the user can send the ransom to the attacker and unlock the infected computer.
But such an attack is prefaced by a series of other events. If those events can be captured, from the moment the threat is received through to the moment before it is executed, then it becomes possible to stop the attack from causing damage.
That time from infiltration to execution is the dwell time. Attackers have learned to be patient, often waiting months from when they first breach a perimeter until they execute a malicious action. In the recently reported attack on Asus' update servers, the attackers stayed quiet for more than six months before detection.
How do we detect stealthy and intelligent attackers?
There are three key elements.
You need a lot of data. That helps establish a baseline of activity that can be considered "normal" and makes it possible to detect anomalies that could indicate some sort of compromise.
An example of normal behaviour could be an accounts receivable team member logging into the network and the accounts system between 8am and 9am each morning. They work from home once or twice a week and occasionally, during peak periods, work on the weekend.
When the same user account logs in at 4:00am from Kazakhstan and tries to access the HR system, that could be an indicator of a compromised account. Multiply that scenario across an entire workforce that may be distributed globally and the challenge of understanding "normal" becomes significant.
You need data science expertise to create models from that data. Humans are good at spotting unusual patterns, but once the volume and velocity of data from hundreds, or even thousands, of end-points is aggregated, specific expertise is needed to process the data and build artificial intelligence (AI) models.
Finally, all that data and those models need significant computing power. Once a threat is detected, it is essential to move quickly to limit the damage and mitigate the risk of further attacks. That requires even more computing power.
We are at a tipping point where security information and event management (SIEM) systems are no longer enough. Although they do a good job of collecting log data from multiple sources, that data is only valuable if it can be used. That takes AI and computing power with algorithms created by data science experts.
The ability to collect that data, use it to automatically detect anomalies and react without waiting for human intervention is critical. It means you can channel your limited human resources to more challenging problems rather than to threats that have known patterns of behaviour and understood response actions.
Detection and reaction need to be part of the network design. AI systems need to learn as they work and focus on real malicious activity rather than false positives, without imposing operational and system overheads that impede business operations.
Very few businesses have the expertise to do this themselves. This means finding an integrated solution from a trusted partner that will work with your internal security and technology teams to determine where the real risks lie and focus on developing a solution that mitigates those risks without throwing up the distraction of false positives.
So when a local user account is suddenly used at an unexpected time from an unusual location, the system can detect the anomaly, lock the account and alert the appropriate person so it can be followed up before a malicious act can take place.
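The baseline-and-anomaly idea from the accounts receivable scenario above, and the lock-and-alert response just described, as an added illustration in Python (my own code, not Fortinet's or any product's): it learns each user's usual hours, countries and systems from constructed sample logins, scores a new login against that baseline, and only locks the account when more than one signal disagrees, to keep false positives down. The user names, hours, countries and system names are all made up.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login history as (user, hour_utc, country, system); made-up values, not real data.
HISTORY = [
    ("ar.clerk", 8, "AU", "accounts"), ("ar.clerk", 9, "AU", "accounts"), ("ar.clerk", 8, "AU", "vpn"),
    ("ar.clerk", 10, "AU", "accounts"), ("ar.clerk", 9, "AU", "vpn"), ("ar.clerk", 8, "AU", "accounts"),
]

@dataclass
class Baseline:
    hours: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    systems: set = field(default_factory=set)

def build_baselines(events):
    """Learn what 'normal' looks like for each user from past login events."""
    baselines = defaultdict(Baseline)
    for user, hour, country, system in events:
        b = baselines[user]
        b.hours.add(hour)
        b.countries.add(country)
        b.systems.add(system)
    return dict(baselines)

def score_event(baselines, event, hour_slack=2):
    """Return the list of ways a single login deviates from the user's baseline."""
    user, hour, country, system = event
    b = baselines.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    # Hour check wraps around midnight, so 23:00 and 00:00 count as one hour apart.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in b.hours):
        reasons.append(f"unusual hour {hour:02d}:00")
    if country not in b.countries:
        reasons.append(f"unusual country {country}")
    if system not in b.systems:
        reasons.append(f"unusual system {system}")
    return reasons

def respond(baselines, event, min_reasons=2):
    """Lock and alert only when several independent signals agree; a single signal just alerts."""
    reasons = score_event(baselines, event)
    action = ("lock_and_alert" if len(reasons) >= min_reasons
              else "alert" if reasons else "none")
    return {"user": event[0], "action": action, "reasons": reasons}
```

The `min_reasons` threshold is the knob that trades missed detections for fewer false positives; a real deployment would tune it per user population and feed the outcome back into the baseline.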
Being able to do all this in a way that protects your business requires the right tools, expertise, computing platform and a trusted partner. Fortinet can be that partner.