12/27/2019
09:00 AM
Defensive Wish List for 2020: Faster Responses to Threats

Security professionals recommend technology to detect attacks that have already infiltrated a network.

As students head home for the holidays, Dan Basile knows they are taking their devices with them, and that worries him. 

The executive director of the security operations center at Texas A&M University System, Basile is responsible for keeping students' systems safe and universities' networks secure. It's not an easy job. "My workload skyrockets at the beginning of the semester, because all the students went home, got infected with everything known to man, and then brought it back onto my network," he says.

For that reason, Basile's wish list is focused on detecting threats already inside the networks — a strategy that he highly recommends for businesses, even if they think they are managing every device connecting to their local networks. Detecting threats between machines inside the network — so-called "East-West" traffic — is crucial to being able to respond to threats quickly, he says.

"Having that East-West visibility is golden because the malware is already in the environment," he says.

As security professionals look to 2020, they have different threat profiles, and therefore different outlooks on which technologies they want. However, the common theme as the New Year approaches is the ability to react to threats quickly.

The plethora of systems that security analysts have to use is one factor that hampers response, says Richard Rushing, chief information security officer for Motorola Mobility. Security operations centers are currently laboring under a lack of integration between systems, and he sees as a top priority platforms that bring all the disparate technologies together at a single workstation.

"We should be able to leverage the various APIs to pull all this content together, allowing the data to stay where it needs to stay — no one should need to be doing a massive data lake," he says. 

Here are some other technologies that made security professionals' wish lists:

The triad for faster response

While TAMUS's Basile aims to stop attacks before they infect the network, as the security director in charge of university networks he understands that it is not always possible. Students and professors want freedom to explore — and with that freedom comes risk.

So Basile is mainly focused on implementing two defensive technologies. Traffic inspection systems such as network traffic-analysis and application firewalls allow companies to detect when attacks are coming from systems inside the network perimeter. Endpoint detection and response (EDR) software allows him to quickly see attacks in progress and take steps to blunt any compromise. 

Because Texas A&M is helping Texas stand up an analysis and response center for the state, both types of technology are on Basile's required list for new municipal and county government offices whose security the center will be overseeing.

"As we are bringing on more counties and cities across Texas, we are requiring an EDR or EPP [endpoint protection platform] for every site," he says. "It gives me a better picture and it lets us respond in real-time to incidents."

Get the "R" right

Companies need to go beyond endpoint detection and response, says Motorola's Rushing. The problem is that the actual "R" in EDR and SOAR (security orchestration, automation and response) platforms today is very basic.

"You need to get to the actual R working," he says. "Generating an e-mail to open up a ticket is not accomplishing what I want it to do. You need to get a better response capability."

As more automation is being used by defenders, Rushing sees security teams moving away from simple playbooks and moving toward automated, yet managed, responses. While the actual logic is basic — "if this, then that," would be enough, he says — getting the automated response technology working would be a boon.

Defending against attacker automation

Yet defenders are not the only ones using automation. Attackers are adding automation and machine-learning techniques to their toolboxes, so companies will need to find ways to stymie their operations.

Bots are one example of a threat that combines the two techniques, and they are becoming a staple for attackers: from credential stuffing to advertising fraud, bots help attackers automate their operations. For that reason, bot management services will become a must-have for any company that has Web-facing applications or services, says Sandy Carielli, a principal researcher with business-intelligence firm Forrester Research.

"Anyone that has a good deal of customer interaction — a static website,  any sort of online store, or if you are relying on advertising traffic — most of the sites on the Internet these days — will need bot management," she says. 

For companies that are paying for traffic — such as advertising or affiliate services — bot-detection products can remove non-human interactions from the mix, saving them money. Customers that use these services will put pressure on their suppliers, and as incentives change, organizations will pay closer attention to metrics of humanness, Carielli says.

"The interesting thing about bot management is the range of stakeholders," she says. "Bots attack e-commerce sites. They are doing ad fraud and credential stuffing."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 

Comments
RyanSepe
User Rank: Ninja
12/30/2019 | 12:41:55 AM
Re: Detecting
Very much agree here. In many cases as businesses, we are hesitant to enact automated response because we are afraid it may block business practice. Which is a valid concern but if testing was more rigorously performed the chance of this becomes nominal.

This is why you will see that IDS is more heavily used when IPS could just as easily be enabled.

I may sound like preaching, but rigorous preliminary testing is the key to automated response. Automated response is the key to being ahead of the adversary.
RyanSepe
User Rank: Ninja
12/30/2019 | 12:38:33 AM
Re: Getting R
Very much the next step above "Next Gen AV". I think theoretically this was the original goal when NGAV was announced but it never hit the expectation of an EDR.
RyanSepe
User Rank: Ninja
12/30/2019 | 12:35:51 AM
Re: Response
Creating a ticket is more of a compliance and security best practice, but in application is not paramount in terms of response. 

It is helpful for logging and back tracking but as for in the moment triage and action I concur, not overly significant. 

That being said, I will always advocate for the creation of a ticket because it is a source of useful information.
RyanSepe
User Rank: Ninja
12/30/2019 | 12:32:53 AM
Re: Bots
Yes, but I would say bots with correlation or an AI element are more helpful. This allows for decisions to be made with a greater degree of scrutiny and expediency than what a person could produce.
RyanSepe
User Rank: Ninja
12/30/2019 | 12:30:46 AM
Re: Good and bad
Very true. They are like anything really. Regardless of how intelligent they may be, it's really more an analysis of the human element that results in how they are used.

Fire can be used to heat homes or cook food, it can also be used to destroy.
Dr.T
User Rank: Ninja
12/29/2019 | 5:33:57 PM
Good and bad
"Bots attack e-commerce sites. They are doing ad fraud and credential stuffing." Bots are just a technology, they can be used for good or bad. It is up to us how to utilize them.
Dr.T
User Rank: Ninja
12/29/2019 | 5:32:09 PM
Bots
"For companies that are paying for traffic such as advertising or affiliate services bot-detection products can remove non-human interactions from the mix." Another good point. Bots can really help where we do not have enough resources. Bots do not need to sleep so they will be very useful in cybersecurity.
Dr.T
User Rank: Ninja
12/29/2019 | 5:29:54 PM
Response
"Generating an e-mail to open up a ticket is not accomplishing what I want it to do. You need to get a better response capability." This is really important. Response cannot be about creating a ticket. What will we do so it does not happen again?
Dr.T
User Rank: Ninja
12/29/2019 | 5:28:12 PM
Getting R
"Endpoint detection and response (EDR) software allows him to quickly see attacks in progress and take steps to blunt any compromise." I agree. Once detected what we do after that is critical and defined the success of it. Response.
Dr.T
User Rank: Ninja
12/29/2019 | 5:26:22 PM
Detecting
"Detecting threats between machines inside the network" Detecting is critical, more is needed on the defending part of it.