Signs of Shift to Intel-Driven Cyber Defense

The first two minutes of a cyberattack are crucial: that is when the attacker sets up camp and downloads additional malware to dig in and establish a firm foothold in the victim organization's network. Traditional malware detection technologies typically cannot keep up with that tight a deadline, and network and endpoint security systems are rarely in sync closely enough to catch it that quickly.

It is no wonder that many organizations do not learn they have been breached until months or even years after the fact, as Verizon's new Data Breach Investigations Report shows, with close to 70 percent finding out from a third party that they have been hit. Some security vendors are taking a different tack and making the endpoint, the typical initial target, better able to quickly detect and limit damage such as bot infiltrations, stolen data, or widespread malware infections, given the new reality that attacks today are essentially inevitable.

Kelly Jackson Higgins writes in Dark Reading that the newly announced integration of Bit9's endpoint security software with FireEye's and Palo Alto Networks' threat detection products is the latest example of a shift toward making the endpoint a key piece of the defense. Palo Alto Networks struck a similar deal with Mandiant earlier this year, and in February CounterTack rolled out what it calls a honeypot for the endpoint, for catching and gleaning intelligence from attacks on client machines.

Security experts say security has been a siloed operation for too long, and any interoperation or integration among different vendors' products can help, such as sharing information between the network and endpoint security tools. Not only that, but most large organizations have been focused on putting out fires rather than really understanding what attackers are after.

“If you have these advanced network defense tools and they don’t have their own play on the endpoint, nothing can identify the target,” says Scott Crawford, managing research director, security and risk management, at Enterprise Management Associates. “Why not engage what you have on the endpoint?”

Bit9's new Connector tool for FireEye and Palo Alto Networks was the result of pressure from large customers who run products from all three vendors and wanted better integration among the tools and better intelligence on attack attempts against them.

iHLS – Israel Homeland Security

Attackers have increasingly benefited from, and ultimately capitalized on, the way endpoint and network security have traditionally operated separately. "The reality is that we have gotten to the point where both network-based defense and endpoint defense need to evolve together. One without the other creates a gap where things can sneak through," says Wade Williamson, senior security analyst with Palo Alto Networks. "If you have perfect visibility into the network, you still need to correlate with what is going on at the endpoint."
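Williamson's point, that network visibility still has to be correlated with endpoint activity, comes down to a join between two telemetry streams. The following is an added example written for this page; it is not code from the article, from Dark Reading, or from Palo Alto Networks, Bit9, FireEye or CounterTack, and the event shapes, host names, hashes and timestamps are all assumed. It joins a network sandbox verdict (file hash plus destination host) to endpoint process-start events for the same hash on the same host within the 120-second window the article cites, and separately lists flagged downloads that were never executed:

```python
"""Correlate network sandbox verdicts with endpoint process-start events.

Added illustration, not any vendor's integration. The event classes are an
assumed schema chosen for the example, not a real product format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The "first 120 seconds" cited in the article is used as the join window.
WINDOW = timedelta(seconds=120)


@dataclass(frozen=True)
class NetworkVerdict:
    """Assumed network-sensor event: a sandbox verdict on a file that was
    observed being downloaded to dst_host."""
    ts: datetime
    dst_host: str
    sha256: str
    verdict: str  # "malicious" or "benign"


@dataclass(frozen=True)
class EndpointExec:
    """Assumed endpoint-agent event: a process start on host."""
    ts: datetime
    host: str
    user: str
    image: str
    sha256: str


@dataclass(frozen=True)
class CorrelatedAlert:
    host: str
    user: str
    image: str
    sha256: str
    seconds_to_execution: float


def correlate(verdicts, execs, window=WINDOW):
    """Join malicious network verdicts to endpoint executions of the same
    hash on the same host, keeping only executions that occur at or after
    the verdict and within `window`. Each execution matches at most once."""
    malicious = {}
    for v in verdicts:
        if v.verdict == "malicious":
            malicious.setdefault((v.dst_host, v.sha256), []).append(v.ts)

    alerts = []
    for e in sorted(execs, key=lambda x: x.ts):
        for vts in malicious.get((e.host, e.sha256), ()):
            delta = e.ts - vts
            if timedelta(0) <= delta <= window:
                alerts.append(CorrelatedAlert(e.host, e.user, e.image,
                                              e.sha256, delta.total_seconds()))
                break
    return alerts


def unexecuted_verdicts(verdicts, alerts):
    """Malicious downloads with no matching execution: the network layer
    alone can say a host received the file, not that it became a foothold,
    so these are triage items rather than confirmed incidents."""
    seen = {(a.host, a.sha256) for a in alerts}
    return {(v.dst_host, v.sha256) for v in verdicts
            if v.verdict == "malicious" and (v.dst_host, v.sha256) not in seen}


# Constructed sample telemetry for the example (not real data).
T0 = datetime(2014, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
HASH_A = "a" * 64  # placeholder hash of a download the sandbox flagged
HASH_B = "b" * 64  # placeholder hash of a benign download

VERDICTS = [
    NetworkVerdict(T0, "ws-17", HASH_A, "malicious"),
    NetworkVerdict(T0, "ws-40", HASH_A, "malicious"),
    NetworkVerdict(T0 + timedelta(seconds=5), "ws-22", HASH_B, "benign"),
]
EXECS = [
    EndpointExec(T0 + timedelta(seconds=37), "ws-17", "alice",
                 r"C:\Users\alice\Downloads\invoice.exe", HASH_A),  # in window
    EndpointExec(T0 + timedelta(seconds=10), "ws-22", "bob",
                 r"C:\Users\bob\Downloads\report.exe", HASH_B),     # benign file
    EndpointExec(T0 + timedelta(hours=3), "ws-17", "alice",
                 r"C:\Users\alice\Downloads\invoice.exe", HASH_A),  # outside window
    EndpointExec(T0 + timedelta(seconds=20), "ws-99", "carol",
                 r"C:\Users\carol\Downloads\invoice.exe", HASH_A),  # no verdict for host
]


def demo():
    alerts = correlate(VERDICTS, EXECS)
    for a in alerts:
        print(f"{a.host}: {a.user} ran {a.image} "
              f"{a.seconds_to_execution:.0f}s after the network flagged it")
    return alerts, unexecuted_verdicts(VERDICTS, alerts)


if __name__ == "__main__":
    demo()
```

Of the four constructed executions only the one on ws-17 produces an alert: the ws-22 run is of a file the sandbox called benign, the second ws-17 run is hours outside the window, and ws-99 ran the flagged hash without the network ever having seen it delivered to that host, which is exactly the gap Williamson describes when the two layers are not sharing data. The ws-40 download, flagged but never run, comes back from unexecuted_verdicts as a triage item rather than an incident.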

Meanwhile, large enterprises are gradually shifting from an operational security mode to intelligence-based security. Take insurance giant AIG, which is running a small but soon-to-be-expanded deployment of CounterTack Scout endpoint honeypots in its U.S. data centers. Paul de Graaff, the former global CISO for AIG, says that a year and a half ago the concept of an intelligence model for security was "a foreign concept" and intelligence was all about SIEM.

AIG was looking for better visibility into threats and wanted to employ a more intelligent security architecture. "We came out of the financial crisis, and on the security side we started centralizing and visualizing a lot of the IT infrastructure, and it became apparent there were things happening to AIG and we didn't have as much visibility as we wanted," de Graaff says. "It was not so much targeted stuff – we saw a lot of generic [threats]," he says.

AIG now can analyze a malware sample that hits the endpoint and discern what the attackers are after, de Graaff says. “We make that decision very quickly. We try to fence them in so they can’t exfiltrate,” he says.

The key selling point is that this kind of intelligence helps the company plan its technology investments based on risk, he says. So far, the main threat AIG has found with the CounterTack endpoint honeypot is attackers searching for customer information, he says. But like many other big companies, AIG will eventually be a target of cyberspies as well, he says.

“You can’t stop attackers from getting in. Once they do get in, there are so many things they can do,” says Neal Creighton, CEO at CounterTack. “The attacker does all of the initial beachhead work in the first 120 seconds,” so stopping them within that time frame is ideal for mitigating the damage and preventing theft of data, he says.