Nowhere to hide
How cyber-security needs to move from hopeful attempts at outright prevention, to real-time detection and neutralisation.
The recent high-profile credit card fraud suffered by one of South Africa's major banks, which netted hundreds of millions of rand, has once again thrust cyber security into the spotlight.
In the modern digital world, the threat landscape is rapidly escalating, evolving in new and unpredictable ways, and causing companies of all sizes and all industries to re-assess their current security practices.
Anton Jacobsz, MD of Networks Unlimited, a value-adding distributor of converged technology, data centre, networking, and security technology, notes that "we're now firmly immersed in the era of 'total connectivity' – where people, computers and other devices are constantly connected, exchanging data and performing transactions.
"Quite simply, traditional signature-based tools are too static and easy to circumvent when pitted against the increasingly sophisticated attack syndicates seen in cases like the recent bank heist and other major breaches," he explains.
Outright prevention is an impossible goal. The game has shifted to quickly identifying the wide variety of breaches as they enter the network, and swiftly neutralising them.
Intelligence driven security
Jacobsz advises organisations to move towards what RSA Security has coined "intelligence driven security": a set of next-generation capabilities that power real-time threat detection and response, and that make the best use of a firm's security resources (personnel, processes and technologies) against sophisticated attacks.
"Intelligence driven security is about getting visibility into every contour of one's attack surface, monitoring live activity with advanced algorithms that detect anomalies, and activating automated response processes to neutralise attacks."
In a recent whitepaper, RSA defined intelligence driven security across four pillars:
* Network and endpoint monitoring – that is constant and comprehensive, including capabilities such as full-packet capture and behaviour-based threat detection on hosts.
* Advanced analytics techniques – that can sift through massive amounts of information, such as network traffic, in near-real time to spot suspicious behaviours and accelerate investigations.
* Malware analysis – using methods that don't rely on file signatures, but go straight to the actual behaviour of executables, whether collected on the network or endpoints, to detect hostile activity.
* Incident detection and response practices – that align security personnel, processes, and technologies – allowing IT teams to spend less time on routine tasks and more time addressing the riskiest threats.
Guilty until proven innocent
The journey begins with comprehensive network and endpoint monitoring, to capture the streams of forensic data needed to re-create cyber-crime scenes. Jacobsz explains that intelligence driven security systems forgo ineffective signature-based scanning and instead adopt a "guilty until proven innocent" philosophy: trusting nothing and assuming that any program may be hostile.
This X-ray view of every endpoint is followed by automated scanning for suspicious activity, and the results are merged with threat intelligence from external sources to assess threats from a 360-degree perspective.
"Today's custom-crafted attacks can easily overcome traditional threat detection tools, so moving from a passive form of threat detection, to a state of continual 'high-alert' is the only effective security posture," he adds.
Intelligence driven security systems analyse these massive amounts of data traversing the network, scouting for signs of unusual behaviours – from people, applications, infrastructure, and communication. Their horizons extend beyond the traditional, explicit indicators (such as previously identified malware signatures or blacklisted IP addresses and domains).
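To make the contrast concrete, the following is an added illustration, not code from the article, from RSA or from Networks Unlimited. It runs two kinds of check over a constructed connection log (hypothetical hosts, domains and byte counts): an indicator match against a blocklist, which is the kind of explicit "known bad" signature the pillars above say is no longer sufficient, and two behaviour-based checks, one for machine-like periodic connections (beaconing) and one for per-host volume outliers against a historical baseline. The thresholds (`min_count`, `max_cv`, `z`) and the baseline figures are assumptions chosen for the sample; real deployments learn baselines from past traffic.

```python
"""Indicator matching versus behaviour-based detection over a constructed
connection log. Illustrative example only; not production detection logic."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Conn(NamedTuple):
    ts: int         # seconds since start of the capture window
    host: str       # internal source host
    dst: str        # destination name
    bytes_out: int  # bytes sent by the host in this flow


# Constructed sample log (hypothetical hosts and domains, not real traffic).
EVENTS = [
    # ws-17 phones home to an unlisted domain every ~60 s: classic beaconing
    Conn(0, "ws-17", "cdn-update.example", 512),
    Conn(60, "ws-17", "cdn-update.example", 498),
    Conn(121, "ws-17", "cdn-update.example", 530),
    Conn(180, "ws-17", "cdn-update.example", 505),
    Conn(241, "ws-17", "cdn-update.example", 511),
    # ws-02 browses irregularly, then touches one domain that IS on the blocklist
    Conn(5, "ws-02", "news.example", 2_048),
    Conn(17, "ws-02", "news.example", 90_000),
    Conn(95, "ws-02", "news.example", 4_100),
    Conn(140, "ws-02", "news.example", 3_300),
    Conn(300, "ws-02", "news.example", 7_700),
    Conn(410, "ws-02", "known-bad.example", 1_200),
    # db-01 pushes far more data in one flow than it historically does
    Conn(900, "db-01", "files.example", 52_000_000),
]

# Explicit indicator: the kind of "known bad" list signature tools rely on.
BLOCKLIST = {"known-bad.example"}

# Per-host historical baseline of bytes_out per flow: (mean, population stdev).
# Constructed for the example; in practice it is learned from past traffic.
BASELINE = {
    "ws-17": (600.0, 150.0),
    "ws-02": (20_000.0, 30_000.0),
    "db-01": (1_000_000.0, 400_000.0),
}


def indicator_hits(events, blocklist):
    """Signature-style check: flag only destinations already known to be bad."""
    return [e for e in events if e.dst in blocklist]


def beacon_pairs(events, min_count=4, max_cv=0.1):
    """Behaviour-style check: flag (host, dst) pairs contacted at near-constant
    intervals. A coefficient of variation of the inter-arrival gaps at or below
    max_cv means machine-like regularity, whatever the destination's reputation."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.host, e.dst)].append(e.ts)
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append(pair)
    return flagged


def volume_outliers(events, baseline, z=3.0):
    """Behaviour-style check: flag flows whose bytes_out sits more than z
    standard deviations above the host's own historical mean."""
    out = []
    for e in events:
        if e.host not in baseline:
            continue
        mu, sigma = baseline[e.host]
        if sigma > 0 and (e.bytes_out - mu) / sigma > z:
            out.append(e)
    return out


if __name__ == "__main__":
    print("indicator hits:", [(e.host, e.dst) for e in indicator_hits(EVENTS, BLOCKLIST)])
    print("beaconing pairs:", beacon_pairs(EVENTS))
    print("volume outliers:", [(e.host, e.dst, e.bytes_out) for e in volume_outliers(EVENTS, BASELINE)])
```

Run as a script, the blocklist check catches only the ws-02 connection to the listed domain and says nothing about ws-17, whose beaconing destination has no reputation at all; the interval check flags the ws-17 pair purely from its timing, and the volume check flags the db-01 transfer because it is far outside that host's own history. That is the distinction the article draws: the behavioural checks need no prior knowledge of the destination, and each of them will also raise false positives (scheduled software updates beacon too), which is why the fourth pillar pairs them with analyst triage rather than automatic blocking.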
Because data from all networks and endpoints is available through a single management system, one that scales as required on a distributed computing architecture, security teams do not need to toggle between different security tools and applications.