This year began with Operation Aurora, an advanced persistent threat (APT), and the reality is that attacks of this kind are undermining legacy anti-threat strategies.
Dwayne Melancon, vice president of log management at Tripwire, claimed that the result of these threats, combined with reduced spending, is a shift from threat-focused controls to target-focused visibility and an evolution from prevention to increased detection and response.
The security threat is changing, fast. The recent emergence of APTs demonstrates the growing shift from specific, short-term risk events to subtle, long-term attacks. For those tasked with delivering operational security, APTs change the landscape and make life significantly tougher.
Unlike traditional attacks, which play out over minutes (days to weeks at most) and leave a demonstrable payload on the system, APTs are far more subtle. There is no single event to indicate compromise; the threat is made up of many small activities spread over a long period of time, often up to 18 months.
The challenge facing security teams is that many of these small activities will not raise any alerts. APTs often include a degree of social engineering: attackers gather information from phone calls or from publicly available web resources as a starting point for finding creative ways into systems, or they use people within the organisation to plant malware components on internal systems.
These small actions will not stand out from the millions of events occurring on an IT infrastructure every day; they get lost in the crowd. Even if they are noticed, they may be judged low risk when compared with traditional security threats, but in the era of the APT these low-key events need to be considered differently.
Is there a trend in activity? Could this action actually provide a route into other company assets, such as financial information or intellectual property? Is this small event part of a larger scheme?
With each attack comprising potentially thousands of tiny events and only a small system payload, it is extremely difficult to detect APTs with traditional monitoring methods. Typically these tools, from log management to intrusion detection, anti-malware and anti-virus, are siloed and owned by different security people or teams. While they work effectively against traditional threats, this dispersed approach plays into the hands of APT operators: organisations will only spot suspicious cross-discipline trends or activity by chance.
Furthermore, many organisations rely on security tools that were never designed for the APT risk. Traditional log management tools simply collect and store logs to meet audit requirements, but fail to provide the intelligence needed to flag possible APTs. Existing SIEM systems, meanwhile, offer intelligence but not the performance and throughput organisations need to process billions of events a day.
Critically, the time horizon of an APT is fundamentally different from that of a traditional cyber attack. With a standard log management system, a suspicious log event may not recur for hours or even days, so it is highly unlikely that any analyst would connect the two.
So how can organisations overcome this unacceptable reliance on luck? The key is to examine every event across multiple security tools, systematically and automatically. Irrespective of system or data ownership, a robust information security programme now demands a way of correlating events and assessing what they mean.
By taking a different approach, which integrates event and change information in context, organisations gain unparalleled visibility across their infrastructure. Sophisticated threat patterns can be recognised instantly, enabling organisations to respond quickly and keep their data safe.
With the latest generation of SIEM tools combining event and change data without compromising on intelligence, performance or scalability, organisations have access to the security capability required to respond to threats quickly and maintain continuous compliance.
Due to the length of APT activity, it is also essential to be able to undertake historical analysis. Rather than moving data out of the core system after 90 or 120 days, organisations need to be able to retain the data for at least a year and retrieve it in an efficient and timely manner to undertake long-term analysis using these new tools.
Activities can be measured in a repeatable, policy-based way against known threats, using dynamic rules and filters to further improve APT risk assessment. As market knowledge improves, organisations can add algorithms and correlation rules to improve recognition of known persistent threats, driving the APT risk down further.
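To make the argument of the preceding paragraphs concrete (events that are individually low-risk across siloed tools, correlated per host over a long window, and the retention period deciding whether the chain is visible at all), here is an added example. It is not code from the article or from Tripwire. The log records are constructed for illustration (host names, users, the `.example` domain and RFC 5737 test addresses are made up), the source labels `auth`, `fim` and `proxy` stand in for whatever tools an organisation actually runs, and the rule thresholds are arbitrary assumptions.

```python
"""Cross-source correlation over a long retention window (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Format: (timestamp, source, host, detail).
# Each record on its own is the kind of thing that gets lost among millions of daily
# events; only the chain on ws-0412, spread over four months, is worth an analyst's time.
SAMPLE_EVENTS = [
    ("2010-01-04T09:12:00", "auth",  "ws-0412",  "vpn login user=jsmith src=203.0.113.7"),
    ("2010-01-05T14:02:00", "fim",   "ws-0412",  "new file C:\\Windows\\System32\\msupd.dll"),
    ("2010-02-20T03:41:00", "proxy", "ws-0412",  "GET http://update-cdn.example/beacon 200"),
    ("2010-03-15T03:40:00", "proxy", "ws-0412",  "GET http://update-cdn.example/beacon 200"),
    ("2010-04-30T02:55:00", "auth",  "ws-0412",  "local admin created user=svc_backup"),
    # Background noise on other hosts (constructed).
    ("2010-01-10T10:00:00", "fim",   "srv-db01", "changed /etc/ssh/sshd_config"),
    ("2010-02-01T11:30:00", "proxy", "ws-0077",  "GET http://news.example/ 200"),
    ("2010-03-05T08:00:00", "auth",  "ws-0077",  "vpn login user=alee src=198.51.100.9"),
]


def parse_events(raw):
    """Normalise raw tuples into dicts with a datetime so every source shares one timeline."""
    return [
        {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
         "source": source, "host": host, "detail": detail}
        for ts, source, host, detail in raw
    ]


def correlate(events, now, retention_days, min_sources=3):
    """Group retained events by host and flag hosts seen by at least min_sources
    distinct tools. The cross-tool chain is the signal; any single event is not.
    Events older than the retention window are treated as aged out of the store.
    Returns {host: summary} for flagged hosts only."""
    cutoff = now - timedelta(days=retention_days)
    by_host = defaultdict(list)
    for ev in events:
        if ev["ts"] >= cutoff:
            by_host[ev["host"]].append(ev)

    flagged = {}
    for host, evs in by_host.items():
        sources = {e["source"] for e in evs}
        if len(sources) < min_sources:
            continue
        evs.sort(key=lambda e: e["ts"])
        flagged[host] = {
            "sources": sorted(sources),
            "span_days": (evs[-1]["ts"] - evs[0]["ts"]).days,
            "timeline": [(e["ts"].date().isoformat(), e["source"], e["detail"]) for e in evs],
        }
    return flagged


def analyze(retention_days, raw=SAMPLE_EVENTS, now=datetime(2010, 5, 1)):
    """Run the correlation rule against a store that keeps retention_days of history."""
    return correlate(parse_events(raw), now, retention_days)


def retention_comparison():
    """Same rule, same events: a 90-day store versus a 365-day store."""
    return {days: sorted(analyze(days)) for days in (90, 365)}


if __name__ == "__main__":
    for days, hosts in retention_comparison().items():
        print(f"{days}-day retention: flagged {hosts or 'nothing'}")
    for host, info in analyze(365).items():
        print(f"\n{host}: sources={info['sources']} span={info['span_days']} days")
        for line in info["timeline"]:
            print("  ", *line)
```

With a 90-day store the January VPN login and the file-integrity change on ws-0412 have already been aged out, so the host is seen by only two tools and nothing fires; with a year of history all three sources line up and the host is flagged with its full timeline. The rule itself is deliberately simple (distinct sources per host); a real deployment would add ordering constraints, weighting by asset criticality and rules for the specific tradecraft it expects to see.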
Cost of breach
Every organisation recognises the cost of a security breach to brand, reputation and customer confidence. But that cost increases significantly the longer the breach remains undetected. Underplaying the APT risk adds considerable business risk and ignoring APTs is inviting trouble.
APTs may be a new form of threat, with public impact to date limited to a few large organisations, but let us be clear: the security threat landscape is changing. Organisations need to make a fundamental shift from investing in point security solutions to deal with specific threats towards a top-down, risk-based approach.
Traditionally, organisations have picked a technology control and then worked out how best to use it to protect data. That approach will not work against APTs. It is only by identifying the critical and sensitive data up front, and understanding the risk to it across the infrastructure, that an organisation can determine the control infrastructure best suited to protecting that data.
Underpinning this approach has to be a single, integrated solution that provides visibility across the entire security estate, delivering rapid insight into suspicious patterns across large volumes of events so that an APT can be identified and stopped.