Are You Prepared For Advanced Persistent Threats?

The security market has reached a critical inflection point. Costs continue to escalate, complexity is increasing and, critically, the reality of Advanced Persistent Threats (APTs) is undermining legacy anti-threat strategies.

The result is a shift from threat-focused controls to target-focused visibility, and an evolution from prevention towards detection and response. APTs are complex and long-lasting, and typically comprise a large number of small events spread over months. Without an integrated approach that identifies the relationships between those events and the changes they cause, organisations will remain exposed.

Slow Burn

The security threat is changing fast. The recent emergence of APTs, such as Operation Aurora, demonstrates a shift from specific, short-term risk events to subtle, long-term attacks. For those tasked with delivering operational security, APTs change the landscape and make the job significantly tougher.

Unlike traditional malicious attacks, which play out over minutes (days to weeks at most) and leave a demonstrable payload on the system, APTs are far more subtle. There is no single event that indicates compromise; the intrusion is made up of many small activities occurring over a long period, often up to 18 months.

The challenge facing security teams is that many of these small activities will not raise any alert. APTs often involve a degree of social engineering: attackers gather information through phone calls or by looking up web addresses as a starting point, then find creative ways to gain access to systems or use people within the organisation to plant malware components.

These small actions do not stand out from the millions of events occurring on an IT infrastructure every day; they get lost in the crowd. Even if they are noticed, they may be judged low risk compared with traditional security threats. In the era of APTs, these low-key events need to be considered differently. Is there a trend in the activity? Could this action provide a route to other company assets, such as financial information or intellectual property? Is this small event part of a larger scheme?

Unacceptable Risk

With each attack comprising potentially thousands of tiny events and only a small system payload, APTs are extremely difficult to detect with traditional monitoring. Those tools, from log management to intrusion detection, anti-malware and anti-virus, are typically siloed and owned by different people or teams. While this works well enough against traditional threats, the dispersed approach plays into the hands of APT operators: organisations will spot suspicious cross-discipline trends only by chance.

Furthermore, many organisations rely on security solutions that were not designed for the APT risk. Traditional log management tools simply collect and store logs to meet audit requirements, but do not provide the analysis needed to flag possible APTs. Existing SIEM systems offer that analysis, but without the performance and throughput needed to handle the billions of events a day that large organisations generate.

Critically, the time horizon of an APT is fundamentally different from that of a traditional cyber attack. In a standard log management system, a suspicious log event may not recur for hours or even days, so it is highly unlikely that any analyst would connect the two events by hand.

Replacing Luck

So how can organisations overcome this unacceptable reliance on luck? The key is to examine every event across multiple security solutions systematically and automatically. Irrespective of which team owns the system or the data, a robust information security programme now demands a way of correlating events and assessing what they mean together.

Integrating event and change information in context gives organisations visibility across their whole infrastructure. Threat patterns that span several tools can then be recognised as they form, so that organisations can respond quickly and keep their data safe. The latest generation of SIEM tools combines event and change data without compromising on analytics, performance or scalability, giving organisations what they need to respond to threats quickly and maintain continuous compliance.

Because APT activity lasts so long, historical analysis is also essential. Rather than moving data out of the core system after 90 or 120 days, organisations need to retain it for at least a year and retrieve it efficiently, so that long-term analysis can be run with these tools.

Activity can then be measured in a repeatable, policy-based way against known threat patterns, with filters and thresholds used to refine the APT risk assessment. As knowledge of attacker behaviour improves, organisations can add correlation rules and algorithms to improve recognition of known persistent threats, driving the APT risk down further.
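The three preceding points (correlate across siloed tools, retain data long enough, express known patterns as rules) can be shown in a small correlation rule. The following is an added example written for this page, not Tripwire code or any product's rule syntax. It assumes three event sources (an email gateway, a file-integrity monitor, a web proxy and an authentication log, all hypothetical names), a constructed event list standing in for real logs, and a three-stage pattern: a suspicious attachment or file change on a workstation, followed by repeated low-volume connections to one domain spread over weeks, followed by a logon from that workstation to a host it has not used before. The same events are run with a 90-day and a 365-day window to show why the retention period decides whether the chain is ever seen.

```python
"""Cross-source, long-window correlation of low-and-slow activity on one host.

Added example. Source names, event kinds and thresholds are assumptions chosen
for illustration; SAMPLE_EVENTS is constructed, not taken from real logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # the siloed tool that produced the event (assumed names)
    host: str     # the entity the stages are chained on
    kind: str
    detail: str


def parse(raw):
    """raw: iterable of (iso_timestamp, source, host, kind, detail) tuples.
    Returns Event objects sorted by time, which the stage logic relies on."""
    return sorted((Event(datetime.fromisoformat(t), s, h, k, d) for t, s, h, k, d in raw),
                  key=lambda e: e.ts)


# Constructed sample: one workstation (ws-017) shows the full chain over ~4 months,
# a second one (ws-042) is ordinary noise. None of these lines come from real systems.
SAMPLE_EVENTS = parse([
    ("2023-01-10T09:12:00", "email-gw", "ws-017", "attachment_opened", "invoice.doc"),
    ("2023-01-10T09:14:30", "fim",      "ws-017", "file_changed",      "AppData/Roaming/svchost.exe"),
    ("2023-01-12T03:00:05", "proxy",    "ws-017", "http_connect",      "cdn-update-check.example"),
    ("2023-02-19T03:00:07", "proxy",    "ws-017", "http_connect",      "cdn-update-check.example"),
    ("2023-03-25T03:00:04", "proxy",    "ws-017", "http_connect",      "cdn-update-check.example"),
    ("2023-05-02T22:41:00", "auth",     "ws-017", "logon_new_target",  "fileserver-02"),
    ("2023-01-11T10:00:00", "proxy",    "ws-042", "http_connect",      "news.example"),
])


def correlate(events, window_days, min_beacons=3, min_span_days=30):
    """Return {host: finding} for hosts where an initial-access event is followed,
    within window_days, by at least min_beacons connections to one domain spread
    over at least min_span_days, and then by a logon to a never-before-seen host.
    Each stage on its own is low-key; only the chain across sources is flagged."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    findings = {}
    for host, evs in by_host.items():
        for start in (e for e in evs if e.kind in ("attachment_opened", "file_changed")):
            horizon = start.ts + timedelta(days=window_days)
            later = [e for e in evs if start.ts < e.ts <= horizon]   # retention limit in action

            beacons = defaultdict(list)
            for e in later:
                if e.source == "proxy" and e.kind == "http_connect":
                    beacons[e.detail].append(e)

            for domain, hits in beacons.items():
                if len(hits) < min_beacons:
                    continue
                if hits[-1].ts - hits[0].ts < timedelta(days=min_span_days):
                    continue                      # bursty traffic is a different pattern
                established = hits[min_beacons - 1].ts
                lateral = [e for e in later
                           if e.source == "auth" and e.kind == "logon_new_target" and e.ts > established]
                if lateral:
                    findings[host] = {
                        "initial_access": start.detail,
                        "beacon_domain": domain,
                        "beacon_count": len(hits),
                        "lateral_target": lateral[0].detail,
                        "span_days": (lateral[0].ts - start.ts).days,
                    }
                    break
            if host in findings:
                break
    return findings


if __name__ == "__main__":
    for days in (90, 365):
        print(f"retention window {days} days:", correlate(SAMPLE_EVENTS, days) or "nothing correlated")
```

With a 90-day window the three beacons are visible but the later logon falls outside it, so nothing is reported; with a year of retention the same rule returns the full chain for ws-017. In a real deployment the stage predicates would be replaced by the SIEM's own rule language and the "never-before-seen host" condition would be computed from a baseline rather than carried as an event kind, but the shape of the logic, chaining low-risk events by entity across sources over a long window, is what the text is asking for.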

Cost of Breach

Every organisation recognises the cost of a security breach to brand, reputation and customer confidence. That cost rises significantly the longer the breach remains undetected. Underplaying the APT risk adds considerable business risk, and ignoring APTs is inviting trouble.

APTs may be a new form of threat, with their public impact to date limited to a few large organisations. But let us be clear: the security threat landscape is changing. Organisations need to make a fundamental shift from investing in point solutions for specific threats towards a top-down, risk-based approach.

Traditionally, organisations have picked a technology control and then worked out how best to use it to protect data. That approach will not work against APTs. Only by identifying the critical and sensitive data up front, and understanding the risk across the infrastructure, can an organisation determine the control infrastructure best suited to protecting that data.

Underpinning this approach has to be a single, integrated solution that provides visibility across the entire security estate and delivers rapid insight into suspicious patterns across large volumes of events, so that an APT can be identified and contained early.


Dwayne Melançon joined Tripwire in 2000 and leads the company’s Log Management and SIEM business unit. Prior to joining Tripwire, Dwayne was Vice President of Operations for DirectWeb, where he was responsible for product management, logistics, electronic supplier integration, customer support, information systems, infrastructure development, and other business operations. Before DirectWeb, he ran Pan-European Support for Symantec, managed callcenter operations for several of Symantec’s leading product lines, and spearheaded the development of productivity tools and processes. Dwayne is certified on both IT management and audit processes, holding both ITIL and CISA certifications.