Closing the Breach Detection Gap
The highly publicized targeted attacks carried out recently against some of the world’s largest retailers and banks represent the largest personal information leaks in the history of modern information technology.
How is this still happening despite the massive investment in new threat prevention products available from numerous vendors?
It is now clear that despite decades of development of solutions such as next-generation firewalls and endpoint protection systems, such products are incapable of stopping new advanced threats. Traditional threat prevention systems employ static, “hit-or-miss” detection techniques that have been proven incapable of accurately detecting all known malware, let alone unknown malware or attacks that don’t use malware at all.
While threat prevention systems are necessary for blocking well-known attacks, recent testing of leading next-generation firewalls and malware detection systems by a leading industry analyst demonstrates that these systems generally block only about 95% of known attack vectors and malware, and fare much worse against unknown malware, social engineering and other non-network-based attack techniques. The problem is so challenging and pervasive that Gartner Research recently published a research note titled “Malware is Already Inside Your Organization: Deal With It” (Firstbrook & MacDonald, Feb 2014).
How can an executive team sleep at night, confident that their critical information assets are safe in the face of such an ever growing threat of advanced attack?
LightCyber™ is leading the industry in developing a new category of IT security infrastructure called Active Breach Detection systems, which hunt down the attackers that circumvent your legacy threat prevention systems. Active Breach Detection (ABD) systems dramatically reduce attack dwell time, limiting or eliminating the damage caused by attacks, and increase security operations efficiency with highly accurate, true positive alerts. ABD solutions employ significantly different attack detection methods compared to legacy threat prevention architectures developed for the last 25 years.
Active refers to the need to automatically and continuously pursue attackers that have circumvented your threat prevention infrastructure. As Gartner Research recommends, “…organizations must assume they are compromised, and, therefore, invest in detective capabilities that provide continuous monitoring for patterns and behaviors indicative of malicious intent” (Firstbrook & MacDonald, Feb 2014).
Continuous pursuit is required to find the sophisticated attackers that have circumvented your other security infrastructure; automation is also required, both to scale the work and to eliminate the enormous false-positive triage overhead generated by legacy monitoring technologies, which overwhelms the average security operations team.
The traditional IT security industry has focused overwhelmingly on preventing malware, which has been an unfortunate red herring: a necessary but insufficient condition for protecting networks. ABD systems start from the recognition that malware and attackers have already infiltrated your network, and focus on finding breaches that have circumvented existing perimeter and endpoint security solutions. Successful breaches by committed attackers are now such a certainty that Gartner Research has proclaimed, “Malware is Already Inside Your Organization: Deal With It” (Firstbrook & MacDonald, Feb 2014).
Not only are legacy systems incapable of blocking all malware, they send alerts whenever they detect malware regardless of whether or not the malware has exploited a vulnerable host or been activated by an unsuspecting user. This results in massive volumes of alerts triggered by threat prevention and security information and event management (SIEM) systems. Triaging the huge volume of false positive alerts triggered by malware has overwhelmed the average security organization. It’s time to focus attention on known breaches, not just malware.
ABD systems take a fundamentally different approach to hunting down attackers, one that does not rely on the static, “hit-or-miss” detection capabilities employed by legacy threat prevention systems, including signatures, sandboxes, event correlation and other single-vector detection techniques. Instead of generating a high volume of false-positive alerts on the mere presence of malware, ABD systems apply machine learning techniques to rich data collected from networking and other IT systems to identify actual attack behavior. High detection accuracy ensures efficient and effective security operations, and stops attackers in their tracks.
The LightCyber™ Magna Platform is the industry’s first ABD solution that continuously profiles network traffic (using DPI) and endpoint state, and draws on threat intelligence, to find anomalous behaviors and confirm ongoing attacks. Magna automates the attack detection and validation processes that would typically require an army of security analysts, and employs proprietary Multivariate Adaptive Detection™ to achieve very high attack detection accuracy through advanced machine learning techniques.
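The contrast the two preceding paragraphs draw, between alerting on the mere presence of an indicator and alerting on behavior that departs from a host's own learned baseline, can be shown concretely. The following is an added illustration written for this page; it is not LightCyber's code and does not reproduce Magna or Multivariate Adaptive Detection™. It builds a per-host baseline from five days of constructed connection records, then scores a sixth day with an assumed rule (z-score above 3 and at least three never-before-seen destinations) alongside a plain blocklist check. All hostnames, thresholds and records are constructed for the example.

```python
"""Added illustration: behavioral baselining of connection records versus
alerting on the mere presence of a known-bad indicator.

All data below is constructed for the example; hostnames are placeholders.
"""
from collections import defaultdict
from statistics import mean, pstdev


# Each record: (day, source_host, destination_host, destination_port)
def constructed_baseline():
    """Five days of routine traffic for two workstations (constructed)."""
    records = []
    for day in range(1, 6):
        for src in ("ws01", "ws02"):
            records += [(day, src, "srv-file", 445),
                        (day, src, "srv-mail", 143),
                        (day, src, "srv-dc", 389)]
        if day % 2 == 0:  # ws02 prints every other day
            records.append((day, "ws02", "prn01", 9100))
    return records


def constructed_detection_day():
    """Day 6 (constructed): ws01 suddenly reaches six peer workstations on 445;
    ws02 behaves normally apart from one contact with a blocklisted host."""
    day = 6
    records = [(day, src, dst, port)
               for src in ("ws01", "ws02")
               for dst, port in (("srv-file", 445), ("srv-mail", 143), ("srv-dc", 389))]
    records += [(day, "ws01", f"ws0{n}", 445) for n in range(3, 9)]
    records += [(day, "ws02", "prn01", 9100),
                (day, "ws02", "blocklisted.example", 443)]
    return records


def daily_destinations(records):
    """Map (day, src) -> set of destination hosts contacted that day."""
    per_day = defaultdict(set)
    for day, src, dst, _port in records:
        per_day[(day, src)].add(dst)
    return per_day


def build_baseline(records):
    """Per source: (mean, population stdev) of daily distinct-destination counts,
    plus the union of destinations ever seen during the baseline window."""
    per_day = daily_destinations(records)
    counts, seen = defaultdict(list), defaultdict(set)
    for (_day, src), dsts in per_day.items():
        counts[src].append(len(dsts))
        seen[src] |= dsts
    stats = {src: (mean(c), pstdev(c)) for src, c in counts.items()}
    return stats, seen


def behavioral_alerts(baseline_records, new_records, z_threshold=3.0, min_new=3):
    """Alert only when a host's fan-out is far outside its own baseline AND
    at least `min_new` of its destinations were never seen before (assumed rule)."""
    stats, seen = build_baseline(baseline_records)
    alerts = {}
    for (_day, src), dsts in daily_destinations(new_records).items():
        mu, sigma = stats.get(src, (0.0, 0.0))
        sigma = max(sigma, 0.5)  # floor: a constant baseline must not yield an infinite z
        z = (len(dsts) - mu) / sigma
        new = dsts - seen.get(src, set())
        if z > z_threshold and len(new) >= min_new:
            alerts[src] = {"z": round(z, 2), "new_destinations": sorted(new)}
    return alerts


def signature_alerts(records, blocklist):
    """Indicator-presence alerting: any contact with a blocklisted host fires."""
    return {src for _day, src, dst, _port in records if dst in blocklist}


if __name__ == "__main__":
    base, today = constructed_baseline(), constructed_detection_day()
    print("behavioral:", behavioral_alerts(base, today))   # only ws01
    print("signature :", signature_alerts(today, {"blocklisted.example"}))  # only ws02
```

Run stand-alone, the behavioral check raises one alert, for ws01, whose fan-out to six previously unseen peers is far outside its baseline; ws02's single blocklisted contact pushes its z-score just past 3 but introduces only one new destination, so it is left for the blocklist check, which fires on ws02 alone. The stdev floor matters in practice: a host with a perfectly constant baseline would otherwise produce an infinite z-score on any change at all.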
- CISO, A leading communications operator