The concept of layers of defenses is as old as human history. Just check out your local prison or castle and you will get the concept: walls within walls and locked doors within locked doors. Cybersecurity really is no different. Traditionally in cybersecurity this has meant two or more layers of firewalls with a DMZ in the middle, or a user authentication step followed by step-up authentication when the previously authenticated user moves to do something particularly sensitive online. These are types of security layers.

Given the increasing sense that what we are doing in the cybersecurity world isn't working, where does that leave us? If you accept that preventive controls will not keep the more sophisticated, motivated, and well-resourced attackers from "attackerville" out, then organizations are left with the need to do better with their monitoring and response oriented controls and practices. If you can't prevent attackers from getting in, you had better be able to detect, investigate, and respond in an efficient and effective manner. But in the face of targeted attacks using custom-built malware, Web shells, RATs, and zero-day exploits, and with high success rates for spear phishing of legitimate user credentials, how detection and investigation are done needs to change. Matching file hashes of previously seen files and rigid SIEM correlation rules will not detect these attacks: a recompiled payload carries a hash nobody has seen before, and a phished credential produces a login that looks entirely legitimate to a rule written around failed authentications.

What are we left with for detection given these realities? What I call behavior-based security analytics. The final layer of an organization's security defense depends directly on the ability of security monitoring systems to detect anomalous or risky behavior of "things": protocols, executables, users, applications, hosts, and domains, to name some of the more obvious "things" for which anomalous behavior can be a good indicator of compromise.
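As an added illustration (this is not code from the original post, and it is not how RSA ASOC works), the script below contrasts the two approaches on a constructed set of endpoint process-start events: a hash lookup against an IOC feed, and a per-host behavioral baseline that flags any user, process, parent/child pair, binary hash, or destination domain the host has never exhibited before. Every host name, user, domain, and hash value is made up for the example, and the hash strings are placeholders rather than real digests.

```python
"""Behavior-based baselining versus hash matching, run over constructed endpoint events.

Added illustrative code, not RSA's or any product's detection logic. All events,
hosts, users, domains and "hash" values below are constructed for the example.
"""
from collections import Counter, defaultdict

FIELDS = ("host", "user", "parent", "process", "domain", "sha256")

# Constructed baseline window (think: the previous week) of process-start events.
# Repeated so that every behaviour in it has been observed many times.
BASELINE_EVENTS = [
    ("ws01", "alice", "explorer.exe", "outlook.exe", "mail.corp.example", "h-outlook"),
    ("ws01", "alice", "explorer.exe", "chrome.exe", "www.example.com", "h-chrome"),
    ("ws01", "alice", "explorer.exe", "chrome.exe", "intranet.corp.example", "h-chrome"),
    ("ws01", "alice", "explorer.exe", "winword.exe", "", "h-word"),
    ("ws01", "alice", "services.exe", "svchost.exe", "update.corp.example", "h-svchost"),
    ("ws02", "bob", "explorer.exe", "chrome.exe", "www.example.com", "h-chrome"),
    ("ws02", "bob", "explorer.exe", "outlook.exe", "mail.corp.example", "h-outlook"),
    ("ws02", "bob", "services.exe", "svchost.exe", "update.corp.example", "h-svchost"),
] * 5

# Constructed detection window: one day of new events.
NEW_EVENTS = [
    # ordinary browsing; matches the baseline in every dimension
    ("ws01", "alice", "explorer.exe", "chrome.exe", "www.example.com", "h-chrome"),
    # spear-phish lure: Word spawns PowerShell, which calls out to a never-seen
    # domain with a freshly built payload whose hash is on no feed
    ("ws01", "alice", "winword.exe", "powershell.exe", "cdn-update.example.net", "h-fresh-001"),
    # commodity malware that the IOC feed already knows about
    ("ws02", "bob", "explorer.exe", "adobeupd.exe", "www.example.com", "h-known-bad"),
    # bob's credentials used on a host bob has never been seen on
    ("ws01", "bob", "services.exe", "svchost.exe", "update.corp.example", "h-svchost"),
]

KNOWN_BAD_HASHES = {"h-known-bad"}  # constructed IOC feed


def as_dict(event):
    return dict(zip(FIELDS, event))


def hash_ioc_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Classic indicator matching: flag only binaries whose hash is on the feed."""
    return [as_dict(e) for e in events if e[5] in bad_hashes]


def build_baseline(events):
    """Per-host counters of the behaviours each 'thing' has exhibited so far."""
    baseline = defaultdict(lambda: defaultdict(Counter))
    for e in map(as_dict, events):
        b = baseline[e["host"]]
        b["user"][e["user"]] += 1
        b["process"][e["process"]] += 1
        b["parent_child"][(e["parent"], e["process"])] += 1
        b["sha256"][e["sha256"]] += 1
        if e["domain"]:
            b["domain"][e["domain"]] += 1
    return baseline


def anomaly_reasons(event, baseline):
    """Return the list of dimensions in which this event departs from the host's baseline."""
    e = as_dict(event)
    b = baseline.get(e["host"])
    if b is None:
        return ["host never seen before"]
    checks = [
        ("user", e["user"], "user has never been seen on this host"),
        ("process", e["process"], "process never run on this host"),
        ("parent_child", (e["parent"], e["process"]), "parent/child pair never seen on this host"),
        ("sha256", e["sha256"], "binary hash never seen on this host"),
    ]
    if e["domain"]:
        checks.append(("domain", e["domain"], "host never contacted this domain"))
    return [text for feature, value, text in checks if b[feature][value] == 0]


def behavior_hits(events, baseline):
    """Events showing at least one never-before-seen behaviour, paired with the reasons."""
    hits = []
    for ev in events:
        reasons = anomaly_reasons(ev, baseline)
        if reasons:
            hits.append((as_dict(ev), reasons))
    return hits


if __name__ == "__main__":
    print("hash IOC hits:")
    for h in hash_ioc_hits(NEW_EVENTS):
        print("  ", h["host"], h["process"], h["sha256"])
    print("behavioral hits:")
    for h, reasons in behavior_hits(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print("  ", h["host"], h["user"], h["parent"], "->", h["process"], "|", "; ".join(reasons))
```

Run stand-alone, the hash lookup reports only the commodity sample already on the feed. The baseline reports that one too, but it also reports the Word-spawns-PowerShell chain calling out to a new domain with a fresh hash, and bob's account appearing on alice's workstation, neither of which any hash could catch. The caveat a practitioner will want: "never seen before" is the crudest possible model, and on a real fleet every software update or new hire produces such events, so a production system scores rarity against peer groups and decays old observations rather than alerting on every first occurrence.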
Security folks often think about monitoring user behavior as a way of defending against malicious insiders, but what I am talking about here is more general: improving our ability to monitor for risky behavior of more than just users, ultimately monitoring every element that makes up an enterprise infrastructure for risky behavior. In future blog entries I will delve deeper into this concept of behavior-based security analytics and how one can accomplish a lot of this today with security solutions such as our RSA ASOC solution.

The post Is Behavior-Based Analytics the Final Layer of our Security Defenses? appeared first on Speaking of Security - The RSA Blog and Podcast.
