THE SMARTS TO MATCH WITS WITH APTs
Intelligent SIEMs give security staff the real-time, enterprise-wide visibility they need to see and combat all types of security threat. APTs are smart, low-level and distributed, so higher intelligence is critical to effective defence. From a single console, an intelligent SIEM lets security personnel see and investigate alerts quickly, anywhere in the network and at any depth. Staff can then run a single query against multiple sets of data, or carry out multi-dimensional analysis to gain full event correlation and contextualisation. As the Manager Information Risk at a Global Investment Group confirmed, the Huntsman® Liveview console is ‘the best tool for finding the proverbial needle in the haystack.’
Behaviour Anomaly Detection (BAD) provides an extra level of intelligence that is particularly effective against APTs. BAD does not rely on pre-defined rules or known signatures; it establishes dynamic baselines of normal system and user activity across the network, operating system and application layers of the whole enterprise, and then monitors for any anomalous or suspicious activity that does not match an established profile.
This means that unusual activity, even when it is low-level, distributed or disguised, can be detected quickly and raised to security staff for investigation. Beaconing, for instance, is detected because it is new and abnormal; similarly, data leaving the network for an unknown destination is unusual, so it is detected regardless of the channel or disguise the APT has chosen. BAD does not watch for particular traffic patterns; it looks for anything out of the ordinary. In this way it detects spikes of traffic from particular assets, or specific protocols sending to IP addresses that are unfamiliar. One caveat applies to any baseline-driven approach: a profile learned while an intrusion is already under way will treat the intruder’s traffic as normal, so baselines need to be validated when first built and re-learned periodically.
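To make the three behaviours described above concrete, here is an added example in Python that is not part of the original page and is not Huntsman’s BAD implementation: it learns per-host baselines (known destinations and outbound volume per hour) from a constructed 24-hour history, then scores a constructed live hour for new destinations, volume spikes and beaconing. Hostnames, addresses, byte counts and the thresholds (z = 3, five contacts, coefficient of variation 0.1) are illustrative assumptions, not values from the page.

```python
"""Toy behaviour-anomaly detector: learn per-host baselines from flow
records, then flag new destinations, volume spikes and beaconing."""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 3600  # size of a volume window in seconds (one hour)


def _hourly(host, dst, offset, nbytes, hours):
    """Constructed helper: one flow per hour from host to dst at a fixed offset."""
    return [(h * WINDOW + offset, host, dst, "tcp", nbytes(h)) for h in range(hours)]


# Constructed 24-hour baseline of ordinary traffic (hostnames and IPs are
# illustrative, not real data). Record shape: (ts, host, dst, proto, bytes_out).
BASELINE_FLOWS = (
    _hourly("ws-17", "10.0.0.5", 120, lambda h: 30_000 + (h % 3) * 1_000, 24)
    + _hourly("ws-17", "203.0.113.10", 1800, lambda h: 20_000, 24)
    + _hourly("db-02", "10.0.0.5", 600, lambda h: 10_000, 24)
)

# Constructed live hour: normal traffic plus a beacon and a bulk transfer.
T0 = 24 * WINDOW
LIVE_FLOWS = (
    [(T0 + 120, "ws-17", "10.0.0.5", "tcp", 30_000),
     (T0 + 1800, "ws-17", "203.0.113.10", "tcp", 20_000),
     (T0 + 600, "db-02", "10.0.0.5", "tcp", 10_000)]
    # beacon: tiny flows to an unknown address every 300 s
    + [(T0 + i * 300, "ws-17", "198.51.100.77", "tcp", 400) for i in range(6)]
    # bulk transfer from a database host to that same unknown address
    + [(T0 + 2000, "db-02", "198.51.100.77", "tcp", 5_000_000)]
)


def build_baseline(flows, window=WINDOW):
    """Learn, per host, the destinations it normally contacts and the
    mean / population std-dev of its outbound bytes per window."""
    dests = defaultdict(set)
    per_window = defaultdict(lambda: defaultdict(int))
    for ts, host, dst, _proto, nbytes in flows:
        dests[host].add(dst)
        per_window[host][ts // window] += nbytes
    volume = {}
    for host, windows in per_window.items():
        vals = list(windows.values())
        volume[host] = (mean(vals), pstdev(vals))
    return {"dests": dests, "volume": volume}


def detect(baseline, flows, window=WINDOW, z=3.0, min_beacons=5, max_cv=0.1):
    """Return alerts as (rule, host, detail) tuples. Rules:
    new_destination - host contacts an address absent from its baseline
    volume_spike    - outbound bytes in a window exceed mean + z*sigma
                      (sigma floored at 10% of the mean so a perfectly flat
                      baseline does not alert on every extra byte)
    beaconing       - >= min_beacons contacts to one destination whose
                      inter-arrival times have coefficient of variation <= max_cv
    A host with no baseline at all is treated as anomalous (mean 0)."""
    alerts, flagged = [], set()
    totals = defaultdict(int)        # (host, window id) -> bytes out
    contacts = defaultdict(list)     # (host, dst) -> timestamps in order
    for ts, host, dst, _proto, nbytes in sorted(flows):
        if dst not in baseline["dests"].get(host, set()) and (host, dst) not in flagged:
            flagged.add((host, dst))
            alerts.append(("new_destination", host, dst))
        totals[(host, ts // window)] += nbytes
        contacts[(host, dst)].append(ts)
    for (host, w), total in totals.items():
        mu, sigma = baseline["volume"].get(host, (0.0, 0.0))
        if total > mu + z * max(sigma, 0.1 * mu):
            alerts.append(("volume_spike", host, w))
    for (host, dst), times in contacts.items():
        if len(times) < min_beacons:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            alerts.append(("beaconing", host, dst))
    return alerts


def run():
    """Build the baseline from the constructed history and score the live hour."""
    return detect(build_baseline(BASELINE_FLOWS), LIVE_FLOWS)


if __name__ == "__main__":
    for rule, host, detail in run():
        print(f"{rule:16} {host:6} {detail}")
```

Run stand-alone it reports two new-destination alerts (ws-17 and db-02 both reaching 198.51.100.77), a volume spike for db-02 in window 24, and beaconing from ws-17, while the workstation’s ordinary 50 KB hour stays silent. Note that the beaconing rule on its own would also match any regularly scheduled job, which is why it is most useful in combination with the new-destination rule, as the text above describes.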
In a recent instance, BAD alerted a major bank to data leaving its network for a previously unknown address. None of the other defences – antivirus, IDS or firewall – had raised an alert. Once BAD had done so, closer investigation found a Trojan that had evaded the perimeter defences, installed dummy ports in the firewall and was blinding the firewall team to the traffic passing through it.
COULD YOU BE A TARGET?
APT attacks do not only target high-profile or large organisations. Sony may be both, but few of us had heard of Epsilon or Silverpop before they were attacked. Current targets appear to be organisations with large customer databases. While credit card details are still sought for obvious financial gain, email addresses may have more appeal because they provide the raw material for large-scale spear-phishing campaigns, which can have far higher rewards.
Of course, APTs are still being used for e-espionage, both industrial and commercial, and your company could be an attractive target. To find out how attractive, it is worth asking some questions. Does your organisation:
• Handle or manage sensitive data?
• Have large databases with customer details?
• Control or manage high value assets or natural resources?
• Create or possess valuable intellectual property?
• Sign significant international deals?
In short, if your organisation owns information of commercial value to others, has found new sources of oil or gas, or designs products that are the envy of your competitors, ‘then you will need to raise your game above traditional best industry practice levels to resist these attacks. These are persistent attacks, which are coming your way, and they won’t stop.’