Hackers are winning the battle against today's enterprise security teams. In the year since Target suffered a record-breaking data breach, it has become clear that the lessons learned from that attack have not been widely applied. At the time of writing, 636 confirmed data breaches have occurred in 2014, a 27% increase over the same period last year, with high-profile victims such as Home Depot, eBay, JPMorgan Chase, Dairy Queen, Goodwill and many others.
Why do the hackers keep winning and what can we do to stop them? It starts with rethinking the way we manage cybersecurity. Here are three ways that enterprise security teams can reverse the dynamic favoring hackers to stay one step ahead.
Assume the attacker is already inside the network
The attack surface as it exists today is not at the perimeter, but within the IT environment. Hackers used authorized credentials to plant credit card-stealing malware on many of Target's point-of-sale (POS) systems. In fact, according to the 2014 Verizon Data Breach Investigations Report, authorized credentials were used by hackers in 76% of all network intrusions. Once a user's credentials have been compromised, hackers can move laterally through a network without triggering perimeter-based detection software.
Network intrusion is the shortest step in the attack chain, so if enterprise security teams focus only on keeping hackers out, they are going to miss what is going on inside the network. It has become far too easy for hackers to gain credentialed access to enterprise networks. All it takes is one employee falling victim to a social engineering scheme for a hacker to gain a foothold on the network. It's likely the enterprise network has already been compromised (if not, it's just a matter of time), and hackers are merely probing the boundaries and limits of their access while looking for the highest-value target.
Focus on user behavior, rather than malware
A report from PandaLabs found that 30 million new malware threats were created in 2013 – an average of 82,000 every day. There is no way to keep up with malware that is created at this rate and constantly evolving. Firewalls and anti-virus signatures are sufficient to stop common threats, but do nothing to stop an attacker with valid credentials impersonating a user. Instead, IT teams need to stay one step ahead of hackers by monitoring credential use for suspicious activity that indicates stolen credentials or a malicious insider.
This can be done by first establishing a baseline of normal user behavior, which makes anomalies easier to identify. Does James in accounting often use the VPN in the middle of the night, from halfway around the world, on a device never seen on the network before, then switch identities and touch systems no one in his peer group has accessed? If not, there's a good chance his credentials have been compromised.
Eliminate the white noise
Security information and event management (SIEM) deployments are designed to alert security teams to potential threats. And they do, for the most part. The problem is that the real alerts are often buried in a haystack of false positives. Target learned this lesson the hard way, when members of the IT security team missed the alerts notifying them of a breach in progress.
Not every alert is a threat, but SIEM systems as they exist today have no way of tracking an attacker using valid credentials across the entire attack chain while also accounting for the possible identity switch. Enterprise security teams need to be able to assign risk scores or other methods of qualifying alerts based on user session activity in order to see a clearer picture of the entire attack lifecycle. When this happens, the incident response team can jump immediately into mitigation, rather than chasing the needle in the haystack.
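As an added illustration (not from this article or from Exabeam's product), the following Python builds the per-user and peer-group baseline from the previous section out of constructed sample sessions, then assigns additive risk points to the anomalies the "James in accounting" scenario lists; the point values, the 07:00–19:00 business-hours window and the alert threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample history (not real data): who logged in, from which country,
# on which device, at what hour, and which hosts the session touched.
HISTORY = [
    {"user": "james", "country": "US", "device": "lt-0142", "hour": 9,  "hosts": {"erp-01"}},
    {"user": "james", "country": "US", "device": "lt-0142", "hour": 14, "hosts": {"erp-01", "fileshare"}},
    {"user": "maria", "country": "US", "device": "lt-0201", "hour": 10, "hosts": {"erp-01", "payroll"}},
    {"user": "maria", "country": "US", "device": "lt-0201", "hour": 16, "hosts": {"fileshare"}},
]
PEER_GROUP = {"james": "accounting", "maria": "accounting"}  # assumed org chart


def build_baseline(history, peer_group):
    """Per-user sets of seen countries, devices and login hours, plus the hosts
    each peer group normally touches."""
    users = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    group_hosts = defaultdict(set)
    for s in history:
        u = users[s["user"]]
        u["countries"].add(s["country"])
        u["devices"].add(s["device"])
        u["hours"].add(s["hour"])
        group_hosts[peer_group.get(s["user"], "")] |= s["hosts"]
    return users, group_hosts


def score_session(session, baseline, peer_group, threshold=50):
    """Add risk points for each deviation from the baseline.
    Returns (score, reasons, alert) so one session carries its whole story."""
    users, group_hosts = baseline
    u = users[session["user"]]
    score, reasons = 0, []
    if session["country"] not in u["countries"]:
        score += 20; reasons.append("new country")
    if session["device"] not in u["devices"]:
        score += 15; reasons.append("unseen device")
    # Assumed business hours are 07:00-19:00; only unusual hours outside them count.
    if session["hour"] not in u["hours"] and not 7 <= session["hour"] <= 19:
        score += 10; reasons.append("off-hours login")
    switched = session.get("switched_to")
    if switched and switched != session["user"]:
        score += 25; reasons.append("identity switch to " + switched)
    unusual = session["hosts"] - group_hosts[peer_group.get(session["user"], "")]
    if unusual:
        score += 10 * len(unusual)
        reasons.append("hosts outside peer group: " + ",".join(sorted(unusual)))
    return score, reasons, score >= threshold
```

A session that trips several of these checks at once scores far higher than any single noisy event, which is what lets the response team rank it above the haystack rather than triage each alert on its own.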
If enterprises want to protect against data breaches, their approach to cybersecurity must change. Focusing on the various points of intrusion is a losing strategy, as evidenced by the hundreds of data breaches that have occurred so far this year. The attack surface today exists at the network layer, and enterprises need to focus on identifying the suspicious use of valid credentials if they expect to win the battle against today's hackers.
- Nir Polak is CEO and co-founder of Exabeam