While the products and strategies discussed in the first post of this three-part blog series might seem comprehensive when taken as a whole, successful attacks are still common. Security experts point out that certain basic vulnerabilities are still not being addressed.
An IBM white paper titled Stepping Up the Battle Against Advanced Threats raises the notion of the “three lost battles” to explain why successful attacks remain common. The three battles it names are User Education, Patching and Secure Code Development, and Malware Protection.
User Education – Users fall for a variety of ruses with potentially devastating effects. A user who falls for a spear phishing attack, executes a malicious attachment, or visits a legitimate but compromised site can give an attacker access to internal systems. With that internal access, the attacker can study the internal security architecture in detail and craft an attack against the specific vulnerabilities discovered. Many firms are lax about actually educating employees and testing their security awareness.
Patching and Secure Code Development – As the number of endpoints grows exponentially, so does the code base embedded within those endpoints. This creates a huge opportunity for “zero-day” exploits, i.e. exploits that leverage previously undiscovered vulnerabilities in those code bases, and therefore raises the likelihood that existing security measures will fail.
To quote from a recent article at sdxcentral.com, “British Telecom (BT) has deployed security from Cisco in its data centers to combat security threats that, according to the carrier, have increased 1,000 percent in the last 13 months.” In the article, Sam Rastogi, a Cisco senior product marketing manager, asks “Why would security threats increase 1,000 percent? It’s because of the massive growth in Internet-connected devices and the Internet of Things (IoT). There are simply more entry points for threats.”
Malware detection: blacklisting and behavior analysis – Given the exponential growth of code in the endpoints, secure code development by itself is not likely to thwart all zero-day attacks. It is here that predictive methods come into play. For example, look for suspicious patterns, probes, or other activity that suggests an attacker might be trying to determine the code base in a target (remember that much of the code in the target is likely to have an open-source origin), and then limit access to that device or raise an alert to the security administrator.
In fact, all three of the “lost battles” need to be surmounted, and this calls for a quite different product approach from point products targeted at specific phases of the attack. IBM has a buzz phrase for this view: “Actionable Integration of Vulnerability Intelligence”, i.e. protection that spans the entire attack and provides a direct means of applying and enforcing it.
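The “look for probes, then limit access or raise an alert” idea above is easy to state but worth seeing as concrete detection logic. The following is an added example, not code from the post or from IBM: it parses a handful of constructed web-server access-log lines in the common log format and flags a source that, within a short window, requests many distinct paths that do not exist or that exist only to reveal what software a server runs (the path patterns, window length and thresholds are assumptions chosen for illustration). The returned findings carry a recommended defensive action rather than acting on the traffic directly.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (hypothetical; not from the post).
# 203.0.113.7 behaves like a scanner trying to identify the server's code base.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [13/Jan/2016:10:00:03 +0000] "GET /about HTTP/1.1" 200 2210
203.0.113.7 - - [13/Jan/2016:10:01:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 210
203.0.113.7 - - [13/Jan/2016:10:01:01 +0000] "GET /composer.json HTTP/1.1" 404 210
203.0.113.7 - - [13/Jan/2016:10:01:01 +0000] "GET /package.json HTTP/1.1" 404 210
203.0.113.7 - - [13/Jan/2016:10:01:02 +0000] "GET /wp-includes/version.php HTTP/1.1" 404 210
203.0.113.7 - - [13/Jan/2016:10:01:02 +0000] "GET /phpinfo.php HTTP/1.1" 404 210
203.0.113.7 - - [13/Jan/2016:10:01:03 +0000] "GET /server-status HTTP/1.1" 403 210
10.0.0.9 - - [13/Jan/2016:10:02:00 +0000] "GET /missing-page HTTP/1.1" 404 210
"""

# Common log format: source, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed list of paths whose main purpose is to reveal which software (and
# version) a server runs; ordinary users rarely request them.
FINGERPRINT_PATHS = [re.compile(p) for p in (
    r"^/\.git/", r"/(package|composer)\.json$", r"/server-status$",
    r"version\.php$", r"phpinfo\.php$",
)]


def parse_line(line):
    """Return a record dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def detect_probes(log_text, window_seconds=60, distinct_4xx_threshold=5,
                  fingerprint_threshold=2):
    """Group records by source and apply two probe heuristics per source."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        # Rule 1: many distinct paths answered with 4xx inside a sliding window
        # (a scanner guessing at paths, as opposed to one broken link).
        best = 0
        for i, start in enumerate(recs):
            paths = set()
            for r in recs[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                if 400 <= r["status"] < 500:
                    paths.add(r["path"])
            best = max(best, len(paths))
        if best >= distinct_4xx_threshold:
            reasons.append(f"{best} distinct 4xx paths within {window_seconds}s")

        # Rule 2: requests for files that only serve to fingerprint the code base.
        fp_hits = sorted({r["path"] for r in recs
                          if any(p.search(r["path"]) for p in FINGERPRINT_PATHS)})
        if len(fp_hits) >= fingerprint_threshold:
            reasons.append(f"{len(fp_hits)} fingerprinting paths: {', '.join(fp_hits)}")

        if reasons:
            findings[src] = {"reasons": reasons,
                             "action": "rate-limit source and alert administrator"}
    return findings


if __name__ == "__main__":
    for src, f in detect_probes(SAMPLE_LOG).items():
        print(src, f["action"])
        for reason in f["reasons"]:
            print("  -", reason)
```

Both rules are deliberately conservative: a single 404 from a legitimate user never trips the first rule, and the second only fires on several distinct fingerprinting paths, so the findings are suited to automatic rate-limiting with a human review of the alert.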
In conclusion, we’ve seen that there’s a disconnect between how some of the security product industry views the threat landscape, how the threats are actually designed and delivered, and how security experts view the most serious threats. Security breaches are growing at exponential rates and hiring demand for security experts is skyrocketing. A recent web post at The Telegraph (1/13/16) noted that demand for cyber security experts has quadrupled to a record high over the last year following data breaches at TalkTalk, Sony and Ashley Madison. This is not a solvable problem but rather an ongoing, fundamental aspect of cyber existence that will require human and financial resources for the foreseeable future.