Adaptive Security & Threat Intelligence Sharing - Current Trends in Threat Defense

ABSTRACT

With a significant increase in the security burden due to developing trends such as IoT and cloud, traditional static security methods are no longer sufficient to effectively prevent or respond to an attack. Security solutions therefore need to continuously evolve in order to adapt and respond to a complex and constantly changing environment. This can be achieved by applying techniques like Deep Learning (AI and machine learning techniques that "learn" from the consequences of past events in order to help predict and identify cybersecurity threats), UEBA (User and Entity Behavior Analytics, the automatic identification of deviations from normal user behavior to uncover previously hard-to-detect threats) and Cyber Threat Intelligence Sharing (sharing threat intelligence and collaborating with peers, vendors and partners using standards like STIX and TAXII). As a consequence of using these, organizations become more proactive about securing confidential information, making the hackers' work more difficult.

INTRODUCTION

Securing the information systems of an organization is an ongoing endeavor that needs to evolve over time in response to trends in the threat landscape. As systems grow in scale and complexity, threat actors are also growing in number, and their means, methods and motivations are evolving. Attack exposure is growing daily with developing trends like the Internet of Things (IoT: a multitude of devices and systems connected and communicating online) and systems transitioning from on-premise to cloud, leading to a significant increase in the security burden. This necessitates a more sophisticated way of dealing with threats.

With this, our traditional security methods, including intrusion detection systems (IDS), intrusion prevention systems (IPS) and firewalls that rely on static methods of examining log files, monitoring checkpoints and responding to alerts, are proving to be an inadequate approach. In order to effectively prevent an attack from occurring and to potentially respond to a breach in milliseconds, security solutions need to continuously evolve by creating a feedback loop of threat visibility, detection and prevention that consistently becomes more effective.

This is pushing organizations to adopt two complementary approaches: Adaptive Security and Cyber Threat Intelligence Sharing.

Adaptive Security: An approach to safeguard systems and data by recognizing threat-related behaviors rather than the files, logs and code used by virus definitions. The essence of the approach is the ability to adapt and respond to a complex and constantly changing environment.

Cyber Threat Intelligence Sharing: Cyber threat intelligence is the intelligence acquired by organizations when threat information is collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information. Data breaches on the current scale are an emergent menace, so the future of security is collaborative and cognitive. Information sharing forms one of the main pillars that will allow organizations to better respond to the general cyber threat.

Emerging Techniques & Approaches:

Deep Learning:

Deep Learning encompasses a number of technologies, such as artificial intelligence and machine learning, that have the ability to "learn" from the consequences of past events in order to help predict and identify cybersecurity threats. According to a report by Webroot, AI is used by approximately 87% of US cybersecurity professionals.

The Machine Learning use cases for security can be divided into two groups:

Supervised Perspective: Problems where machine learning has made a difference. The two main use cases are malware classification (the classification of files) and spam detection. These areas have greatly benefited from deep learning, which has helped drop false-positive rates to very manageable numbers.

Unsupervised Perspective: Problems where machine learning has been tried but will likely never yield usable results, e.g. detecting attacks from network traffic, because of problems like the inability to deterministically label data, the challenges in cleaning data, or understanding the semantics of the data.

In such cases, bringing in context for the data before applying ML algorithms or trying to solve smaller problems rather than a big problem at once may help.

UEBA:

User and Entity Behavior Analytics is the automatic identification of deviations from normal user behavior to uncover risky and previously hard-to-detect threats. By understanding user and entity behavior, potential risks such as shared user credentials, privileged account abuse, and geolocation and remote-access anomalies can be highlighted. Organizations can find unknown threats that hide among the huge volume of security data typical of today's complex IT environments without heavy installation, maintenance or analyst oversight.

When focusing on protecting the digital enterprise from cyber-attacks, there are three critical capabilities every enterprise needs:

· Prevention – to stop the bad guys from getting in

· Detection – to spot the bad guys once they do get in (and they will if they’re determined)

· Response – to take appropriate actions when you find them

In order to detect user-based attacks, enterprises need a system capable of establishing a known baseline of identity characteristics over time and then locating anomalies. That means establishing a baseline of the user’s device, the typical locations they work from and their typical behavior, and determining whether how they are acting is typical or anomalous. If typical, they continue operating normally. If there’s an anomaly, it’s critical to prove that it really is them. The best way to accomplish this is with step-up authentication. With this approach, a threat can be quickly detected and remediated that would otherwise take an analyst huge manual analysis cycles to arrive at, while the added authentication step also avoids acting on false positives.
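The baseline-then-anomaly flow just described, written out as an added illustration (this is not the article's code or any vendor's product): devices, countries and login hours are learned per user from a training window, a deviating login is routed to step-up authentication rather than blocked, and a second check surfaces the shared-credential case mentioned above. All login records and field names are constructed for the example.

```python
"""Added UEBA-style example (not the article's code); all records are constructed.
Learn per-user devices/countries/hours, then send deviating logins to step-up auth."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login history: (user, device_id, country, ISO-8601 timestamp)
TRAINING = [
    ("alice", "laptop-01", "DE", "2024-01-02T08:05:00"),
    ("alice", "laptop-01", "DE", "2024-01-03T08:10:00"),
    ("alice", "phone-07", "DE", "2024-01-03T19:40:00"),
    ("bob", "desk-22", "US", "2024-01-02T14:00:00"),
    ("bob", "desk-22", "US", "2024-01-04T15:30:00"),
]

def build_baseline(events):
    # Per-user sets of every device, country and login hour seen in the window.
    base = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for user, device, country, ts in events:
        base[user]["devices"].add(device)
        base[user]["countries"].add(country)
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def score_login(baseline, user, device, country, ts):
    """Return ('allow' | 'step_up', reasons) for one new login."""
    profile = baseline.get(user)          # .get() does not create a default entry
    if profile is None:
        return "step_up", ["no baseline for user"]
    reasons = []
    if device not in profile["devices"]:
        reasons.append("new device")
    if country not in profile["countries"]:
        reasons.append("new country")
    hour = datetime.fromisoformat(ts).hour
    lo, hi = min(profile["hours"]) - 2, max(profile["hours"]) + 2  # two hours of slack
    if not lo <= hour <= hi:
        reasons.append("unusual hour")
    return ("step_up" if reasons else "allow"), reasons

def shared_credential_suspects(events, window_hours=2):
    """Users seen in two countries within window_hours: a shared-credential signal."""
    by_user = defaultdict(list)
    for user, _device, country, ts in events:
        by_user[user].append((datetime.fromisoformat(ts), country))
    flagged = set()
    for user, logins in by_user.items():
        logins.sort()
        for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
            if c1 != c2 and t2 - t1 <= timedelta(hours=window_hours):
                flagged.add(user)
    return flagged
```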

Threat Intelligence and sharing using STIX & TAXII:

According to the 2015 Verizon Data Breach Investigation Report, 40% of attacks hit a second organization within an hour. Sharing threat intelligence and collaborating with peers, vendors and partners is therefore not optional when protecting the network.

For example, known malicious IPs can be entered into firewalls and blocked, known malicious domains can be blackholed by DNS servers, and known malicious files can be identified by network monitoring tools or included in system management tools that look for specific files or tools. SIEM systems can be configured to accept feeds that identify compromised hosts. The additional threat data from any subsequent investigation can be used to further analyze other systems and then shared with other organizations so the information can be put to use.

Earlier, information was shared in a haphazard way, which made it difficult for organizations to make use of. If intelligence can be meaningfully communicated among organizations – between peers in the security industry, between security products inter-operating with each other, and by leveraging the communities that already exist – securing customer information becomes more effective.

This is where standards like STIX and TAXII help. STIX (Structured Threat Information Expression™) and TAXII (Trusted Automated eXchange of Indicator Information™) are community-supported specifications designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense and complex threat analysis. Together they form a set of specifications for exchanging cyber threat information that helps organizations share it with their partners. STIX and TAXII are emerging standards that enable effective sharing of cyber threat data in automated ways between different products, people and organizations. STIX shines when we look to a future where much more sophisticated intelligence is shared, getting into the techniques and tactics of cyber-attacks.

STIX is paving the way for the ultimate vision: an open threat exchange between organizations and platforms. 
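Putting the two sharing passages together (feeding indicators to firewalls, DNS and file-monitoring tools, and exchanging them in STIX), here is an added example that is neither the article's nor OASIS's code: it reads a STIX 2.1 bundle and routes each indicator's pattern to the control that can consume it. The bundle, its ids, addresses, domain and hash are constructed placeholders, and AND-joined patterns are deliberately left for human review because their parts only mean something when observed together.

```python
"""Added example (not the article's or OASIS code): read a STIX 2.1 bundle and
route its indicators to the controls that can act on them, as described above.
The bundle, ids, addresses, domain and hash below are constructed placeholders."""
import json
import re

def indicator(n, pattern):
    """Minimal STIX 2.1 Indicator SDO with placeholder id and timestamps."""
    ts = "2024-01-05T10:00:00.000Z"
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "created": ts, "modified": ts, "valid_from": ts, "pattern": pattern}

HASH = "0" * 64  # placeholder SHA-256
BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        indicator(1, "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '198.51.100.9']"),
        indicator(2, "[domain-name:value = 'malicious.example']"),
        indicator(3, "[file:hashes.'SHA-256' = '" + HASH + "']"),
        # AND joins observations that must co-occur; its parts must not be blocked singly
        indicator(4, "[ipv4-addr:value = '192.0.2.1' AND network-traffic:dst_port = 4444]"),
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000005", "name": "placeholder"},
    ]})

# Which control consumes which STIX cyber-observable property.
ROUTES = {("ipv4-addr", "value"): "firewall_ips",
          ("domain-name", "value"): "dns_sinkhole",
          ("file", "hashes.'SHA-256'"): "file_hashes"}
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")

def block_lists(bundle_json):
    """Flatten single or OR-joined equality patterns into per-control sets."""
    out = {k: set() for k in ROUTES.values()}
    out["unsupported"] = []          # indicator ids a human should review instead
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue                 # only STIX-pattern indicators are actionable here
        if obj.get("revoked") or " AND " in obj["pattern"]:
            out["unsupported"].append(obj["id"])
            continue
        matched = False
        for otype, prop, value in COMPARISON.findall(obj["pattern"]):
            if (otype, prop) in ROUTES:
                out[ROUTES[(otype, prop)]].add(value)
                matched = True
        if not matched:
            out["unsupported"].append(obj["id"])
    return out
```

In practice the bundle would arrive over a TAXII collection poll rather than an inline string; the routing logic is unchanged.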

As a consequence of applying these, we should see organizations becoming more proactive about securing confidential information. Malicious insiders and hackers will find their work more difficult. Stealing corporate data will take much more time and effort than it did in the past, while the overall chances of being caught will also be higher.
