Detection | Prevention | Intelligence
For people paying attention to how the security market is evolving, we are witnessing some fairly dramatic shifts in both technology and the market. For far too long, enterprise network security meant three primary activities: patch management to close known vulnerabilities, firewalls/web proxies/VPNs to keep the bad guys out and the enterprise users in line, and updating signatures on endpoints to determine whether users’ machines were infected with a known threat. What’s satisfying about these approaches is that they can be incorporated into a process and compliance regime, put on daily and monthly checklists, and written into employees’ individual management-based objectives (MBOs). What’s fundamentally unsatisfying about them is that they don’t stop most of the attacks you see against enterprises today.
While patching the OS has become automated and highly efficient, patching enterprise applications such as Java, browsers and Adobe products has become extremely challenging for backwards-compatibility reasons. Most enterprises simply can’t or won’t upgrade their browsers, Java, and Adobe software because older enterprise apps and workflows break with patched and upgraded versions of that software. Unfortunately, these are the very same vulnerabilities exploited in the vast majority of all attacks.
Protecting the network with a perimeter security model is rapidly becoming obsolete with a mobile workforce, distributed offices, and BYOD. In other words, as the perimeter has collapsed onto the user, enforcing security at corporate network perimeters has become increasingly challenging. Finally, signature-based approaches to detecting threats leave security teams days and sometimes months behind the adversary’s moves.
The folks who recognize the failings of the historic approaches to enterprise security mentioned above are beginning to adopt a threat-based model for defending their network and users. A threat-based approach recognizes that not all vulnerabilities can be closed, nor are all of them material. Threat-based security focuses on the intersection between the threats your organization faces and the vulnerabilities it exposes to those threats.
The most significant security gap in terms of intersecting threat and vulnerability today is the user. The user is that fickle wetware on the business end of the keyboard that is prone to clicking on links and opening attachments sent by entities they don’t know. In security, we often focus our efforts on securing things like “the network” while ignoring our largest attack surface, the user, at our own peril. As a result, a single misguided click can compromise not only the user’s machine but also the entire network. Ask an enterprise security professional what the biggest risk to the enterprise is, and he or she will often say, “Stupid Users!”
In reality, all of us are susceptible to a good spear-phish, one that is compelling to our job, interests, and desires. Falling for a spear-phish doesn’t make us stupid, simply human. The conclusion we draw from this is that we need User Protection solutions that protect the user from his or her own actions.
Ask the same security professional what they do about the “Stupid User” problem, and they say “Education through posters and training…” while sighing at the ineffectiveness of these approaches. Bringing awareness of the threats users face makes good sense. Depending on users to make the right decision every time they open an email is folly. We know that strategy doesn’t work.
Integrating Threat Based Security with User Protection
We know that vulnerability-based defenses by themselves are ineffective, and that a threat-based model for defense leads to efficient and intelligent allocation of limited resources. We know that users are the largest and most attacked surface in the enterprise today, and that training, while important, doesn’t go far enough. To address these shortcomings, Invincea announced today that it is combining its User Protection solution, Invincea FreeSpace™, with Threat Analytics from Invincea Management Service (IMS) to give the security team the tools it needs to understand the adversary’s moves while protecting users from their own actions.
Invincea FreeSpace™ is designed to ensure that when your users click on the wrong link, browse to a compromised site, or open a poisoned document, they are protected from these threats. Invincea FreeSpace™ allows users to interact with untrusted content from the web or email by placing an invisible container around your web browser and document editors, so that if a user does mistakenly click on a malicious link or open a poisoned document, he or she is protected from its harmful effects. Further, Invincea FreeSpace™ collects the forensics from each virtual infection and sends them to IMS for further analysis. The threat forensics, including the captured malware, its artifacts and its network behavior, are then compared against threat intelligence databases to understand what is known about the threat, all in moments, not days, weeks or months. With this ever-growing partnership in the threat intelligence community, we are now able to convert our biggest liability (as far as enterprise security goes), our users, into assets that reveal the adversary and his methods in real time.
Left of Boom
The enterprise security teams that have freed themselves from the antiquated security regimes mentioned earlier are creating processes that adapt to the threat and adopting proactive defense technologies, ones that do not require foreknowledge of the threat.
The stated goal for many enterprise security teams today is to reduce the time of unchecked network compromise from weeks and months to days and minutes. Many are now incorporating Mean Time To Intrusion Detection (MTT-ID) and Mean Time To Incident Resolution (MTT-IR) as metrics and goals for the security team. The general trend here is what the military (and intelligence community) calls getting left of boom, in terms of timeline. In military parlance, boom is when the bomb (typically an IED) detonates. Combat medicine is focused on keeping soldiers alive right of boom. Military intelligence — no jokes please — focuses on getting left of boom. Much as an ounce of prevention is worth a pound of cure, getting left of boom means preventing irreparable damage and not making headlines for the wrong reasons.
As an industry, we need to shift our focus from right of boom and triaging damaged systems to left of boom with a threat-driven approach to countering the enemy’s moves before they cause damage. Turning our biggest weakness, users, into an asset that yields intelligence about the adversary in real time puts us on the path to left of boom.
Try Invincea today to relinquish antiquated technologies and obsolete processes and push the adversary back on his heels.