Security researcher Michael Sutton is really concerned. He says most companies haven’t advanced their security strategies to keep pace with today’s threats—especially the most serious advanced persistent threats. He recommends a holistic approach that includes protection, detection and remediation.
Does your security strategy adequately address how to deal with advanced persistent threats (APTs)? Probably not—unless you have diligently kept up with threat trends and new security technologies over the past few years. Thanks to mobile and cloud computing, the traditional defense line at the perimeter is gone, and serious attackers are exploiting new weaknesses that didn’t exist just a few years ago.
I recently spoke with Michael Sutton, vice president of security research for Zscaler, to get his views on dealing with APTs. His company is a security cloud provider that scrutinizes more than 12 billion transactions a day for thousands of enterprises worldwide. That level of activity gives Zscaler some good insight on threat trends and the changing security landscape.
My conversation with Sutton started with his definition of “advanced persistent threat.” According to Sutton, an APT is a very specific kind of attack. “The ‘advanced’ part means the attacker has a full toolkit at his disposal. It’s not just zero-day code. He is going to use known threats and unknown threats, and he will leverage social engineering. He’ll do whatever it takes to get inside a targeted organization,” Sutton says.
“The ‘persistent’ part means the attack is not necessarily measured in hours and days, but could be weeks and even years,” according to Sutton. “And the ‘threat’ portion of the term is really describing that this is not a mindless piece of code. There is a human element behind the threat and it is typically a criminal organization or even a nation-state with plenty of skills, knowledge, resources and financing behind them.”
I asked Sutton if most companies are well prepared to deal with APTs today. In a word, he says no. “As a security researcher, this is where I am really concerned. When we look at the average company, they are doing today what they did five and even 10 years ago. They haven’t really advanced their security protections. Sutton says there are two security staples that have pretty much 100% penetration -- host-based anti-virus and appliance-based URL filtering. That’s going to catch a lot of the obvious stuff but it is absolutely not going to catch the more advanced threats.
He attributes this lack of preparedness for how quickly the IT landscape has changed in recent years. A static environment is a thing of the past. Today we have BYOD, employee mobility and cloud applications. This means that traditional defenses that were built to defend corporate-owned, in-house, on-network devices and data stored on in-house servers are completely missing our style of corporate computing today.
“If you think about mobile devices like smart phones and tablets, we don’t have access to some of the controls we have leveraged before,” says Sutton. “You can’t really put anti-virus on a smart phone because the OS and battery life won’t support it. We see a lot of poorly coded apps that are vulnerable or have privacy issues. Mobile is still pretty immature and has a long way to go to secure itself.”
Sutton says our entire IT ecosystem has changed radically and the attackers have absolutely changed, too. Today’s APT attacks are targeted and stealthy, and they can go undetected for a long time. He says we need to move beyond anti-virus and URL filtering and approach IT security today from the standpoint of protection, detection and remediation.
“Companies spend 90% of their security budget on protection,” he says. “Of course we want to stop the attack, but the unfortunate reality of today’s world is you are going to have infected machines on your network. Zscaler has traffic from thousands of companies flowing through our cloud, and I can tell you that most companies are infected to some degree. Yes, we want to protect and defend against these attacks before they affect us, if at all possible, but we absolutely can’t ignore the detection side or the remediation side. We know we’re going to get some infections and we need to limit that damage as quickly as possible and isolate the problem and do the appropriate remediation steps. Enterprises need to adopt that focus.”
Here, then, are his recommendations on what companies should be doing in each of those three areas.
* Protection. Anti-virus and URL filtering are struggling to keep up with today’s attacks. It’s too easy for an attacker to modify a known threat to make it an unknown threat for enough time to slip past an AV engine or URL filter. For those reasons, we have to be doing full content inspection; we have to treat everything as untrusted. We have to be looking at all portions of our code.
Much of the Web is moving to SSL-only communication for privacy reasons. Sutton says, “If you have a security solution that doesn’t have the ability to sit in-line and be a man in the middle and decrypt that data and inspect it, you are going to miss a huge portion of the Web traffic that could carry attacks.”
We have to move beyond signature-based controls and utilize techniques like sandboxing and behavioral analysis. “That is going to be our best shot at catching a new variant, a new piece of malware or a new technique that we haven’t seen before,” according to Sutton. He says that behavioral analysis is no silver bullet but it’s a necessary component that is more likely to catch that long tail where the higher risks are.
* Detection. Companies need to be inspecting outbound traffic that would suggest an infection; for example, attempts to communicate with a command and control server. “When outbound traffic is attempting to reach a website, we can’t just check that URL against a blacklist of known sites because they change all the time,” says Sutton. “We need to inspect every part of that request to understand its behavior and characteristics and block it if it is suspicious.”
Visibility in detection is a big weakness for most companies, largely because we’ve deployed a bunch of disparate security technologies. The SIEM industry was created to pull all these log files back into one location, but Sutton says few companies have fully achieved that goal. Mobility also complicates the visibility challenge because companies don’t have a good way to capture traffic from employees who are working on their smart phones or sitting at a Starbucks with their laptop.
Another challenge is to take all that log data and turn it into actionable intelligence. A SIEM can certainly help here but most companies lack the resources and expertise to successfully utilize a SIEM. Managed service providers or cloud service providers can help fill this need.
* Remediation. Sutton suggests this is a step that companies aren’t prepared to do on their own. “Once you find something you need the ability to quickly quarantine and inoculate those infected machines. If somebody is outside of the office and you find they are infected, do you have the capabilities to quickly shut down and isolate that machine? You probably don’t want to immediately wipe that machine because you are going to need to do forensics on it. You need to figure out how and why it happened and again I think most companies just don’t have those capabilities,” according to Sutton. This is an area where outside expertise may be necessary.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp. http://www.essential-iws.com) which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.