This column is available in a weekly newsletter called IT Best Practices.
When it comes to enterprise security, it has long been established that prevention, though critical, is not enough. Prevention largely depends on knowing what is bad and priming security devices like firewalls and intrusion prevention systems with the rules necessary to keep bad stuff out. The problem is, something can be bad but nobody knows it yet, so there’s no rule to put in the firewall. An attacker’s damage can be done long before the rule is created.
If an intrusion can’t be prevented, it must be detected. Cybersecurity solution vendors have developed innovative ways to detect malicious or simply suspicious activity within an enterprise: user behavioral analysis, deception, digital fingerprints, and so on. Tools like these typically span the network to look for “unknown unknowns” that demonstrate some characteristics of being bad, although a definitive determination hasn’t been made yet. Usually a security analyst must evaluate the situation to make a determination.
Good cybersecurity tools are frequently updated with the latest crowd-sourced intelligence of what is currently known as bad; for example, an IP address that is used for command and control (C&C) communications. That intelligence then goes into prevention and detection tools to operate on current network traffic and activities.
Sometimes a security tool with DVR-like capabilities can look at a few months of stored network packets to ask the question, “Did this newly identified bad thing happen to us in the past?” It might be possible to find that, 3 months ago, a device on the network did reach out to that C&C server. Then the DVR tool assembles relevant context so a security analyst can investigate.
A time machine for automated breach detection
SS8 is a vendor in the communications analytics business. For about a decade, the company has been taking packets off networks and extracting intelligence from them to find needles in haystacks. On a global scale, SS8 has traditionally worked with telecommunication companies and law enforcement agencies, and the company says it is now creating a “time machine” for automatically detecting cybersecurity breaches. The idea is to continually analyze what has already happened to predict when a breach could be coming, and to do it without human intervention.
It starts with data collection. SS8 BreachDetect uses lightweight sensors on a customer’s network to extract and summarize information to create high-definition records, or HDRs. The data is critical application-layer and identity intelligence extracted from network packets; for example, this traffic was for a Facebook login, this traffic was a Dropbox download, and so on. The data is summarized with high fidelity and sent to SS8’s cloud, where an analytical engine mines the data by device to look for events that, when taken together, paint a picture of compromise.
SS8 calls this the pattern of life of a device of interest. The approach is one of looking at a device and summarizing its activities and communications and mining this information over a period of time to see if a pattern of compromise emerges. If it does, SS8 sends an alert with explicit information about the nefarious activity surrounding the device. At this point the customer organization is told there is something wrong with the device; there’s no need to gather context so a security analyst can assess whether that’s true or not.
BreachDetect operates on all data automatically. It doesn’t have to be told, “Go look for this exploit or that activity.” It operates fully in the background, with no intervention, to continually look at what’s happening with devices – and more importantly, what has happened in the past – and mine this information for suspicious activity.
Consider this example. Sarah gets an email that appears to have come from her IT department. It says the company has changed to a new spam detection system and she needs to use her email credentials to log in and activate the service. She does this, sees a web page that says she was successful, and goes about her business. Sarah doesn’t know this was a phishing campaign that just stole her credentials and dropped malware on her computer.
A month later, Sarah’s PC communicates with an outside IP address in very low volumes and in hidden ways. Weeks later, Sarah’s computer looks like it is trying to scan the infrastructure. These small activities might cause individual alerts to be raised by a detection system or SIEM, but they could be such low priority that they are considered noise.
In the background, SS8 BreachDetect has collected this activity and repeatedly analyzed it over time. It’s the sequence of three or ten or twenty things happening over time that raises a red flag. BreachDetect would then send an automated alert indicating that this computer needs significant attention, along with all the details that back up the alert.
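The two ideas the column describes, the DVR-style question “did this newly identified bad thing happen to us in the past?” and the per-device pattern of life that only raises an alert once several low-priority events line up, can be shown with a few lines of detection logic. This is an added illustration, not SS8’s code; the record layout, the event-to-kill-chain-stage mapping and the 90-day window are assumptions for the example, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the spirit of summarised "HDRs":
# timestamp, device, summarised event, destination (assumed layout, not SS8's schema).
HDR_RECORDS = """
2016-03-02T09:14:00 sarah-pc credential_post 203.0.113.45
2016-04-03T02:10:00 sarah-pc beacon 203.0.113.45
2016-04-05T02:11:00 sarah-pc beacon 203.0.113.45
2016-04-20T01:30:00 sarah-pc internal_scan 10.0.0.0/24
2015-12-01T03:00:00 bob-pc beacon 198.51.100.7
2016-04-21T10:00:00 bob-pc internal_scan 10.0.0.0/24
""".strip().splitlines()

# Assumed mapping from summarised event types to kill-chain stages.
STAGE = {"credential_post": "exploitation",
         "beacon": "command_and_control",
         "internal_scan": "reconnaissance"}

def parse(lines):
    out = []
    for line in lines:
        ts, dev, ev, dst = line.split()
        out.append((datetime.fromisoformat(ts), dev, ev, dst))
    return out

def retro_lookup(records, bad_ip):
    """The 'time machine' question: which devices ever talked to an
    indicator we only learned about today? Searches all stored history."""
    return sorted({dev for _, dev, _, dst in records if dst == bad_ip})

def pattern_of_life(records, window_days=90, min_stages=2):
    """Group low-priority events per device, keep those inside a window
    ending at the device's newest event, and alert only when distinct
    kill-chain stages co-occur. A single beacon or scan is not enough."""
    by_dev = defaultdict(list)
    for ts, dev, ev, dst in records:
        if ev in STAGE:
            by_dev[dev].append((ts, STAGE[ev], dst))
    alerts = {}
    for dev, evs in by_dev.items():
        evs.sort()
        newest = evs[-1][0]
        recent = [e for e in evs if newest - e[0] <= timedelta(days=window_days)]
        stages = sorted({s for _, s, _ in recent})
        if len(stages) >= min_stages:
            alerts[dev] = {"stages": stages, "evidence": recent}
    return alerts
```

In the sample, sarah-pc trips the alert with three stages inside the window, while bob-pc’s lone scan does not, because its beacon is too old to count; the old beacon is still found by the retrospective lookup.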
In a dashboard, an incident responder can click on the alert to see the pattern of life of Sarah’s computer. It shows the kill chain activities that have been exhibited: reconnaissance, exploitation, command and control, etc. Each stage is fully mapped out in a human-readable view of exactly which events and communications occurred.
In other cybersecurity tools, each item in the pattern of life would have been a separate alert vying for precious attention. With BreachDetect, all of the items are viewed collectively as one alert to show the imperative of taking action now to remedy the situation before a breach can happen.
SS8 says this is all automatic, and that no security analyst work is required until an alert pops up to urge action on a compromised device. The “time machine” takes historical information and continuously analyzes it and mines it for the presence of malicious activity. This hands-off approach is especially helpful to organizations whose security analysts are already stretched too thin. These days, isn’t that all of them?