RSA President Confirms The Need To Move Out Of The Cyber Security Dark Ages In Keynote Speech – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver, CEO, Ziften Technologies


A 5 Point Plan For A New Security Approach Proposed By Amit Yoran

Amit Yoran, RSA President, delivered an outstanding keynote speech at the RSA Conference that reinforced the Ziften strategy. Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility™, risk-focused security analytics, and supplying robust defenses in a new era of sophisticated cyber attacks. Yoran criticized current organizational security strategy as bogged down in the Dark Ages of cyber moats and castle walls, describing it as an “impressive fail”, and outlined his vision for the future in five main points. Commentary from Ziften’s perspective is included with each point.

Stop Believing That Even Advanced Protections Suffice

“No matter how high or wise the walls, focused enemies will find methods over, under, around, and through.”

Many of the recent, more sophisticated attacks did not use malware as their primary technique. Yoran called out conventional endpoint antivirus, firewalls and traditional IPS as examples of the Dark Ages, stating that experienced attackers can quickly scale these legacy defenses and that they are mostly ineffective. A signature-based anti-virus system can only protect against previously seen threats, yet unseen threats are the most dangerous to a company, since they are the most typical of targeted attacks. Targeted attackers use malware only 50% of the time, and often only briefly, at the start of the attack. Attack artifacts are easily changed and are not reused across targeted campaigns. Accumulating billions of transient indicators of compromise and malware signatures in huge anti-virus signature databases is a meaningless defensive technique.

Adopt a Deep and Pervasive Level of Real Visibility Everywhere – from the Endpoint to the Cloud

“We need prevalent and real visibility into our enterprise environments. You just cannot do security today without the visibility of both constant full packet capture and endpoint compromise evaluation visibility.”

This implies continuous endpoint monitoring across the entire enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reflect classic attacker techniques rather than fleeting hex-string coincidences. Any company implementing constant full packet capture (comparatively expensive) can easily afford endpoint threat assessment visibility (relatively economical). Logging and auditing of endpoint process activity provides a wealth of security insight using only elementary analytics methods. A targeted attacker relies on the relative opacity of endpoint user and system activity to cloak and conceal the attack, while real visibility shines a bright light on it.

Identity and Authentication Matter More than Ever

“In a world with no border and with less security anchor points, identity and authentication matter even more … At some point in [any effective attack] campaign, the abuse of identity is a stepping stone the enemies use to impose their will.”

Stronger authentication is fine, but it only produces higher walls, which are still not impenetrable. What the attacker does after overcoming the wall is the most essential thing. Track user endpoint logins (both local and remote) and application usage for indicators of irregular user activity (insider attack or potentially compromised credentials). Any observed activity that differs from regular patterns is possibly suspicious. One departure from normality does not make a case, but security analytics that triangulates several departures from normality concentrates security attention on the highest-risk anomalies for triage.

External Risk Intelligence Is A Core Capability

“There are incredible sources for the best threat intelligence … [which] should be machine-readable and automated for increased speed and leverage. It should be operationalized into your security program and tailored to your organization’s assets and interests so that analysts can rapidly resolve the threats that pose the most risk.”

Many targeted attacks do not reuse readily signatured artifacts or recycle network addresses and C2 domains, but there is still value in threat intelligence feeds that aggregate prompt discoveries from millions of endpoint and network threat sensors. Here at Ziften we integrate third-party threat feeds by means of the Ziften Knowledge Cloud, and expose Ziften discoveries directly into SIEM and other enterprise security and operations infrastructure via our Open Visibility™ architecture. As more machine-readable threat intelligence (MRTI) feeds evolve, this capability will grow efficiently.

Understand Exactly What Matters Most To Your Company And Exactly What Is Mission Critical

“You need to comprehend exactly what matters to your company and exactly what is mission critical. You have to … safeguard what is very important and protect it with everything you have.”

This holds true for threat-driven analytics and instrumentation that focus security attention and effort on the areas of greatest enterprise threat exposure. Yoran argues that asset value prioritization is only one side of enterprise risk analysis, and that the analysis goes much deeper, both pragmatically and academically. Security analytics that focus security personnel’s attention on the most prominent dynamic risks (for example by filtering, correlating and scoring SIEM alert streams for security triage) need to be well grounded in all sides of enterprise risk analysis.
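As an added illustration of the two points made above (several departures from a user's normal login pattern being triangulated rather than alerting on any one, and scores being weighted by what is mission critical), the following example is not Ziften's code or analytics; the login records, host names and asset-criticality weights are constructed for this example.

```python
from collections import defaultdict

# Constructed historical endpoint login records (user, host, hour, source, success);
# assumed baseline data for this example, not real telemetry.
SAMPLE_LOGINS = [
    ("alice", "ws-01", 9, "local", True), ("alice", "ws-01", 10, "local", True),
    ("alice", "ws-01", 14, "local", True), ("bob", "ws-02", 8, "local", True),
    ("bob", "ws-02", 17, "vpn", True),
]
# Assumed asset-criticality weights: higher means more mission critical.
ASSET_CRITICALITY = {"ws-01": 1, "ws-02": 1, "fin-srv": 5, "dc-01": 5}

def build_baseline(records):
    """Learn each user's normal hosts, login hours and sources from successful logins."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "sources": set()})
    for user, host, hour, source, ok in records:
        if ok:
            base[user]["hosts"].add(host)
            base[user]["hours"].add(hour)
            base[user]["sources"].add(source)
    return base

def departures(baseline, event):
    """List the ways one login event departs from the user's learned pattern."""
    user, host, hour, source, ok = event
    b = baseline[user]  # an unseen user has an empty baseline, so every check is a departure
    checks = [("new_host", host in b["hosts"]), ("off_hours", hour in b["hours"]),
              ("new_source", source in b["sources"]), ("failed_login", ok)]
    return [name for name, normal in checks if not normal]

def triage_score(baseline, event):
    """One departure is not a case; two or more are triangulated and weighted by asset value."""
    found = departures(baseline, event)
    if len(found) < 2:
        return 0, found
    return len(found) * ASSET_CRITICALITY.get(event[1], 1), found

def rank_for_triage(baseline, events):
    """Return (score, departures, event) highest risk first, dropping zero-score events."""
    scored = [(triage_score(baseline, e), e) for e in events]
    return sorted(((s, d, e) for (s, d), e in scored if s > 0), key=lambda t: -t[0])

# Constructed new login events to score against the baseline.
NEW_EVENTS = [
    ("alice", "ws-01", 10, "local", True),  # normal pattern
    ("alice", "ws-01", 3, "local", True),   # one departure: not a case on its own
    ("alice", "fin-srv", 3, "vpn", True),   # three departures on a critical asset
    ("bob", "ws-02", 2, "vpn", False),      # two departures on a low-value asset
]
```

Calling `rank_for_triage(build_baseline(SAMPLE_LOGINS), NEW_EVENTS)` puts the off-hours VPN login to the critical finance server first and drops the lone off-hours login entirely.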

At Ziften we commend Amit Yoran’s messages in his RSA 2015 keynote address as the cyber security market progresses beyond the present Dark Ages of facile targeted attacks and established exploitations.