Mar 22 2016

Knowns and Unknowns: What it Means to Shift from Prevention to Detection and Response

“We haven’t stopped huge breaches. The focus now is on resilience, with smarter ways to detect attacks and faster ways to respond to them.” MIT Technology Review, January 2016

There is a lot of talk about shifting the information security posture from a focus on prevention to greater emphasis on detection and response. In a world where you assume everyone is breached, the logical strategy involves rapid identification and containment. It doesn’t mean you stop patching vulnerabilities. It does mean that organizations need new tools, processes and, in many cases, people.

What needs to change for information security to better meet the reality on the ground? To answer this question, a famous NASA framework can help us rethink what it means to have an emphasis on detection and response and how new analytics approaches can facilitate the transition.

  • Vulnerabilities – Known Knowns
  • Threats – Unknown Unknowns
  • Breaches – Unknown Knowns

Known Knowns – Vulnerabilities

Putting bars on your windows won’t have much effect if you leave the front door open. There are known knowns in the world of cyber threats. These manifest themselves in Common Vulnerabilities and Exposures (CVE). Often, addressing these risks simply involves patching or reconfiguring existing infrastructure. Other times, the resolution path is highly complex or not well understood. The challenge generally emerges when there are more CVEs than there are resources to address them in a timely manner.

How do you prioritize action so the front door is closed and stays locked? While some findings in the Verizon Data Breach Investigations Report suggest “that half of the CVEs exploited in 2014 fell within two weeks,” data in the same report indicate that only about 5% of CVEs exploited in 2014 originated in that year. The majority had been around for a long time, and some go back to the 1990s.

Timeliness is only one factor. To deal effectively with known vulnerabilities, information security groups need to orient around the concept of asset value and criticality and then apply other factors such as cost and time to resolve to effectively prioritize patching efforts. IKANOW’s Information Security Analytics (ISA) enables this exact match between asset value, risk, cost and time. The data draws from the enterprise asset database and inputs by managers and analysts. It transforms patch management from a never-ending list of unrelated tasks to a decision support tool enabling better resource allocation. It is important to remember that the toil of prevention doesn’t end with a shift in focus to detection and response.
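The prioritization described above, as an added illustration that is not IKANOW's own code: each finding carries an asset value and criticality from the asset database plus the analyst's cost and time-to-resolve estimates, and a simple score turns the list into a schedule that fits the hours actually available. The scoring formula, the `Finding` fields and the sample findings are all assumptions constructed for this example.

```python
"""Rank and schedule patching by asset value, criticality, cost and time."""
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                # placeholder label, not a real CVE identifier
    asset: str
    asset_value: int        # 1..5, business value from the asset database
    criticality: int        # 1..5, severity/exposure rating from the analyst
    cost_hours: float       # engineering hours to patch or reconfigure
    days_to_resolve: float  # calendar days until the fix can be in place

def priority_score(f: Finding) -> float:
    """Higher is more urgent: value at risk divided by effort, with a delay penalty."""
    impact = f.asset_value * f.criticality
    effort = f.cost_hours * (1.0 + f.days_to_resolve / 7.0)  # +100% per week of delay
    return impact / effort

def rank(findings):
    """Findings ordered most urgent first."""
    return sorted(findings, key=priority_score, reverse=True)

def plan(findings, budget_hours):
    """Greedy pick of the most urgent findings that fit the available hours.
    Returns the chosen findings and the hours they consume, so an expensive
    fix that did not fit (see payment-gw below) is visible for explicit scheduling."""
    chosen, spent = [], 0.0
    for f in rank(findings):
        if spent + f.cost_hours <= budget_hours:
            chosen.append(f)
            spent += f.cost_hours
    return chosen, spent

# Constructed sample: cheap fixes on low-value assets vs an expensive one on a critical asset
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "customer-db", 5, 5, 8, 2),
    Finding("CVE-EXAMPLE-2", "dev-wiki", 1, 4, 2, 1),
    Finding("CVE-EXAMPLE-3", "payment-gw", 5, 3, 40, 14),
    Finding("CVE-EXAMPLE-4", "intranet-portal", 3, 2, 4, 0),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority_score(f):6.2f}  {f.cve:14} {f.asset}")
    chosen, spent = plan(SAMPLE, budget_hours=16)
    print("this sprint:", [f.cve for f in chosen], f"({spent:g}h of 16h)")
```

The greedy plan deliberately reports what it could not fit: the 40-hour payment gateway fix never wins on score per hour, which is exactly the case a manager must decide on rather than let a ranking bury.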

Unknown Unknowns – Threats

Unknown unknowns are the wild west. It is why we need threat intelligence feeds and original research. Some attack vectors are well understood, but many are creative and not obvious. Signature-based detection still has a role, but the new normal of detection and response requires some different patterns of activity.

First, you need a way to rapidly contextualize threats and their relevance to your organization. Today, that often involves a tremendous amount of skill and brainpower to manually match indicators that may be revealed at any time in the dozens of browser tabs and proprietary applications open on an analyst’s desktop. Many analysts do a great job with this needle-in-a-haystack investigation approach but the 146-day average breach dwell time suggests significant room for improvement. The question is, how can we automate and streamline this process for analysts and shorten the breach dwell time?

The ISA solution includes a correlated search feature that pulls both external and internal information related to a threat into a single screen. There is no more hunting across dozens of tabs where side-by-side manual correlation is so challenging. The search offers summary information and links to the related data for immediate analysis. There are already too many alerts and vulnerabilities for most information security teams to address. The proliferation of threat intelligence feeds can simply add to the noise, inhibiting analysts from focusing on the most relevant and critical risks. IKANOW can rapidly correlate relevant threat intelligence data with internal sources to reduce breach dwell time and filter out the noise.

Unknown Knowns – Breaches

Breaches are the most vexing information security situation today. The proliferation of information security threats has led to a rapid rise in tools to defend against and identify them. A recent CSO article quoted Franklin Witter from SAS as saying, “A typical large enterprise may have deployed over 60 different security products.” We know that the breach indicators are hiding within our existing security tools, but many organizations are not identifying them.

A significant contributor to this problem is that most information security solutions are proprietary and in silos. Many excel at a particular task, but fail to detect small changes that correlate with detected activities in netflow or other data outside of their scope. A solution that can correlate across both internal systems and external threat intelligence feeds is needed to meaningfully reduce the time to breach detection.

This may be the most powerful feature embedded in IKANOW ISA. Because the open source architecture allows easy integration with an unlimited number of data sources and has the ability to analyze hundreds of terabytes of data every second, ISA enables rapid cross-system data correlation to detect breaches that otherwise would go unnoticed. And, it can match the voluminous internal data with external threat feed information to provide not only detection but also deliver the context required to confirm the risk and better understand the scope. The answers don’t replace analysts. The solution gives them a new weapon to combat the rise in breach volume and sophistication. An IKANOW user recently commented that ISA will improve analyst productivity by 50%.
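The correlated search described under Unknown Unknowns and the cross-system correlation described here, as one added example that is not IKANOW's own code: external indicators are matched against netflow-like and proxy-like records, each hit is tied back to an asset through the asset database, low-confidence feed entries are dropped as noise, and what remains is one summary per indicator with its first-seen time, assets and data sources. The feed format, log formats, asset map, confidence threshold and all sample values are constructed for this example.

```python
"""Correlate external threat-intel indicators with internal log records."""
import re
from collections import defaultdict
# Constructed indicator feed: indicator -> (type, source feed, confidence 0-100)
INTEL = {
    "198.51.100.23": ("ip", "feed-a", 80),
    "bad.example": ("domain", "feed-b", 60),
    "203.0.113.9": ("ip", "feed-a", 40),  # low confidence: treated as noise
}
# Constructed internal records in netflow-like and proxy-like key=value form
NETFLOW = [
    "2016-03-21T10:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443 bytes=51200",
    "2016-03-21T10:05:40Z src=10.0.0.5 dst=198.51.100.23 dport=443 bytes=48000",
    "2016-03-21T11:12:00Z src=10.0.0.9 dst=192.0.2.77 dport=80 bytes=900",
    "2016-03-21T13:00:00Z src=10.0.0.9 dst=203.0.113.9 dport=8080 bytes=120",
]
PROXY = [
    "2016-03-21T10:00:58Z host=ws-105 user=alice url=http://bad.example/u",
    "2016-03-21T12:30:00Z host=ws-110 user=bob url=http://intranet.corp/home",
]
ASSETS = {"10.0.0.5": "ws-105", "10.0.0.9": "ws-110"}  # asset-database lookup
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict."""
    ts, rest = line.split(" ", 1)
    return dict(KV.findall(rest), ts=ts)

def correlate(intel=INTEL, netflow=NETFLOW, proxy=PROXY, assets=ASSETS, min_conf=50):
    """One summary per credible indicator that actually appears in internal data."""
    hits = defaultdict(list)
    for rec in map(parse, netflow):
        if rec["dst"] in intel:  # destination matches an indicator
            asset = assets.get(rec["src"], rec["src"])
            hits[rec["dst"]].append({"ts": rec["ts"], "asset": asset, "source": "netflow"})
    for rec in map(parse, proxy):
        host = re.sub(r"^\w+://", "", rec["url"]).split("/")[0]
        if host in intel:  # requested host matches an indicator
            hits[host].append({"ts": rec["ts"], "asset": rec["host"], "source": "proxy"})
    summary = {}
    for ind, evts in hits.items():
        itype, feed, conf = intel[ind]
        if conf < min_conf:  # drop low-confidence feed entries to cut noise
            continue
        evts.sort(key=lambda e: e["ts"])
        summary[ind] = {"type": itype, "feed": feed, "confidence": conf,
                        "hits": len(evts), "first_seen": evts[0]["ts"],
                        "assets": sorted({e["asset"] for e in evts}),
                        "sources": sorted({e["source"] for e in evts})}
    return summary
```

On this sample both surviving indicators resolve to the same workstation, ws-105, which is the kind of convergence across netflow and proxy data that a single tool watching one source would not surface.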

Correlating Across Internal Systems and with External Threat Feeds

The change in information security approaches that recognizes the criticality of detection and response capabilities requires a new framework and new tools. The concept of known knowns, unknown unknowns, and unknown knowns provides a way to think about how practices need to change for vulnerability prioritization, threat analysis and breach detection.

The rise in data availability and sophistication of attacks is already overwhelming skilled analysts, who have become our first line of defense in a world of cyber pirates and pickpockets. They need help, and we all need tools to make less-experienced analysts more productive. Big-data analytics is more than a buzzword when it comes to information security. IKANOW is leveraging open-source technologies that are proving effective at rapidly detecting breaches and prioritizing vulnerabilities by correlating data across internal systems and external feeds.


By Chris Morgan

Chris Morgan

Cofounder and Chief Technology Officer. Chris Morgan is responsible for technology innovation and delivering high-quality security analytics solutions to clients. He has more than 15 years of experience in research and development, software engineering, software development and product management. Morgan studied management at the Wharton School of Business of the University of Pennsylvania and economics and computer science at Virginia Polytechnic Institute and State University.