"We cannot control our adversary," says Rick McElroy, Security Strategist for Carbon Black, a leading next-generation cybersecurity firm, "although we can choose to control them once in our environment. We have little to no control over when the “big attack” happens. For too long I think we have focused so hard on finding the adversary that our internal threat intelligence has suffered as a result. Sharing threat intelligence has gotten easier. Vendors have done a ton to allow teams to cultivate and exchange threat intel, and while there is always more work, we have abandoned the one thing we have a hope of controlling: the home field advantage."
Editor's Note: Carbon Black is offering a free webinar on why companies are moving toward next-generation security.
McElroy adds, "I have heard major CISOs sit in a room and say “asset management is impossible, so why try?” How is this what a leader would say? Yes, this thing we do isn’t easy, but giving up is a surefire way to never achieve a strategic goal."
"It’s time we bring this to all defenders, not just customers of a certain organization. Carbon Black is on a mission to make the world safe from cyber attacks. To achieve this mission, we need every one of us sharing and helping quiet the noise. We need application developers and threat hunters on the same page. We need to unite as a community."
One of the things I've had to work on the most as an #infosec leader is patience.
Strategy and culture change take a long time. Don't get frustrated on the journey. Be patient.
Thoughts on the long game and being patient to achieve strategy... I would love to hear them... pic.twitter.com/XHXgYJOC3w
— Rick McElroy (@InfoSecRick) August 29, 2018
Traditional AV is Falling Short
Just about every enterprise is now working to put next-generation endpoint protection in place, and the main driver is that traditional AV is no longer effective enough on its own. Dan Larson of CrowdStrike explains why:
First, let’s look at why traditional AV is falling short against the cyber-attacks organizations face today. Traditional AV technologies still rely on a signature-based approach that can only identify known threats. Attackers can run circles around this approach by making small tweaks to their malware in between signature updates; this allows them to operate with impunity while organizations scramble to deploy new updates.
In short, traditional AV leaves organizations one step behind the attacker. Making matters worse, a signature-based approach cannot detect modern attacks that do not write files to disk (so-called file-less attacks) or techniques that use trusted system tools like PowerShell to perform malicious actions. In order to combat the shortcomings of traditional AV, organizations must ensure that they have AV technology that takes a proactive approach to cybersecurity. - Dan Larson, Vice President Product Marketing at CrowdStrike via Security Ledger.
The Security Fight Has Escalated
"Nearly 20 years ago, viruses such as the Melissa virus and Love Bug worm were causing millions of dollars’ worth of damage, hijacking email servers, corrupting corporate and government documents, and forcing systems to shut down," stated Martin Borrett, IBM Distinguished Engineer and CTO IBM Security Europe. "Today, cybercrime is a global plague that will cost the world economy $6 trillion annually by 2021, according to Cybersecurity Ventures."
Borrett added, "As cybercriminals, nation-state attackers and hacktivist groups have become more sophisticated, the security industry has grown up to defend our national security as well as the vital interests of businesses and consumers. Gradually, the battle between attackers and defenders has become something akin to an arms race: New types of attacks lead to new defenses to block them. Security innovations become outdated as soon as attackers find ways around them. Meanwhile, cyberattackers continue to rely on social engineering tricks that are hard to defend against."
New Cybersecurity Approaches Are Clearly Needed
For modern cybersecurity operations to be effective, it’s necessary for organizations to monitor diverse data streams to identify strong activity signals. This includes monitoring network traffic data to find well-known patterns of common adversary activities, such as data exfiltration or beaconing. While these detection techniques are critical to cybersecurity operations, it is imperative to leverage such signals to predict future activities. Further capabilities could even be created to modify the behavior of the actor (or analyst) to the benefit of the organization and mission. This could include systems on networks that are trained to autonomously take action, such as blocking access to resources or redirecting traffic, based on a predicted behavior.
Modern attackers are too agile and creative for organizations to rely on passive descriptive analytics or reactive diagnostic techniques for protection. Rather, building an ability to forecast future outcomes through predictive analytics that utilize prior knowledge of events, particularly the precursor signals evident before an attack, is a proactive measure. - Dr. Kirk Borne via a recent post on O'Reilly Media.
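The two network signals Borne names, beaconing and data exfiltration, as an added example that is not code from the article or from Dr. Borne's post: over constructed flow records, a timer-driven C2 check-in shows up as inter-connection gaps with a very low coefficient of variation, while bulk outbound volume per source/destination pair gives a crude exfiltration signal. The log lines, field layout, thresholds and addresses (documentation ranges) are illustrative assumptions.

```python
"""Added example, not code from the article or Dr. Borne's post: beaconing and
bulk-outbound detection over constructed connection records. Log lines, field
layout, thresholds and IPs (documentation ranges) are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: "<iso-timestamp> <src> <dst:port> <bytes_out>".
# 10.0.0.5 talks to one host about once a minute with a few seconds of jitter
# (a C2 check-in); 10.0.0.7 browses a site in irregular bursts.
LOG = """
2018-08-29T10:00:00 10.0.0.5 203.0.113.9:443 512
2018-08-29T10:00:57 10.0.0.5 203.0.113.9:443 498
2018-08-29T10:02:02 10.0.0.5 203.0.113.9:443 530
2018-08-29T10:02:59 10.0.0.5 203.0.113.9:443 501
2018-08-29T10:04:01 10.0.0.5 203.0.113.9:443 515
2018-08-29T10:05:00 10.0.0.5 203.0.113.9:443 520
2018-08-29T10:00:05 10.0.0.7 93.184.216.34:443 14020
2018-08-29T10:00:09 10.0.0.7 93.184.216.34:443 2300
2018-08-29T10:03:40 10.0.0.7 93.184.216.34:443 880
2018-08-29T10:11:02 10.0.0.7 93.184.216.34:443 41200
2018-08-29T10:11:03 10.0.0.7 93.184.216.34:443 600
2018-08-29T10:25:17 10.0.0.7 93.184.216.34:443 7700
"""


def parse_flows(log: str) -> dict:
    """Group (timestamp, bytes_out) records by (src, dst) pair."""
    by_pair = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return by_pair


def interval_stats(times):
    """Mean inter-connection gap and its coefficient of variation (stdev/mean).
    A timer-driven beacon keeps the CV small even with modest jitter."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m > 0 else float("inf"))


def find_beacons(log: str, min_connections: int = 5, max_cv: float = 0.2) -> list:
    """Flag src->dst pairs whose connection timing is too regular to be human."""
    hits = []
    for (src, dst), recs in parse_flows(log).items():
        if len(recs) < min_connections:
            continue
        stats = interval_stats([t for t, _ in recs])
        if stats is None:
            continue
        m, cv = stats
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": len(recs),
                         "mean_interval_s": round(m, 1), "cv": round(cv, 3)})
    return hits


def large_senders(log: str, threshold_bytes: int) -> dict:
    """Crude exfiltration signal: total bytes_out per pair above a threshold."""
    totals = {pair: sum(n for _, n in recs) for pair, recs in parse_flows(log).items()}
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}


if __name__ == "__main__":
    for hit in find_beacons(LOG):
        print("beacon candidate:", hit)
    print("bulk senders:", large_senders(LOG, 50_000))
```

On this data the 10.0.0.5 pair comes out with a mean gap of 60 seconds and a CV of about 0.05, well under the 0.2 threshold, while the browsing host's CV is above 1 and is ignored; the volume check flags only the browsing host. Two caveats matter before wiring a score like this to the kind of autonomous blocking the passage imagines: an implant that sleeps with large random jitter or very long intervals pushes the CV above any fixed threshold, so the interval histogram and destination rarity need to be checked too; and plenty of legitimate traffic is timer-driven (NTP, update checks, monitoring agents), so a destination allowlist is required to keep automated action from breaking production.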