DCN November 2016 - Page 20

security

TURNING THE TABLES

Kasey Cross of LightCyber explores the limitations of traditional security and looks at different ways to win the war on cybercrime.

With the fallout growing each day from the massive Yahoo! data breach, most enterprise security professionals should be asking the question, ‘Could an active attacker be in our data centre right now?’ A corollary question would be, ‘How would we even know if an attacker was in our data centre?’

A recent Lloyd’s study showed that over 90 per cent of European companies suffered a data breach at some point over the past five years. As Lloyd’s chief executive officer recently commented in various press accounts, ‘I’m afraid we no longer live in a world where you can prevent breaches taking place, instead it is about how you manage them and what measures you have in place to protect your business and importantly, your customers. As recent events have shown, hard earned reputations can be lost in a flash if you do not have the correct plans in place.’

A new report by Conservative members on the London Assembly estimated that in 2015, in London, 329,515 organisations experienced some form of security breach.

Even philanthropic organisations are not exempt from the ravages of cybercrime. In July, the UK debt relief charity Christians Against Poverty was hit by network attackers. Cybercrime is outpacing all other crime in the UK, according to the National Crime Agency.

Clearly, most companies are losing the battle of the data breach. The industry average ‘dwell time’ for a network intruder to go undetected is about five months. Five months is an enormous amount of time for a network intruder to orchestrate a complex attack and accomplish all of his or her goals. Therein lies the problem – attacks cannot be stopped because the attackers cannot be detected.

Identify and block

Traditional security revolves around encountering a threat and then developing ways to identify and block it.
The data breach threat demands adding a new approach, one that is based on detecting the operational activities of an attacker as manifested on the network. Our recent Cyber Weapons Report, based on six months of research in the first half of 2016, showed that after the initial intrusion, attackers don’t use malware to conduct reconnaissance or lateral movement, which are instrumental steps in an advanced attack. If traditional security controls can only find malicious software, they won’t be able to catch active attackers or detect post-intrusion activity.

When attackers land in a network, they are essentially blind, and chances are they will need to work their way to valuable assets. The most common intrusion involves compromising a user computer or account. From this initial foothold, attackers must survey the network, locating assets – particularly in the data centre – and finding a way to get to them. These activities can stand out against the normal, expected ones from users and devices.

While detecting an active attacker is achievable, it is
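The claim that reconnaissance and lateral movement stand out against a host's normal, expected traffic can be shown with a small behavioural detector. The Python below is an added example written for this page; it is not LightCyber product code and is not taken from the Cyber Weapons Report. The connection-log format ('src dst dport' per line), the host names and addresses, and the thresholds MIN_FANOUT and FANOUT_MULTIPLIER are all constructed assumptions. It learns each workstation's normal fan-out from a few days of records, then flags a host whose count of distinct destinations on a new day far exceeds its own baseline and reports any destination ports it has never used before. No malware signature is involved at any point.

```python
"""Behavioural detection of reconnaissance-style fan-out in connection logs.

Added example for this article, not LightCyber code. The log format
('<src> <dst> <dport>' per line), the hosts, the addresses and the
thresholds are constructed for illustration only.
"""
from collections import defaultdict

MIN_FANOUT = 5         # assumed: never alert below this many distinct peers
FANOUT_MULTIPLIER = 3  # assumed: alert when fan-out exceeds 3x the host's baseline peak


def parse_line(line):
    """Parse one constructed record: '<src> <dst> <dport>'."""
    src, dst, dport = line.split()
    return src, dst, int(dport)


def peers_per_host(lines):
    """Map each source host to the set of (dst, dport) pairs it initiated."""
    peers = defaultdict(set)
    for line in lines:
        src, dst, dport = parse_line(line)
        peers[src].add((dst, dport))
    return peers


def baseline_profile(days):
    """Learn, per host, the peak daily count of distinct destinations and the
    set of destination ports it used at any point in the baseline window."""
    profile = defaultdict(lambda: {"peak_dsts": 0, "ports": set()})
    for day in days:
        for host, pairs in peers_per_host(day).items():
            dsts = {dst for dst, _ in pairs}
            profile[host]["peak_dsts"] = max(profile[host]["peak_dsts"], len(dsts))
            profile[host]["ports"].update(port for _, port in pairs)
    return profile


def flag_recon(baseline_days, today):
    """Return alerts for hosts whose fan-out today exceeds their learned baseline.

    A host with no baseline (e.g. a newly joined machine) is judged against
    MIN_FANOUT alone, so a brand-new foothold is still caught if it sweeps.
    """
    profile = baseline_profile(baseline_days)
    alerts = []
    for host, pairs in peers_per_host(today).items():
        dsts = {dst for dst, _ in pairs}
        ports = {port for _, port in pairs}
        learned = profile.get(host, {"peak_dsts": 0, "ports": set()})
        threshold = max(MIN_FANOUT, FANOUT_MULTIPLIER * learned["peak_dsts"])
        if len(dsts) >= threshold:
            alerts.append({
                "host": host,
                "distinct_dsts": len(dsts),
                "threshold": threshold,
                "new_ports": sorted(ports - learned["ports"]),  # ports never seen in baseline
            })
    return alerts


# Constructed baseline: three ordinary days for two workstations that only
# talk to a file server (445), a mail relay (25) and a domain controller (389).
BASELINE_DAYS = [
    ["ws-42 10.0.1.10 445", "ws-42 10.0.1.20 25", "ws-42 10.0.1.5 389",
     "ws-7 10.0.1.10 445", "ws-7 10.0.1.5 389"],
    ["ws-42 10.0.1.10 445", "ws-42 10.0.1.5 389",
     "ws-7 10.0.1.10 445", "ws-7 10.0.1.20 25"],
    ["ws-42 10.0.1.10 445", "ws-42 10.0.1.20 25", "ws-42 10.0.1.5 389",
     "ws-7 10.0.1.5 389"],
]

# Constructed 'today': ws-42 keeps its normal traffic but also sweeps the
# 10.0.2.0/24 data-centre range on 445 and tries RDP (3389) to a few hosts.
TODAY = [
    "ws-42 10.0.1.10 445", "ws-42 10.0.1.5 389",
    "ws-7 10.0.1.10 445", "ws-7 10.0.1.5 389",
] + [f"ws-42 10.0.2.{i} 445" for i in range(1, 31)] \
  + [f"ws-42 10.0.2.{i} 3389" for i in range(1, 6)]

if __name__ == "__main__":
    for alert in flag_recon(BASELINE_DAYS, TODAY):
        print(alert)
```

On the constructed data ws-42 is flagged (32 distinct destinations against a threshold of 9, with 3389 as a port it had never used) while ws-7 stays within its profile. In a real deployment the baseline must be learned from genuine traffic over a longer window, and hosts that legitimately fan out (vulnerability scanners, monitoring systems, admin jump hosts) need their own profiles or an allow-list, otherwise the detector trades a malware blind spot for an alert flood.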