When you are facing a human adversary who is actively working to circumvent your protections, the value of static defenses drops. On the flip-side, the value generated by the talent and dedication of your security operations team is increased.
For those organizations facing a dog-fight against a human adversary instead of random, drive-by attacks, the rules and tools necessary to address that challenge have changed dramatically. Now, more than at any time in the past, success in defense is determined by the quality of the defenders. The list of skills necessary is substantial and most certainly must include reverse engineering, malware analysis, network engineering, protocol decoding, scripting and coding. Beyond possessing the necessary skill sets, the people you hire also must possess a sense of drive, as well as the right attitude.The next step, once an organization has assembled its team of crack information security professionals, is to invest in the tools necessary to enable your team to perform their individual jobs. This is where vendor selection becomes critical. You need a partner that is invested in helping ensure that your enterprise environment is protected. A lack of agility in your toolset will hamper and frustrate your pack of security ninjas.
Unfortunately, agility isn't one of the things typically listed on vendor brochures.When I talk about agility, I'm talking about the ability to rapidly modify the defensive stance of your organization as threat and attack data comes in. Much of this flexibility will be determined by your vendor. You need to ask: How often do they update software, signatures and rules?But that isn't the end of the check for agility. Perhaps the most significant question to ask is this: Can this device do what my team needs it to do? In order to achieve this goal, it will be necessary to ensure that the solution has the ability to write custom detection. It is also necessary to look for an application programming interface (API) so that you can integrate the tool with your existing architecture. Further, look at how much access you have to the internals of the box. You never know what you may need to do to protect your network.
The key here is to understand the value of rapid, low impact development of defense methodologies. This capability allows you and your team to define a defensive stance, as opposed to having it dictated to you by vendors. As an example, one organization I've worked with was able to increase their detection rate by looking for certain indicators in the metadata of the files used by attackers. Since the ability to identify metadata entries is useful only to a subset of organizations, vendors would never offer this capability. But, because this organization had invested in intelligence and defense development, they were able to stave off attacks for months.The defensive game is hard, and there is nothing that we're seeing on the horizon that indicates anything is going to get easier. The game is changing for many of you, and traditional, static defenses based on closed, black-box solutions are no longer sufficient. You and your team need to be more skilled, and vendors need to ensure that they support your ability to develop customized and innovative solutions. If your vendor gets in your way, then maybe it is time to go looking for a partner instead of just a vendor.
Matthew Olney is a research engineer on the vulnerability research team at Sourcefire.