
Collection of information key to thwarting APT attacks

Intelligence-driven information security, rather than firewalls, anti-virus software and log-file analysis alone, is the future of battling advanced persistent threats, according to a new report from the Security for Business Innovation Council (SBIC). The study was sponsored by EMC Corp.'s security division RSA.

The council, made up of 16 executives from Global 1000 companies, said most companies do not have enough information about advanced threats, and need a new approach to defend their networks and confidential data.

SBIC recommends several components for intelligence-driven information security. First, it is imperative to consistently collect reliable cyber security data from a range of government, industry, commercial and internal sources to gain a more complete understanding of risks and exposures. Second, companies must perform ongoing research on prospective cyber adversaries to build knowledge of their attack motivations, favored techniques and known activities. Third, new skills focused on the production of intelligence must be developed within the information team. Fourth, full visibility must be achieved into actual conditions within IT environments, including insight that can distinguish normal from abnormal system and end-user behavior.

Also important, the report said, is a process for efficient analysis, fusion and management of cyber security data from multiple sources, since actionable intelligence cannot be developed without one. Finally, enterprises must share useful threat information, such as attack indicators, with other organizations.

Networks are no longer safe if a company takes the egg-shell approach of relying on perimeter-centric hardware devices, anti-virus and anti-malware software and similar measures to keep intruders out, said William Boni, vice president and chief information security officer at T-Mobile USA. He acknowledged that security professionals have been recommending the intelligence-driven approach for some time, but said many companies have been slow to adopt it.

The conventional wisdom of defending networks is no longer applicable, Boni said. Building a security profile based on checking boxes to meet compliance regulations will not keep intruders out.

“Security is not built on compliance,” he said. Nor is it built by trying to put a wall around the entire network. Boni said the advice of Frederick II, one of the most powerful Holy Roman Emperors of the Middle Ages, is as true now as it was in his time: “He who tries to defend everything defends nothing.”

An intelligence-driven methodology that takes massive amounts of information and derives actionable data might seem like standard operating procedure for enterprises with large data stores, but it is not, added Art Coviello, executive chairman of RSA. While security experts at large companies recommend an intelligence-based approach, Coviello said it can be a difficult sell to corporate boards focusing on return-on-investment and short-term gains.

Coviello is a strong proponent for information sharing about breaches, a topic that some companies avoid for competitive reasons. However, that recommendation in the SBIC report could represent a turning point between recognizing advanced persistent threats and attacks of convenience.

“Just talking about information sharing [but not actually doing it] is like talking about the weather,” he said. “It's a cliché for security failure.”
