Incident Response, Network Security, TDR, Vulnerability Management

RSA 2014: Sharing data key to beating APTs

Highly targeted attacks have become the new norm, and attackers have an advantage over defenders because it's an asymmetric battle in which our opponents have access to tools which they can pull apart and probe to discover weaknesses.

So we go for strength in depth with lots of products, and while it's true that best of breed barrier products stop many attacks, Stephen Trilling of the Symantec Group noted that endpoint products, firewalls, gateway and server protections each maintain their own security logs and don't interact with each other. Each knows what its data is telling it – he added - and can only provide protection in relation to its limited view of the world.

Not only that, companies are often unable to even look at the volumes of data created, nor store it all, and administrators can't keep up with the threat and product developments.

And it's not just the products that are islands, but each company is an island too.

In response to the questions, – 'Why not use security information management?' and 'Why haven't SIEMS solved this problem?' – Trilling answered that unfortunately, “they are only as good as the information that they get, so if the attack is missed, they can't deal with it.”

“SIEMS are also working in a limited time window, minutes or hours – so the SIEM may see nothing during this period, and older data goes into archive and is never looked at again," he said during a discussion at the RSA Conference in San Francisco. "And they only cover one company.”

The other option of having all security products talk to each other and sharing data creates the problem of N products talking to N products equals N squared and a lot of complexity.

Trilling then outlined his alternative view of how the security world might be: Companies would have security managed for them, by a single multi-enterprise entity, achieving economies of scale and visibility across your customer base. The integration will be done for you by the provider, and it would not one time integration, but deep and evolving along with new attacks.  And the company would not be a security island, but form part of community sharing information.  As a result, even the most highly complex attacks would be discovered in hours or even minutes, he suggests.

How to get there?

The need is to unlock value and leverage the results of current tools to be more than the sum of their parts, said Trilling. They would be recording every event seen and not just attacks, and store the material for years – every connection from every machine, log in, executable file, email, all collected whether or not they seemed suspicious, from premises, cloud, mobile and other sources sent to a completely secure off-site database which met global privacy regulation. The intention would not just be to block attacks but also provide a rich source of data to protect from future attacks. This multi-tenant data repository would be able to uncover new targeted attacks that might otherwise be invisible. There would be massive amounts of telemetry data connecting the dots across many thousands of companies, across multiple industries throughout the world.

Such cross-connection would be achieved by automated scripts getting data from many machines across many companies. This system would primarily detect after attack, which is still seen as better than today where many attacks go undiscovered, and the information can be used to protect others.

The aim would be to create a secure elastic big data store with all the data you choose to send, that you can mine and do analytics with including running third party analytic engines over your data.  Social type features could be added within this secure integrated platform enabling organizations to share with peers, policies, intelligence, attack IPs – then you could check all machines in your enterprise that, say,  have connected to a suspicious IP to which you have been alerted.

“We believe this will be the new security reality,” says Trilling.

This story was originally published on

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.