
Threat-centric security: Before, during and after an attack

February 22, 2013

In today's world of persistent malware and targeted attacks, attackers continue to innovate, using new attack vectors and increasingly capable tooling to infiltrate networks.

Given that there is no security “silver bullet,” we face the unfortunate reality that malware evades existing protection methods, makes its way onto networks and often hides unnoticed for extended periods. So what happens once you have identified a malware infection? How do you gather enough information to mitigate the impact of a breach? How do you reduce the likelihood of reinfection?

To answer these questions, we must accept the sophistication of today's malware landscape and take a threat-centric approach to security: defenses that address the full attack continuum, before, during and after an attack.

Before an attack, you need to know what must be protected. Put plainly, you can't protect what you can't see. That means knowing which users are on and off the network and which devices, services, operating systems and applications are running, and identifying the vulnerabilities among them. This is also the time to implement granular access control over applications and users: it reduces the attack surface and defines the rules of engagement for the attacker. Preparation that rests only on layered point technologies such as the firewall and anti-virus is no longer enough.

During an attack, you have already configured firewalls, tuned IPSes and deployed anti-malware, yet malicious activity or malware still gets through. Relentless attacks demand the best possible threat detection, since you can only block what you have detected. The problem with traditional security technologies is that they operate at a point in time: if malware is not detected when it is first seen, that decision is never revisited. Advanced attacks require continuous security, because evasive malware can slip past a single scan run before or during the attack, and once it has evaded detection it becomes entrenched and, without the right technology, is hard to locate, let alone eradicate. Finally, security in this part of the continuum must continuously update itself from evolving threat intelligence to sustain the highest possible detection rate.

After an attack has occurred and malware has been detected on the network, the end game is to determine the scope of the attack, contain its impact and remediate. That requires technologies with full visibility, from the network down to individual endpoints, so the scope of the infection can be established immediately: which systems are infected, how the malware got in and who was infected first.

As a complete picture of the outbreak across the network is built, the outbreak must be contained to arrest its spread. To speed remediation, continuous malware analysis should then be used to retrospectively locate files now known to be malicious and quarantine them, even if they were previously deemed safe.
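The retrospective step just described, together with the point-in-time problem raised under "during", as an added worked example that is not part of the original article or of any vendor's product: a small Python file-trajectory store that records every sighting of a file, so that a verdict of "clean" given on day one can be overturned on day two and applied to everything already seen. The event schema, host names, paths and hashes are constructed for illustration (the hashes are placeholders, not real samples), and the parent link used to walk back to the file that crossed the perimeter is an assumption about what an endpoint sensor reports.

```python
"""Retrospective detection over a stored file trajectory (added example).

Every sighting is kept so that a verdict handed down once (point in time)
can be revisited when threat intelligence changes. Hosts, paths, hashes
and the event schema are constructed for illustration; the hashes are
placeholders, not real samples.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileEvent:
    seen_at: datetime
    host: str
    sha256: str
    path: str
    source: str                   # arrival channel: "email", "web", "smb", "usb" or "dropped"
    parent: Optional[str] = None  # sha256 of the file that wrote this one, if the sensor saw it


# Constructed trajectory: a lure arrives by email, drops a payload, and the
# payload spreads over SMB to two more hosts. One unrelated clean download.
LURE, PAYLOAD, BENIGN = "a1" * 32, "b2" * 32, "c3" * 32
EVENTS = [
    FileEvent(datetime(2013, 2, 18, 9, 2), "ws-finance-07", LURE, r"C:\Users\jd\Downloads\invoice.exe", "email"),
    FileEvent(datetime(2013, 2, 18, 9, 5), "ws-finance-07", PAYLOAD, r"C:\Windows\Temp\svch0st.exe", "dropped", parent=LURE),
    FileEvent(datetime(2013, 2, 18, 14, 40), "fs-01", PAYLOAD, r"D:\share\tools\svch0st.exe", "smb"),
    FileEvent(datetime(2013, 2, 19, 8, 15), "ws-hr-12", PAYLOAD, r"C:\Windows\Temp\svch0st.exe", "smb"),
    FileEvent(datetime(2013, 2, 19, 8, 20), "ws-hr-12", BENIGN, r"C:\Program Files\7-Zip\7z.exe", "web"),
]


class TrajectoryStore:
    """Keeps every sighting so that a verdict can be revisited after the fact."""

    def __init__(self, events: List[FileEvent]):
        self.events = sorted(events, key=lambda e: e.seen_at)
        self.verdicts: Dict[str, str] = {}

    def point_in_time_scan(self, known_bad: set) -> Dict[str, str]:
        """Traditional model: one verdict per file at first sight, never revisited."""
        for e in self.events:
            self.verdicts.setdefault(e.sha256, "malicious" if e.sha256 in known_bad else "clean")
        return dict(self.verdicts)

    def sightings(self, sha256: str) -> List[FileEvent]:
        return [e for e in self.events if e.sha256 == sha256]

    def patient_zero(self, sha256: str) -> Optional[FileEvent]:
        """Earliest sighting of the hash anywhere on the network."""
        hits = self.sightings(sha256)
        return hits[0] if hits else None

    def entry_point(self, sha256: str) -> Optional[FileEvent]:
        """Follow parent links back to the file that actually crossed the perimeter."""
        current = self.patient_zero(sha256)
        visited = set()
        while current is not None and current.parent and current.sha256 not in visited:
            visited.add(current.sha256)      # guards against a malformed parent cycle
            parent_event = self.patient_zero(current.parent)
            if parent_event is None:
                break                        # parent never observed; stop at what we know
            current = parent_event
        return current

    def outbreak_report(self, sha256: str) -> dict:
        """Scope (which hosts), patient zero, how it got in, and what to quarantine."""
        hits = self.sightings(sha256)
        first, root = self.patient_zero(sha256), self.entry_point(sha256)
        return {
            "hosts": list(dict.fromkeys(e.host for e in hits)),
            "patient_zero": first.host if first else None,
            "entry": (root.source, root.host, root.path) if root else None,
            "quarantine": [(e.host, e.path) for e in hits],
        }

    def retrospective_verdict(self, sha256: str, verdict: str) -> Tuple[str, dict]:
        """Continuous model: later intelligence overrides the earlier verdict and is
        applied to every sighting already recorded, not just to new files."""
        previous = self.verdicts.get(sha256, "unknown")
        self.verdicts[sha256] = verdict
        return previous, self.outbreak_report(sha256)


def demo() -> Tuple[str, str, dict]:
    store = TrajectoryStore(EVENTS)
    # Day 1: the intelligence feed knows neither hash, so both are admitted as clean.
    first_verdicts = store.point_in_time_scan(known_bad=set())
    # Day 2: the feed now flags PAYLOAD. A point-in-time scanner has nothing to
    # re-examine; the trajectory store turns the new verdict into an outbreak report.
    previous, report = store.retrospective_verdict(PAYLOAD, "malicious")
    return first_verdicts[PAYLOAD], previous, report


if __name__ == "__main__":
    print(demo())
```

Running the module prints the day-one verdict ("clean"), the verdict being overturned, and the report: three hosts in scope, patient zero on the finance workstation, the entry point traced past the dropped payload to the e-mailed lure, and a host-and-path list ready for quarantine. Note that patient zero and entry point are different questions: the first is where the flagged hash was seen earliest, the second is the file that brought it in, which is why the store keeps parent links rather than hashes alone.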

So, you've been hit. Malware has made its way onto your network, and you need to find it, get rid of it and prevent it from coming back. There is no silver bullet, but the problem can be addressed with advanced technologies that are integrated and work together. When defending, start with the threat. Only a threat-centric approach to security will address the full attack continuum: before, during and after.