However, if it weren't for an outside agency alerting that company to the problem, its network could have been owned indefinitely. Indeed, according to a Ponemon survey of 3,529 IT/security professionals, the average time it takes to detect an advanced attack in the network is 80 days, with another 123 days to resolve the compromise.
In other words, knowing there's a problem in order to launch a discovery investigation is still the 800-pound gorilla in the room, calling for highly specialized skillsets to know where to look for signs of trouble in approved operations and traffic.
It is equally important to determine the value of internal systems and data to understand the motivation of the attacker, says Rick Holland, senior analyst with Forrester, a New York-based global research and advisory firm. Thinking like the bad guys will help organizations understand how advanced attackers will try to penetrate systems, what data they'd like to siphon out, and where they may attempt to hide.
“Ideally, organizations should be able to plug in tactics, techniques and procedures of the bad guys, and search their environment for these indicators,” Holland says. “This should be as easy as reaching out for a menu option of threat intelligence shared securely among peers.”
These details should cross the boundaries between physical and technical operations, adds Powell.
Share the knowledge
The exchange of attack information among peer organizations is key, says the CISO of a large high-tech information security company and a member of the Bay Area CSO Council, based in Los Gatos, Calif. The CISO asked not to be identified for this article.
Participation is small at the CSO Council – limited to 30 – but those members are powerful in the software community. “Members of the CSO Council share these attack intelligence signatures internally so we can see if we've been compromised collectively or independently,” he says. “We need data that can point to what the signs were and what the objective of the attack is.”
Members of the council have the deep resources to gather attack information and create their own intelligence profiles, build filters for their systems, hire forensic experts to investigate potential events and follow through with remediation.
However, Mike Cloppert, security intelligence analyst for Lockheed Martin, the Bethesda, Md.-based defense contractor, says small and midsize organizations are not so well staffed, nor could they afford to be. These will be the first organizations to demand automation of threat intelligence information. Forensic services vendors, for example, are beginning to package their collective knowledge as “security intelligence.”
And applying intelligence to data analysis is critical in a world where attackers are outsmarting layers of security, says Sean Bodmer, chief researcher of CounterTack, a Waltham, Mass.-based security intelligence firm.
“If you can't look at the data from the right perspective at the right moment, then what you're left with is a bunch of detection information going into a SIEM bullpen for someone to go search it,” Bodmer says. “That is the detection gap right there.”