
Sitting ducks?

March 22, 2012

Malware that would enable attackers to breach Federal networks may already be on the country’s critical infrastructure, just waiting for the right moment to access sensitive data, or do damage to major systems. That was the theme of a report I was reading yesterday.  With millions of dollars spent every year on information security, you might be asking: why hasn’t it been detected and dealt with yet?  It’s a valid question.

The answer lies in the way that most information security tools work. The majority of large networks – both federal and commercial – deploy security technologies such as IDS, SIEM and others designed to spot specific events on hosts or networks, rather than anomalies such as changes in system state or configuration. They're designed to spot a DDoS attack, for example, or the penetration of the network at the perimeter – events that have all the hallmarks of an attack. These security technologies identify abnormal events as potential attacks (or other security-related issues) and take a pre-defined action – triggering an alert, or quarantining a file, for example.

The majority of information security technologies deployed in large networks, however, aren't prepared for complex, multifaceted attacks – or sophisticated ones that aren't identifiable through either pre-defined signatures, or administrator-created rules and alerts that look for "known entities". These traditional point security tools won't be able to identify, for example, that there is a connection between multiple failed logins on an account that has access to a critical system and configuration changes on a different system, abnormally high volumes of network traffic on a device containing sensitive data (such as HIPAA or PCI systems), or anomalous network traffic that isn't necessarily breaking policy, but is still not normal (such as using ephemeral TCP or UDP ports).
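The kind of cross-system correlation the paragraph above says point tools miss can be illustrated with a small detector. The following is an added example, not code from the original post or from any product it alludes to: it takes a normalized event feed (the sample log lines, the account and host names, and the thresholds are all constructed for the illustration), looks for a burst of failed logins on a privileged account, and then gathers the other evidence the post lists within the same time window: a configuration change by that account on a different host, and an unusually large volume of traffic from a host holding sensitive data. None of the three events is alarming on its own; the finding comes from linking them.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the post), in the shape a SIEM
# might export: ISO timestamp followed by key=value fields.
SAMPLE_EVENTS = """\
2012-03-21T02:10:05 host=db01 type=auth_fail user=svc_backup
2012-03-21T02:10:09 host=db01 type=auth_fail user=svc_backup
2012-03-21T02:10:14 host=db01 type=auth_fail user=svc_backup
2012-03-21T02:10:21 host=db01 type=auth_fail user=svc_backup
2012-03-21T02:11:02 host=db01 type=auth_ok user=svc_backup
2012-03-21T02:14:40 host=fw02 type=config_change user=svc_backup
2012-03-21T02:16:03 host=db01 type=net_volume bytes=52000000000
2012-03-21T09:00:00 host=ws17 type=auth_fail user=jsmith
2012-03-21T09:00:05 host=ws17 type=auth_ok user=jsmith
"""

# Assumed context an analyst would maintain: which accounts reach critical
# systems, which hosts hold regulated data, and what "normal" volume looks like.
PRIVILEGED_ACCOUNTS = {"svc_backup"}
SENSITIVE_HOSTS = {"db01"}
VOLUME_BASELINE_BYTES = 10_000_000_000
FAIL_THRESHOLD = 3                 # failed logins that count as a burst
WINDOW = timedelta(minutes=10)     # how far apart linked events may be


def parse_events(text):
    """Turn the key=value feed into a list of dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def correlate(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Link a failed-login burst on a privileged account to config changes on
    other hosts and to traffic spikes on sensitive hosts inside one window."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for user in sorted(PRIVILEGED_ACCOUNTS):
        fails = [e for e in events
                 if e["type"] == "auth_fail" and e.get("user") == user]
        for i in range(len(fails) - threshold + 1):
            burst = fails[i:i + threshold]
            if burst[-1]["ts"] - burst[0]["ts"] > window:
                continue          # failures too spread out to be one burst
            start = burst[0]["ts"]
            end = burst[-1]["ts"] + window
            burst_hosts = {e["host"] for e in burst}
            evidence = [f"{threshold} failed logins for {user} on "
                        f"{','.join(sorted(burst_hosts))}"]
            for e in events:
                if not start <= e["ts"] <= end:
                    continue
                if (e["type"] == "config_change" and e.get("user") == user
                        and e["host"] not in burst_hosts):
                    evidence.append(f"config change on {e['host']} by {user}")
                elif (e["type"] == "net_volume" and e["host"] in SENSITIVE_HOSTS
                        and int(e["bytes"]) > VOLUME_BASELINE_BYTES):
                    evidence.append(f"{e['bytes']} bytes from sensitive host "
                                    f"{e['host']}")
            if len(evidence) > 1:   # only report when events actually link up
                findings.append({"user": user, "start": start, "end": end,
                                 "evidence": evidence})
            break                   # one finding per account per burst
    return findings


def run_demo():
    """Run the correlation over the constructed sample feed."""
    return correlate(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['user']} {finding['start']} .. {finding['end']}")
        for line in finding["evidence"]:
            print("  -", line)
```

On the sample feed the ordinary user's single failed login produces nothing, while the service account's burst is reported together with the firewall change and the traffic spike that followed it. The window length, thresholds and baselines are the tuning knobs; in practice they come from observed behaviour of the accounts and hosts in question rather than fixed constants.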

If the reports are true – and something is already on Federal networks – then what's required to detect these threats is not a new system, but the next evolutionary step in information security. This is perhaps the toughest challenge all organizations face in protecting themselves against the new breed of threats that will attack each and every organization out there… regardless of whether they're prepared for it or not.
