
Finding a needle in a haystack:The continuous approach to cyber defence

WHITE PAPER


Executive Summary

The innumerable forms in which a cyber threat may present itself make the task of foiling attackers extremely difficult, and all the more so given the sheer noise and complexity of today’s computer networks.

How do you find a needle in a haystack, when the haystack is growing incrementally every day? And how do you define the needle? With millions of versions of sophisticated malware circulating, thousands of users accessing data, hundreds of supply chain companies and partners walking in and out of your digital premises every day, knowing what to look for is not obvious.

Indeed, we are faced with the challenge of finding the needle – the first signs of a compromise or a breach – without really knowing how to characterise it. We know it is there, but we don’t know where it is, how it is behaving or what its objective is. This unknowable nature requires a detection approach that is radically different to traditional methods, which may spot behaviours that have been strictly defined in advance, but are incapable of spotting fast-moving, intelligent and human-driven threats.

The old, rules-based security stack has inevitably led many companies to spend far too much time chasing after pre-identified threat vectors, in a continual game of catch-up. No sooner is one vulnerability patched than another one raises its ugly head, and resources are invested in reactive damage control. The reality is that it is nearly impossible to second-guess how a cyber-attack will start and finish, at the more advanced (and most dangerous) end of the threat spectrum, as ongoing cyber-attacks continue to demonstrate.

Our inherent vulnerability to sophisticated attackers today requires a company-wide response, uniting all business units in a continual process of informed investigation and action, based on evolving evidence of the real potential threats that an organisation faces at any one time.

The state of cyber-attacks today requires us to go beyond simply finding the needle in the haystack, and get a grasp on all the unknowable yet ‘strange’ things that are happening beneath the surface of our busy organisations. Companies must consider cyber security as an on-going process of self-evaluation and informed actions - not as a state of perfection to be achieved and maintained.

The threats that exist today to your company’s reputation, financials and operations must be kept in constant check to stop them spiralling out of control and into the headlines. To do this, it is critical to separate out the threats that we can live with, from the ones that have the potential to inflict existential harm. So a real challenge at the heart of our imperative for ‘good cyber security’ is one of discovery – of knowing, ahead of time, about the threats that you are going to really care about.

A continuous approach to cyber security accepts that ongoing cyber threat is an inevitable part of doing business. It can be managed, however, by continually assessing your digital landscape for emerging risks and taking remedial action when necessary. A constantly vigilant approach is only useful if you have the technology and means to parse the haystack intelligently and at speed. By applying a self-learning methodology to filtering and prioritising the informational leads that exist within each organisation, companies are empowered to find all forms of inconspicuous threats hiding in the haystack, and to deal with them in a way appropriate to their specific environment, before they become a problem.


Block them… or clean up afterwards

A large part of the security market today is centred on blocking threats at the outset. Anti-virus, firewalls and signature-based tools try to stop the bad guy getting in. The heyday of such preventative solutions has now passed, as cyber-attackers continue to demonstrate their capability of getting round these perimeter controls.

Guarding the perimeter is a necessary and a valid defence against many threats, but it is only the first step in any organisation’s modern security strategy. Most corporate networks are compromised already to some degree, with threats that have sidestepped rule-based controls at the door.

The other major component of traditional defence consists of reacting to a breach or attack, through incident event management. Skilled cyber practitioners with experience of how cyber-attacks work are mobilised in the wake of an attack, and perform high-value investigation work, deconstructing the attack, understanding methods used and sharing their insights with the wider community for threat intelligence feeds and rule updates.

Mind the gap and investigate

Blocking tools and clean-up services are important parts to any security strategy, but a conspicuous gap exists between these two functions of prevention (of infiltration) on the one hand, and reaction (to breaches and attacks) on the other. This gap spans from the point of network infiltration, to the point of data exfiltration or damage done. This critical window of opportunity, where the threat is propagated and does its most high-value work, is a no man’s land in terms of cyber defence.

Our collective failure to detect in-progress attacks is evident. The average time it takes to detect a malicious cyber-crime is 170 days, while attacks involving malicious insiders with access to the network take an average of 259 days to uncover. The planning and execution of cyber-attacks are happening within the network, without anyone being aware until far too late.

Given this deficiency, efforts are now focused on shifting the emphasis from the prevention mechanisms that have failed to live up to all their promises, and onto ‘continuous monitoring’ or ‘situational awareness’.

A constantly evolving environment

There are two moving components that challenge us as information security professionals: the digital environment that we strive to protect, and the threats that jeopardise this goal.

The insides of our organisations are rarely pretty. The modern enterprise must be open to the world, and hyper-connected to customers, supply chain and partners, as well as to its own employees and contractors. The sheer volume of data passed around amongst these parties and to the outside world has made for extremely noisy and complex environments. Added to this, technology is constantly being revised and replaced, people come and go, and network architectures are in constant flux.

This increasing connectivity has allowed us to be efficient and competitive, but has also made the network a dark and unknowable place for many. The theory of the network architecture is typically undermined by the reality of what is actually going on – a large haystack has been created over time, tweaked and changed by different operators and has become difficult to navigate and easy to get lost in.

Threat actors take advantage of this complexity in order to hide within your systems. Threats often change as fast as, and often faster than, your own environment, driven by a combination of skilled humans and smart tools. While many lower-level threats may be stopped on entry, the reality is that an ‘advanced threat’, or anyone with a degree of knowledge and skill, is able to bypass these perimeter blockers and infiltrate the network with relative ease.

Such threats with real potential to do damage are constantly adapting themselves – the most sophisticated attackers learn how to navigate your environment, understand where interesting data resides, and tailor their methods accordingly. A human attacker has a whole range of creative tactics at their disposal, and only needs to be lucky once.

A constantly-changing environment coupled with constantly-changing threats has rendered traditional security solutions ineffective. Guarding the gate has not stopped the recent major attacks against large media companies, banks, airlines, retailers and others, instead propelling them directly into rushed and reactive incident event management and damage control. We cannot find the needle, because we don’t know how to effectively explore the haystack.


Ultimately this means acquiring a good understanding of what is going on inside our organisations (not just on the border), in order to assess and prevent specific events or behaviours that may be ‘of concern’ to us. Amongst all that hay, what looks like it might be a needle?

Embracing uncertainty must be central within this goal of gaining visibility and finding abnormalities. Businesses and threats move too fast for us to pre-define beyond doubt what ‘dangerous’ looks like, and abnormality presents itself in a thousand different forms. The key characteristic that we can be fairly sure of is that the so-called ‘threat’ will not be the same as anything else surrounding it. There is a delta of change, however subtle, which makes the behaviour of a would-be attacker stick out as ‘weird’, in contrast to everything else.

Anomaly Spotlight: Advanced Persistent Attack

Darktrace detected anomalous behaviour on the network of a large mobile network provider, with tens of thousands of employees and many millions of subscribers, which indicated a targeted spear-phishing attack aimed at one of its servers. Such compromises commonly target servers holding the core of customers’ sensitive data, such as resalable personal information or billing references. Telephone providers hold large volumes of highly confidential information about subscribers’ locations and personal details, so a breach of their systems has the potential to cause major reputational damage and loss of integrity.

The goal of this advanced attack however was arguably more complex than merely acquiring customers’ financial information. The objective would have been to survey specific customers of the mobile phone provider in detail. The hackers were attempting to extract data in a repeatable process in order to track people’s phone calls, the time and place that calls were being made, and possibly even the current location of the mobile device.

Darktrace successfully averted a crisis for this organisation by alerting its security analysts to the anomalous behaviour before any sensitive information was lost. By catching this threat early, Darktrace ensured that the established reputation and finances of the business remained safe.

Intelligence agencies the world over face a challenge that is comparable in many ways to the cyber security challenge that businesses are grappling with today. Tasked with protecting national security, and concentrating on the areas of threat deemed to be of greatest importance, an intelligence agency relies entirely on intelligence: strands of information from a variety of different sources and of differing quality or reliability. This intelligence points them to areas and actions that could be considered ‘strange’: a crime report, a sighting of someone in an unusual place, an overheard conversation that contains certain terms, or an unexpected purchase of certain chemicals.

These snippets of information, or ‘leads’, are monitored and correlated, allowing agents to piece together a compelling picture that helps them decide where to focus their efforts and dedicate resources. Some snippets will not amount to much on their own, others will combine to provide critical intelligence that feeds a deeper investigation. The process of sifting through and parsing segments of information is a continual process, which is constantly informing and re-informing how their time is spent and where to look.

Digital environments, whether a corporate network or an industrial control system, are similarly full of snippets of information, which are of varying degrees of interest to the security officer, depending on his or her business goals and risk appetite. Some leads may be straightforward policy breaches; others are behaviours that could be considered suspicious in some way.

This mass of leads must be looked at and sorted, in order to form patterns and draw conclusions that may in turn inform appropriate courses of actions. Intelligence agencies employ leading cyber analysts to perform this skilled task, people who apply their experience of threat patterns and technical know-how to investigate and determine the strength of differing pieces of intelligence, based on the available evidence.

For companies tasked with the same challenge, employing large teams of skilled cyber analysts is rarely either possible or justifiable. The volume of data and the speed of its travel around the network and across the wider internet necessitate technology to do the heavy lifting. New technological advances in cyber security are capable of intelligently making sense of all this information, providing a comprehensible overview of an organisation’s activities and directly pointing people to where the problem is. This frees people up to focus on taking action appropriate to their specific set of circumstances, and empowers them to change the course of threats, mitigating risky situations before they need to call in the incident response team.

Automated cyber intelligence

Automation of the filtering process is therefore indispensable if we are to understand where to spend our time and how to bring about a meaningful reduction in the risk our enterprises face. Automated Lead Intelligence is the technology process by which individual snippets of information are monitored, correlated and pieced together to form strong anomalies that require investigation.

A requirement of this process is technology that can see the entirety of your network – down to which machine is talking to which, what files are being accessed by whom, how much data is being transferred, etc. – and perform advanced analysis on that data in real time. This smart analysis must be capable of working out the organisation’s ‘pattern of life’ and, critically, revising its assessment of normality continually, based on the evolving evidence that it sees. This perpetual evaluation cycle allows for the dynamic prioritisation of potential threats, which may escalate or diminish in seriousness depending on the behaviours manifested.

Self-learning, ‘immune system’ technologies are performing this fundamental function of adaptive, intelligent monitoring of highly-complex data environments. Using advanced machine learning and mathematical techniques, this school of technology is capable of understanding ‘normality’ and surfacing statistically anomalous events that are worthy of an organisation’s investigation.
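The three ideas above (a per-entity ‘pattern of life’ that is re-estimated on every observation, weak leads correlated into a stronger anomaly, and a priority that escalates or fades over time) can be shown in a small worked example. The code below is an added illustration written for this page; it is not Darktrace’s code and makes no claim about how the Enterprise Immune System is implemented. It assumes hourly per-host telemetry with two constructed metrics (`out_mb`, megabytes sent outbound; `new_dests`, count of previously unseen destination hosts) and uses an exponentially weighted running mean and variance as the baseline; the thresholds and decay factor are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Tunables. These values are assumptions chosen for the example, not vendor settings.
ALPHA = 0.2           # EWMA weight given to the newest observation
WARMUP = 6            # observations seen before an (entity, metric) pair is scored
Z_LEAD = 4.0          # |z| at or above which an observation becomes a lead
DECAY = 0.5           # per-time-step multiplier on an entity's accumulated priority
MIN_STD_RATIO = 0.05  # floor on std as a fraction of |mean|, so flat baselines don't explode z


class PatternOfLife:
    """Per-(entity, metric) running baseline, re-estimated on every observation."""

    def __init__(self):
        self.state = {}  # (entity, metric) -> (count, ewma_mean, ewma_var)

    def observe(self, entity, metric, value):
        """Score `value` against the current baseline, then fold it into the baseline."""
        key = (entity, metric)
        count, mean, var = self.state.get(key, (0, float(value), 0.0))
        std = max(math.sqrt(var), MIN_STD_RATIO * abs(mean), 1e-9)
        z = (value - mean) / std if count >= WARMUP else 0.0
        # Anomalous points get a much smaller weight, so one spike does not
        # immediately become the new "normal" and mask a sustained exfiltration.
        w = ALPHA if abs(z) < Z_LEAD else ALPHA / 10
        delta = value - mean
        mean += w * delta
        var = (1 - w) * (var + w * delta * delta)   # standard EWMA variance recurrence
        self.state[key] = (count + 1, mean, var)
        return z


class LeadCorrelator:
    """Collect leads per entity. Priority decays each time step, so an isolated
    blip fades while a cluster of fresh leads on one entity escalates."""

    def __init__(self):
        self.priority = defaultdict(float)
        self.leads = defaultdict(list)

    def tick(self):
        for entity in self.priority:
            self.priority[entity] *= DECAY

    def add(self, t, entity, metric, z):
        if abs(z) >= Z_LEAD:
            self.leads[entity].append((t, metric, round(z, 1)))
            self.priority[entity] += abs(z)

    def ranked(self):
        return sorted(self.priority.items(), key=lambda kv: kv[1], reverse=True)


def run(observations):
    """observations: iterable of (t, entity, metric, value), ordered by t.
    Returns the entities ranked by current priority, and the leads behind each."""
    baseline, corr = PatternOfLife(), LeadCorrelator()
    current_t = None
    for t, entity, metric, value in observations:
        if t != current_t:          # new time step: let older leads fade
            corr.tick()
            current_t = t
        corr.add(t, entity, metric, baseline.observe(entity, metric, value))
    return corr.ranked(), dict(corr.leads)


def constructed_observations():
    """Constructed hourly telemetry for three hosts (not real data)."""
    obs = []
    for h in range(24):
        # ws-017: steady pattern with one isolated blip in new destinations at hour 12.
        obs.append((h, "ws-017", "out_mb", 20 + h % 3))
        obs.append((h, "ws-017", "new_dests", 6 if h == 12 else 2 + h % 2))
        # ws-042: same pattern until hours 22-23, when it pushes ~1.5 GB to ~40 new hosts.
        exfil = h >= 22
        obs.append((h, "ws-042", "out_mb", 1500 if exfil else 20 + h % 3))
        obs.append((h, "ws-042", "new_dests", 40 if exfil else 2 + h % 2))
        # srv-db-01: a busy but regular server; high volume is its normal, so no lead.
        obs.append((h, "srv-db-01", "out_mb", 500 + 10 * (h % 2)))
        obs.append((h, "srv-db-01", "new_dests", 0))
    return obs


if __name__ == "__main__":
    ranked, leads = run(constructed_observations())
    for entity, score in ranked:
        print(f"{entity:10s} priority={score:8.1f} leads={leads[entity]}")
```

Two design points matter for a practitioner. First, the database server’s 500 MB/hour is never flagged, because the baseline is per entity: ‘normal’ is whatever that host usually does, not a global threshold. Second, the blip on ws-017 produces one lead and then decays to nothing within a few steps, while ws-042 produces two independent leads in the same hour and keeps producing them, so its priority stays high; that is the escalation and diminishing the paragraph describes. Down-weighting anomalous points when updating the baseline is what stops the ongoing exfiltration from teaching the model that 1.5 GB/hour is now normal.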

Knowing if, where and when to take action, and selecting the appropriate level of intervention or surveillance is an age-old problem for intelligence agencies – and will never be a perfect system. But all good decision-making is dependent on good intelligence. By automating lead intelligence, companies are empowered with the visibility of their specific threat landscape that lets them take action against developing anomalies.


Interoperability: an integrated security stack

With so many security products readily available, deciphering the marketplace can be a daunting task. At the forefront of a good security procurement strategy must be the effective integration of the different components to deliver a cohesive model of prevention, investigation and response.

Immune system defensive technology fills the widest gap in the security stack today, because it sits at the heart of the organisation, where all the interesting behaviours happen and where small changes to the ‘norm’ can point to the beginning stages of an attack lifecycle. Even the most advanced attackers cannot ultimately hide from the wire – they must move, take action, change something. The Enterprise Immune System picks up immediately on those small deltas of change, amid all the day-to-day noise of the network.

It is critical too that immune system technology is designed to integrate with the full range of other traditional security tools, such as log readers, endpoint security products and anti-virus, allowing the value that these other solutions may deliver to be enhanced. The interoperability of the Enterprise Immune System means that it becomes a central hub of intelligence that complements other parts of the security infrastructure, bringing together all forms of leads to better understand potential threats and help inform security practitioners.

Anomaly Spotlight: Insider Threat

Through an oversight in the security lockdown, an employee of a large retail company found that they were able to read all of their colleagues’ emails. Had they immediately reported this mistake, there would not have been a problem. Instead, Darktrace detected that the employee proceeded to access company emails in this way from their laptop and read the CEO’s private messages on two separate occasions. In an attempt to remain concealed, the employee then accessed the CEO’s emails on two further occasions from two separate devices.

As a result of the complete network visibility that Darktrace provides, the company was alerted to this anomalous behaviour and was able to pinpoint exactly where the inadvertent breach first took place and each subsequent location, enabling it to identify the employee and take action. In this case, what started as an accidental oversight turned into an insider exploiting their own organisation, with the potential to gain and take advantage of sensitive information.

Joining the dots

Effective cyber security is ultimately about good people, technology and process.

Technology is critical to automate lead intelligence, analysing at speed the vast swathes of data that flow through the organisation all the time. It does the heavy lifting, getting through all the noise and distractions of an organisation’s systems and producing actionable intelligence about genuine network anomalies.

Empowered by technology, people can focus on the high-value job of investigating specific events and taking key decisions, based on their unique knowledge of their business environment and risk appetite. This investigative role requires an analytical mind and technical skill set.

Processes must support the goal of preventing intrusions where possible, but also fundamentally enable the perpetual monitoring and reassessment of the inside of the network, as part of an integrated continuous approach.


Conclusion

As cyber security is now firmly on the company board’s agenda, we have seen its status escalate and begin to affect all business units. ‘Cyber’ is no longer simply an IT issue, but a consideration for all parts of the business that interact with the lifeblood of the organisation – its data.

Boards further recognise that cyber security is not a topic that can be addressed once and for all. Processes must be implemented so the business is continually assessing the threats that it faces, and readjusting its assumptions, in order to proactively address issues as they arise, at any moment.

Recent data breaches that have affected major corporations, across the complete range of industry sectors – from energy to media, transportation to banking, healthcare to legal – demonstrate that investment in traditional security controls is not sufficient to protect them, because those controls fail to adapt to an ever-evolving environment. The advanced persistent attacker will always find a way in – not to mention the people who are already on the inside.

Today’s leading enterprises view cyber security as a mainstay in their risk management agendas. In order to convert this attention to a meaningful reduction in risk, companies need to consider whether they have the right technology that can intelligently monitor the organisation’s activity on a continual basis – without disrupting the business or IT functions. Critically, this capability must be sensitive to the most dynamic and wily of attackers – ones that do not come up in any ‘threat intelligence’ feed, ones that breach network borders, ones that bypass endpoint controls.

Threats that you do not know exist must nevertheless be found. This is only possible by moving on from rules, and embracing a continuous and more subtle approach that blends self-learning technology with skilled people and good process. Doing this, we give ourselves the best possible advantage in the perpetual battle against the sharp end of the cyber-threat spectrum.

NHS-001r3en Darktrace © Copyright 2015 Darktrace Limited. All rights reserved. Darktrace is a registered trademark of Darktrace Limited. Enterprise Immune System, and Threat Visualizer are unregistered trademarks of Darktrace Limited. Other trademarks included herein are the property of their respective owners.

About Darktrace

Named ‘Best Security Company of the Year’ in the Info Security Products Guide 2015, Darktrace is one of the world’s leading cyber threat defence companies. Its Enterprise Immune System technology detects previously unidentified threats in real time, powered by machine learning and mathematics developed at the University of Cambridge, which analyse the behaviour of every device, user and network within an organisation. Some of the world’s largest corporations rely on Darktrace’s self-learning appliance in sectors including energy and utilities, financial services, telecommunications, healthcare, manufacturing, retail and transportation. The company was founded in 2013 by leading machine learning specialists and government intelligence experts, and is headquartered in Cambridge, UK and Washington D.C., with offices in Dallas, London, Milan, Melbourne, New York, Paris, San Francisco, Singapore and Toronto.

Contact Us

US: +1 (917) 363 0822

Europe: +44 (0) 1223 350 653

Email: [email protected]

www.darktrace.com