Given the ease with which today’s advanced cyber threats penetrate traditional rules-based or perimeter solutions, building cyber defenses entirely on them seems closely akin to fighting a medieval joust with paper shields.
These rigid, often rule-based defenses are ineffective against the coordinated, intelligent attacks of criminal hackers and state-sponsored threat actors because each human-driven action can be unique, is often unpredictable, and can find ways to circumvent defenses. The most common route is to gain trusted access to the environment through attacks such as phishing.
This has been evident in the high-profile data breaches every year. A recent attack on the US Office of Personnel Management (OPM), a government agency that manages public servants, resulted in hackers stealing personal data of 21.5 million current and former federal employees and government contractors.
The intrusion, which US officials reportedly linked to state-sponsored threat actors, was discovered in April but attackers had been in the OPM databases for months, according to computer forensics experts.
The OPM attack highlighted the need to make defenses more effective in two ways: better detection and better response. If organizations accept that a breach is a question of ‘when’ rather than ‘if’, the key is to detect and respond to malicious activity before cyber-criminals steal data, using technologies that increase visibility so intruders can be spotted at every stage of their activity. This is a fresh perspective on preventing criminals from penetrating and exploiting systems.
What security professionals need is a solution that equips them to fight back adaptively and dynamically. Last year, “far too many organizations were unprepared for the inevitable breach, allowing attackers to linger far too long in compromised environments”, according to the Mandiant 2015 M-Trends report.
Indeed, malicious actors spent a median of six months within breached systems before detection. Moreover, Mandiant’s study found that a majority of the breached companies only discovered they had been hacked through a third party, such as a supplier, customer or law enforcement agency.
And attackers continue to be elusive, constantly changing tactics to evade security teams’ new defenses. Intruders have used clever new techniques to steal credentials and infiltrate compromised environments.
“I see it as differing time scales between attack and response,” Mark Graff, previously NASDAQ’s chief information security officer (CISO), told delegates at Splunk’s .conf user conference last year. “It’s possible to spend minutes or hours to build a very strong attack and yet the defenders can take months to build a defense to a given attack. There’s a second timescale problem. Attacks can come and penetrate our network in milliseconds and yet, it may take minutes, hours or days to figure out what’s going on from a defender’s point of view.”
Whack the mole
NASDAQ, a global financial technology, trading and information services provider, used tools from Splunk to help protect its information from the hundreds of attacks it faces, as it did with the Heartbleed and Shellshock attacks.
Fundamental to its defense is the Splunk security dashboard the company quickly built on the same day Heartbleed became public. The dashboard allowed NASDAQ to “track the race we were engaging with the bad guys trying to break in,” said Graff. “We wanted to fix [the vulnerability] as fast as we possibly could by applying the patch. We also wanted to track [anybody coming after] to exploit the vulnerability. And if we could see somebody doing that, we wanted to know whether the system they’re gunning for is vulnerable or already patched.”
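The “race” dashboard described above comes down to one join: exploit-attempt alerts against each targeted host, matched with that host’s patch status from the asset inventory, so that vulnerable hosts under active probing float to the top. The following is an added illustration in Python, not NASDAQ’s or Splunk’s code; the alert lines, host names, inventory and the signature name `TLS_HEARTBEAT_OVERSIZED` are all constructed, and the only real fact used is that OpenSSL 1.0.1 through 1.0.1f were affected by Heartbleed while 1.0.1g fixed it.

```python
from collections import Counter

# Constructed sample IDS alert lines (not real telemetry): ts, src, dst host, signature
ALERTS = """\
2014-04-08T10:01:12Z src=198.51.100.7 dst=web01 sig=TLS_HEARTBEAT_OVERSIZED
2014-04-08T10:01:13Z src=198.51.100.7 dst=web02 sig=TLS_HEARTBEAT_OVERSIZED
2014-04-08T10:02:40Z src=203.0.113.9 dst=web01 sig=TLS_HEARTBEAT_OVERSIZED
2014-04-08T10:03:05Z src=203.0.113.9 dst=vpn01 sig=TLS_HEARTBEAT_OVERSIZED
2014-04-08T10:03:07Z src=203.0.113.9 dst=web02 sig=SSH_BRUTE_FORCE
2014-04-08T10:04:11Z src=203.0.113.9 dst=mail01 sig=TLS_HEARTBEAT_OVERSIZED
"""

# Constructed patch inventory: host -> OpenSSL version reported by the asset system
INVENTORY = {"web01": "1.0.1e", "web02": "1.0.1g", "vpn01": "1.0.1f", "db01": "1.0.1e"}


def is_vulnerable(version: str) -> bool:
    """OpenSSL 1.0.1 up to and including 1.0.1f are affected; 1.0.1g and later are fixed.
    Lexicographic comparison is adequate here because 1.0.1 releases use single-letter suffixes."""
    return version.startswith("1.0.1") and version < "1.0.1g"


def parse_alert(line: str):
    """Turn 'ts k=v k=v ...' into (src, dst, sig)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], fields["sig"]


def race_board(alert_text: str, inventory: dict, signature: str = "TLS_HEARTBEAT_OVERSIZED"):
    """Per targeted host: number of exploit attempts, distinct sources, and patch status.
    Vulnerable hosts that are being probed sort first; hosts missing from the
    inventory are flagged 'unknown' rather than silently treated as patched."""
    hits, sources = Counter(), {}
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        src, dst, sig = parse_alert(line)
        if sig != signature:
            continue  # only the exploit signature we are racing against
        hits[dst] += 1
        sources.setdefault(dst, set()).add(src)
    board = []
    for host, count in hits.most_common():
        ver = inventory.get(host)
        status = "unknown" if ver is None else ("vulnerable" if is_vulnerable(ver) else "patched")
        board.append({"host": host, "attempts": count, "sources": len(sources[host]), "status": status})
    board.sort(key=lambda r: (r["status"] != "vulnerable", -r["attempts"]))
    return board
```

In a SIEM the same logic is a lookup of the alert’s destination host against the asset table; the point is that the dashboard answers “is the system they are gunning for still vulnerable?” rather than merely counting alerts.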
Since first implementing Splunk as an IT tool to monitor and analyze its machine data, NASDAQ has expanded the use of the platform for security information and event management (SIEM), security analytics and integrated network monitoring to secure and improve its operations.
Race to patch
Splunk has been positioned as a leader in Gartner’s SIEM Magic Quadrant three years in a row. The industry accolades dovetail with the growing number of organizations using Splunk security analytics to augment, replace and surpass their legacy SIEM deployments. These organizations are harnessing the broad security intelligence from data collected across IT, the business and the cloud to improve detection, response and recovery from advanced threats.
“Splunk is growing well beyond the SIEM market rate, as an increasing number of companies recognize the value of taking an analytics-driven approach to security with Splunk as the nerve center,” says Haiyan Song, senior vice president of Security Markets at Splunk. “And with our recent acquisition of Caspida, we are adding machine learning-based user behavioral analytics and extending our analytics-enabled SIEM to better detect advanced and insider threats.”
The greatest unmet need, as Gartner principal research analyst Kelly Kavanagh and research director Oliver Rochford point out, is “effective targeted attack and breach detection. Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization. The situation can be improved with stronger threat intelligence, the addition of behavior profiling and better analytics.”
To that end, organizations must be able to mine and sift through massive amounts of network data, authentication data, application data, logs and more, and to make full use of that information through a variety of security indicators such as notable events, risk scoring, visual correlation and anomaly spotting, so that the root cause of a breach can be found and closed quickly.
Immediate access to all data, with the ability to see everything, find relationships, and search and pivot dynamically on threats, plus a quick way to customize dashboards and views for unique attacks, is akin to upgrading security professionals with modern shields against cyber intrusions.
Like NASDAQ, many organizations around the world are using the Splunk platform as the brains behind their next-generation security operations center. They are creating analytics to help detect both known and unknown advanced threats.
It is also particularly telling when a major content and network security software vendor like Symantec selects Splunk Enterprise to help bolster its security intelligence operations.
Symantec is using Splunk software to centralize, monitor and analyze security-related data, and ensure compliance with Sarbanes-Oxley and the Payment Card Industry Data Security Standard. With today’s threat landscape, the company needed to react quickly to identify and respond to any type of threat, especially advanced threats that continue to increase in complexity.
The breach late last year at a major entertainment studio, which compromised the personal information of tens of millions of customers and employees, highlighted the serious consequences of not treating cyber warfare seriously. How can an organization be sure that it won’t be the next victim of a similar attack?
Today’s attackers exploit security lapses such as computers left logged in, use advanced malware to bring down networks, and take advantage of the lack of an incident response plan, among other weaknesses. Many organizations have not been vigorous enough in protecting intellectual property, still rely on inadequate ‘paper-shield’ defense infrastructure, and lack access to the critical data that offers accurate, real-time threat visibility to support a proper incident response.
Perimeter- and rules-based solutions may be the first line of defense, but smart CISOs know that they are really in an intense race to protect their systems before attackers can exploit any compromise or vulnerability.
For these reasons, information security professionals are increasingly turning to Splunk as a platform for analytics-driven security to quickly identify anomalies and threats, do deep forensic investigation into terabytes of data, trace back attacks to the root cause and defend against malicious attacks with a modern “all information on deck” analytics-driven approach.
This is a QuestexAsia feature commissioned by Splunk.