Zero-day threat discoveries prompt a flurry of information security activity; but what if the vulnerability has already been exploited within your organization? Gene Stevens examines how organizations can benefit from taking a ‘perfect memory’ approach to network diagnostics.
Imagine your organization uses a common Java framework such as Apache Struts to build and manage website content. A new exploit has emerged, taking advantage of a bug in the plug-in that could allow intruders to infiltrate your network. This new exploit comes six months after hostile actors took advantage of another security hole in Apache Struts — but you, along with everyone else, are only just hearing about it.
You can and will use this information to figure out if you’re affected today. But what if you were affected six months ago, when it first emerged? Is it enough to sit back and hope you were missed? Of course not. You’re aware that attackers are very proactive in developing new threats and exploiting vulnerabilities, but you continually find out about them after the fact.
Perhaps until recently you’ve felt safe and secure because you’ve invested in the latest cybersecurity tools and technologies, and have an experienced in-house or outsourced security team. But even with this in place you still don’t know exactly what happened to your network prior to learning about these new attacks. Did intruders try to infiltrate your network through Apache Struts security holes? And if they did, was the attempt successful or not — or was there even an attempt at all?
Confidently answering questions like these impacts how you and your team are going to spend the rest of your day. Without this level of historical insight, it is impossible to build a complete security posture.
The limitations of logs
The problem is that being able to ‘rewind’ network activity for retrospective forensic analysis of security incidents in the weeks, months, or even years after the events happened, is extremely challenging. This is for two key reasons:
First, log analysis, which is one of the most common techniques used to review security events, comes with its own limitations. For a start, log analysis provides a very finite view into network activity. It can only record what was known at the time, which leaves organizations in the dark. To put it in perspective, you wouldn’t open a bank today without a security camera trained on it, would you? Likewise, in security, we should not be satisfied with logs of activity when what we really need is a high fidelity recording of everything.
Second, this challenge is compounded by the issue of dwell time, i.e. the average length of time a threat actor spends within a target network before being detected. Research suggests that the average intrusion to detection time ranging anywhere from 49 days to 229 days. Irrespective of which statistic is correct, this dwell time is far too long: when your security staff and tools do identify a zero-day attack, it’s not enough to simply stop it in its tracks there and then. You need to be able to go back through time and identify precisely when the attack first penetrated the network, how it has moved laterally, and what network areas it has traversed.
A perfect network memory
Both issues – the limitations of logs and the problem of dwell time – can be eliminated by having a ‘perfect memory’ of your network. Imagine how valuable it would be to be able to go back in time to any date and call up a complete, contextualized recording of everything that happened across your network at that time. From there, you could examine how any attack tried to impact your endpoints and networks, and how, or if, the attack was repelled.
Having a total recall of all communications unlocks the potential for new threat hunting techniques, such as the unique ability to reassess past events, and the ability to go back in time on demand and see everything — security-related or not — surrounding these discoveries.
Such a perfect memory of your network is possible. It is comprised of packets, data extracted from packets and all available context surrounding them. This perfect memory is also unlimited, which is made possible by sending data to the cloud where it can be stored indefinitely and continuously analyzed in an automated manner. With these capabilities, you now have a security posture that can shine a spotlight on what might be hiding in dark corners of your network, past and present.
Think of this as a giant data haystack that is inherently advantaged to being asked new questions, to help you find those needles easily. With corresponding scale and automation, you can manage massive timelines with low cost and effort, and you can extract full-fidelity data and store all of it. The ramifications of a perfect memory for the network — total recall — are security capabilities that were never before possible.
Gene Stevens is co-founder and CTO for ProtectWise. He has more than 20 years’ experience in software development, cloud computing, security-as-a-service, and distributed systems. Prior to founding ProtectWise, Gene was the Founder and CTO at TagLabs, a mobile tagging company. He was a Principal Software Engineer at McAfee, Cloud & Content Security and has also held engineering roles at MX Logic and GDX. Early in his career, Gene developed financial forecasting, market analysis and service capacity planning software for Hewitt Associates (Aon).