Cyber Security Strategy: The Quest for Visibility and Threat Hunting

There’s currently so much emphasis in the cyber security market space on after-the-fact visibility into what bad things just happened. So much energy, time, money, strategy and dialogue about it, writes Scott Scheferman. The trouble is, it comes at a cost. For every moment we spend reacting, tracking down root cause analysis, examining forensics, peering at visibility, offsetting risks, running playbooks and all the rest, we lose a moment to forge ahead.

Some commentators argue that prevention has failed us and, hence, we should retreat into reactive after-the-fact strategy and tooling. How many times must the bells of resilience and acceptable risk ring in our ears? Those concepts serve the business, and they’re most certainly needed for us to message internally to other C-Suite, directors, investors and customers alike, but these are not the concepts that should form the premise of our cyber security strategy as CISOs and SECOPs.

Do we not realise the starkest of outcomes? Even if we were able to have perfect visibility, perfect forensics, perfect root cause, perfect cyber insurance, perfect human expertise and perfect cloud-based intelligence and visibility, we still wouldn’t solve the one thing that will always overwhelm and outpace those controls: the speed at which the adversary’s code executes.

Visibility after the fact: a losing position

Here we all are. On our heels, drowning in alert data, suffering from analysis paralysis and witnessing the burnout of even the greatest minds we have in our industry.

Here we are as an industry that continues to pour money and investments, time and strategy into a massive security stack that strains SECOPs to the brink. We’re digging ourselves into a hole that we may not be able to dig ourselves back out of if we don’t rapidly shift strategic focus.

Here we are thinking that hunting for threats already running in the environment is somehow proactive, empowering or, worse still, sexy. If you are hunting around in an after-the-fact universe of events, you are not the hunter. You are, by definition, the prey.

Here we are still chatting about breaches because it is easy to tally their per-unit impact and subsequently offset it via insurance. A 2013 story that we are still wrapping our heads around, as if tomorrow’s breaches will use the same low and slow TTPs we fancy we might hunt for and stay ahead of… By days? Weeks? Hours, even? Why would tomorrow’s breach need to take any longer than today’s destructive worms?

Why would the same threat actors not employ both data theft and destruction in the same campaign? Oh wait, they already have been for the better part of 2019…

The cloud: no place for threat hunting

Here we are, caught up in the Herculean move to the cloud, but are we stopping to assess some of the most fundamentally basic weaknesses it will always have? For all of its virtues, the cloud will always be subject to latency when it comes to addressing run-time threats on traditional IT endpoints. Even the workloads we are moving to the cloud still have run-time security challenges that can outpace a cloud-to-cloud connection.

The cloud will always be a tethered affair. The cloud will always be on someone else’s steel, upon which there are up to 100 sub-operating systems, half of them Linux, and a large percentage of which have full access to the bus the OS is forced to entrust. The cloud will never be where your users are… the humans you are striving to protect. The cloud is homogeneously strong, and yet homogeneously weak.

Most importantly, the cloud is a temptation. A temptation to build out intelligence platforms. While it will always excel in this capacity, it can never guarantee that the intelligence needed to make decisions and take actions faster than an adversary will be computed and delivered in time to actually make a difference in stopping today’s automated threats.

The key challenge for all security going forward can be reduced to this: can you make a high enough confidence decision or allow a high enough confidence automated action, fast enough to matter, and without reliance upon a tether to the cloud?

By next year, over 95% of all new vehicles will have autonomous emergency braking. Ask yourself why this is so. Of course, the answer is because machines react faster than humans, never lose attention and never tire. Now consider whether you would buy a car where this life-saving technology was being farmed out to a cloud server rather than being done locally on the machine.

The point is we use the cloud where it makes sense to do so, and not where it doesn’t. Why would anyone think it makes sense to try and beat malware anywhere else but on the machine right where the malware is located? The cloud has an underbelly exposed to many swords, chief among them being the time penalty itself.

Winning on the device

As this industry heads into 2020, let’s make sure we’re lucid in this one critical regard. We know that attacks have entropy, that they devolve into a fog of war, that they expand and that they cause exponential impact to an organisation as every minute, every moment, goes by.

Yet here we still are, heading into the year 2020, and we haven’t solved the single most important challenge of our era: the process-level, microsecond run-time universe in which the adversary has always had the upper hand. They’ve been ahead of us there, and they’ve enjoyed being so for far too long. The moment an unauthorised process completes tasks in memory is when we lose security control and are on our heels. Never mind zero days. Call this ‘moment zero’, after which the pain begins.

What exacerbates the situation even further is that this type of fast-moving threat is now found in both nation state APT campaigns and commodity criminal/underground campaigns, making the sheer volume and diversity of the ‘speed’ problem more profound than ever.

An Emotet-weaponised Word document is clicked and, in under three minutes, over 230 file events happen, 12 network connections to nine malicious hosts are made, 46 new malicious processes spin up and 12 files are manipulated. That’s just on the patient zero host… before the same thing begins to play out host after host in the network and before any secondary payloads or actions by a human attacker are commenced.

This is a code-on-code battle being fought in the time domain of seconds and microseconds. Yet breach reports like IBM’s 2019 ‘Cost of a Data Breach Report’ put the average breach lifecycle, the time to identify and contain a breach, at 279 days… a far cry from the 171 seconds (22 seconds for Emotet itself and 149 seconds for its payload) that it takes Emotet to cause severe impact. The same report offers hope, reminding us that we can save $1.2 million on average simply by containing the breach in under 200 days. Great. It will only cost you $2.7 million at that point!
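As an added illustration of the timing argument in the two paragraphs above (this is not the author’s or SentinelOne’s code), the block below runs two plain behavioural rules over a constructed endpoint event stream shaped loosely after the Emotet figures quoted here: an Office process spawning a script interpreter, and a burst of outbound connections to several distinct hosts. It then counts how many processes, file events and remote hosts have already landed by the time a verdict arrives, once with the verdict rendered on the device and once after an assumed 90-second round trip to a cloud decision service. The timeline, the rule thresholds and the latency figure are all assumptions chosen for the demonstration, not captured telemetry.

```python
"""Process-tree and network fan-out rules over a constructed endpoint event
stream, and the damage that lands before a verdict arrives at a given latency.
Added example; the timeline is constructed, not captured telemetry."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: float            # seconds after the document was opened
    kind: str           # "process" | "file" | "network"
    image: str = ""     # process image name (for "process")
    parent: str = ""    # parent image name (for "process")
    host: str = ""      # remote host (for "network")


OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
FANOUT_HOSTS = 3        # assumed threshold: distinct hosts within FANOUT_WINDOW
FANOUT_WINDOW = 60.0    # assumed window, seconds


def constructed_timeline() -> List[Event]:
    """Synthetic patient-zero stream: the macro spawns PowerShell at 22 s,
    then the payload touches files and calls out to a growing set of hosts.
    Hosts are drawn from the RFC 5737 documentation ranges."""
    ev = [
        Event(0.0, "process", image="winword.exe", parent="explorer.exe"),
        Event(22.0, "process", image="powershell.exe", parent="winword.exe"),
        Event(25.0, "network", host="203.0.113.10"),
        Event(31.0, "file"),
        Event(40.0, "process", image="loader.exe", parent="powershell.exe"),
    ]
    # Payload phase: a burst of beacons, file writes and child processes.
    for i in range(1, 9):
        ev.append(Event(45.0 + i * 12.0, "network", host=f"198.51.100.{i}"))
        ev.append(Event(46.0 + i * 12.0, "file"))
        ev.append(Event(47.0 + i * 12.0, "process", image=f"stage{i}.exe",
                        parent="powershell.exe"))
    return sorted(ev, key=lambda e: e.t)


def rule_fire_time(events: List[Event]) -> Optional[Tuple[float, str]]:
    """Return (time, rule_name) for the first event that trips a rule, or None."""
    seen_hosts: List[Tuple[float, str]] = []
    for e in sorted(events, key=lambda e: e.t):
        # Rule 1: an Office application spawning a script interpreter.
        if e.kind == "process" and e.parent in OFFICE and e.image in INTERPRETERS:
            return e.t, "office-spawns-interpreter"
        # Rule 2: too many distinct remote hosts inside the sliding window.
        if e.kind == "network":
            seen_hosts.append((e.t, e.host))
            recent = {h for t, h in seen_hosts if e.t - t <= FANOUT_WINDOW}
            if len(recent) >= FANOUT_HOSTS:
                return e.t, "network-fanout"
    return None


def damage_before_verdict(events: List[Event], verdict_latency_s: float
                          ) -> Optional[Tuple[float, int, int, int]]:
    """The verdict lands at rule-fire time plus latency; count what has
    already executed by then. Returns (verdict_time, child_processes,
    file_events, distinct_hosts), or None if no rule fired."""
    fired = rule_fire_time(events)
    if fired is None:
        return None
    verdict_t = fired[0] + verdict_latency_s
    before = [e for e in events if e.t < verdict_t]
    procs = sum(1 for e in before
                if e.kind == "process" and e.parent != "explorer.exe")
    files = sum(1 for e in before if e.kind == "file")
    hosts = len({e.host for e in before if e.kind == "network"})
    return verdict_t, procs, files, hosts


if __name__ == "__main__":
    tl = constructed_timeline()
    print("rule fired:", rule_fire_time(tl))
    for label, latency in (("on-device verdict", 0.0),
                           ("cloud round-trip verdict (assumed 90 s)", 90.0)):
        print(f"{label}: (verdict_t, procs, files, hosts) =",
              damage_before_verdict(tl, latency))
```

The same rule fires in both runs at the 22-second mark; the only variable is where the decision is made. With the verdict rendered locally nothing beyond the original Word process has run, whereas after the assumed 90-second tether the payload has already spawned seven children, written six files and reached six hosts on patient zero alone, which is the author’s point about the time penalty in concrete terms.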

All of this is orthogonal to the core challenge at hand. We need to be ahead of threats whether we’re talking about ransomware or worm incidents that cost us $75 billion per annum, or we are talking about after-the-fact breaches that cost us another $16 billion per annum, or both.

The age of the slow-moving breach story has come and gone. Now, we must shift our strategies towards the current and future threat landscape and realise that every minute we spend tooling for the after-the-fact past is a minute lost in being ahead of the adversary in ways that actually move the needle.

In our quest to become merely ‘resilient’, we’ve exhausted the traditional means of risk offset, hindsight due diligence and after-the-fact busyness. We’re all collectively at the ultimate precipice. It’s time to leap off and do so out of sheer necessity because we cannot look forward and prepare properly if we’re constantly steeped in the past.

Scott Scheferman is Principal Security Technologist at SentinelOne

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
