Industry Trends

Using Context to Predict the Future

By Ladi Adefala and Bill McGee | June 27, 2016

The vast majority of security strategies are reactive. The goal is to close the gap between the time to compromise and time to discover. According to the 2016 DBIR report, this compromise time is minutes for a majority (over 80%) of breaches. Solving this problem is complicated because threats are always changing. They have increased in frequency and volume, and they are becoming increasingly sophisticated.

This is due, in part, to the dramatic expansion of the available attack surface that cybercriminals can target. Networks are adding end user devices, virtualized network devices, and IoT devices at an unprecedented rate. And because users are converging their work and personal lives on their various devices, more traffic from social media and online transactions cross our networks as well. And highly mobile workers, dynamic virtualization, and on-demand cloud services have eroded the traditional network perimeter.

In short, cyberdefenders are overwhelmed with the volume and variety of information they need to process and analyze in order to detect and respond to threats.

Increasingly, security professionals are using contextual threat information to help them sort through the volumes of data they have to analyze in order to find the critical intelligence they need to defend themselves. Context takes data and analyzes it through a lens of who, what, when, where, how, and most importantly, why. It answers questions like:

  • Where did this data come from?
  • Where is it going?
  • Who does this device belong to?
  • What policies should be applied to traffic coming from or going to a particular server?
  • Is this connection originating from inside or outside of the network?
  • Why is this recurring request coming in at three in the afternoon or three in the morning?

There are several distinct values of using threat context to detect or solve a threat challenge.

First, context helps you sift through the noise created by volumes of data. Most of the data passing into or through your network is irrelevant from a security perspective. But many advanced threats are designed to hide inside that noise by looking like legitimate traffic. Context helps you see things like devices suddenly collecting files or sweeping the network. If a digital camera suddenly starts requesting or receiving data, rather than just transmitting it, you can be pretty sure that you have a problem.

Next, by increasing the signal to noise ratio you can more effectively prioritize your efforts to minimize the impact of a threat. For example, if you detect a threat, but it is targeting a non-critical asset,, it needs to be watched, but it can be deprioritized, especially when a different threat is targeting a high-value asset. That event can be automatically prioritized for a coordinated response.

The goal is to reduce risk to the organization by either preventing a breach, or by limiting the impact of a breach through early detection. This may mean the difference between your organization losing a few hundred data records or a million.

Once threat patterns emerge, you can also use context to predict threats. One way to anticipate that a threat is likely to come from particular source, or that a particular resource is likely to be targeted, is to look for threat intelligence and context patterns.

In simple terms, if every last Thursday of the month for six years you have gotten a threat report that a particular source is targeting your email server or SQL database, you can confidently anticipate that this will happen the last Thursday of this month as well.
Of course, few threats are quite that obvious. But patterns are there. Regular bursts of data from a virtual machine to a server with an external connection, or a device that repeatedly connects to the same set of servers in another country can help you predict that this is going to happen again. Maybe you have a local user who regularly connects to the network after hours from a remote location, or you can see a series of low-level probes hitting external devices in the numerical order of your IP addresses. This can tell you that an attack is ramping up or is underway. But to accurately predict what’s going to happen next, you need to be able to see across the threat information.

So, why do people keep missing this? There are three reasons why organizations with security in place cannot accurately see or predict threats.

1. They don’t have the capability to process threat intelligence. For threat context to be used effectively, people, processes, and technology need to work in tandem to sift through the noise and identify patterns.

2. Many times, those with the capability to see and respond to threat intelligence are deploying them elsewhere. They are focused on the wrong priorities, or their focus is too narrow. For example, they have all of their resources tied up in protecting the perimeter, but they are not monitoring internal traffic that moves laterally across the network.

3. And in far too many cases, organizations just aren’t doing what they should be doing. There are a lot of reasons for this. Pride allows a security engineer to make the same mistake over and over again because he won’t bring in a fresh set of eyes to look at his solution. Some organizations take the position that rather than spend the money, they will cross their fingers and hope that an attack will happen to someone else. And a lot of times, doing it right seems to be just too hard. ,And then inertia sets in.

Securing a network is easier said than done. It’s a lot like losing weight. We all know what we need to do, and it’s not really that complicated. Ultimately, to lose weight, you need to burn more calories than you consume. But we just don’t do it, for a lot of reasons. Or we look for shortcuts.

Sometimes it takes a critical event to serve as a catalyst. A lot of people don’t get serious about developing a healthy lifestyle until after bypass surgery. And too many organizations don’t implement an effective security strategy that allows them to predict and respond to threats until after a serious breach. Unfortunately, not everyone survives these sorts of events. The best way to start is take your first step.