During a speech in June 2012, Jonathan Evans, the chief of the UK’s home security agency MI5, stated that it was “fighting 'astonishing' levels of cyber-attacks”. The worry is not just about the number, but the sophistication and the degree of targeting of individual people and organisations. This is making it harder and harder to detect and stop such attacks with conventional cybersecurity defences.
As a consequence, many are evaluating advanced tools that supplement point security products such as anti-virus, firewalls and intrusion prevention systems (IPS). This includes deploying what some are calling advanced security intelligence (ASI). ASI is the ability to look at a wide range of information sources in real time and spot that something anomalous is going on; this could be an attack, or it could be dangerous or undesirable user behaviour, another risk that needs to be mitigated.
ASI builds on existing technology such as log management and SIEM (security information and event management) tools. The vendors involved, which include LogRhythm, IBM (via its Q1 Labs acquisition) and McAfee (via its Nitro Security acquisition), are souping up their products, in particular their SIEM tools, to provide ASI capabilities. Some are using the term NG-SIEM (next generation SIEM).
Here are some examples of where ASI may succeed where point security products have failed:
- Signature-based anti-virus software cannot detect new malware (zero-day) attacks. However, using ASI to correlate server activity logs could identify that a given server is being used to contact many other end-points on a given private network and is sending messages out to an unusual IP address (probably a command and control server). The recent Flame malware worked in a similar way to this. ASI would have been one way of detecting such an attack in advance (others are pointed out in a recent article by Quocirca).
- An intrusion prevention system (IPS) may prevent multiple failed attempts to access a server from a particular bad IP address, but may not see that data is already being copied from that server due to a single successful penetration that was well enough disguised. Correlating log and event files could identify that two such events are related and lead to the prevention of a data theft. A so-called advanced persistent threat (APT) could have this sort of profile.
- It may be normal for a known user to access a given application remotely and out of office hours, but not if the request is coming from a location where they cannot physically be. Correlating each access request against the previous successful access request and checking the geographic location of the devices used can identify a physically impossible event, such as a user having moved from London to Paris in the space of a few minutes or hours, even if the bona fide user's job role could see them legitimately in both locations.
- It might be usual for an employee to access customer information; it may also be usual for them to download such data to a file for reporting reasons. However, for them to copy the data to a non-compliant location, for example a cloud storage resource in a certain country, should raise an alarm. There may be no malicious intent here; perhaps this is an example of a line-of-business commissioning its own cloud resources (an increasingly common practice). This requires rules that understand user access rights and compliance rules and the ability to correlate these in real time with attempts to copy data and the location of the target storage service.
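The impossible-travel correlation from the third bullet above, as an added Python example that is not part of the original article: it reads constructed successful-login records, geolocates source IPs through a hypothetical lookup table (assumption: a real deployment would use a GeoIP database with some imprecision, and would pull the records from the SIEM rather than a list), and flags any user whose consecutive logins imply travelling faster than an airliner.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed (lat, lon) geolocations for source IPs; a real deployment would
# use a GeoIP database and accept some imprecision (assumption: lookups are exact).
GEOIP = {
    "203.0.113.10": (51.5074, -0.1278),  # London
    "198.51.100.7": (48.8566, 2.3522),   # Paris
    "192.0.2.44": (51.5200, -0.1000),    # elsewhere in London
}
MAX_SPEED_KMH = 900.0  # roughly airliner speed; anything faster is "impossible"

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def parse(line):
    """Parse a constructed 'ISO8601 user src_ip' successful-login record."""
    ts, user, ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip

def impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, prev_ip, cur_ip, implied_kmh) for each login that would
    require travelling faster than max_speed_kmh since the user's previous login."""
    last, alerts = {}, []
    for ts, user, ip in sorted(parse(l) for l in lines):  # time order matters
        prev = last.get(user)
        if prev and prev[1] != ip and ip in GEOIP and prev[1] in GEOIP:
            hours = (ts - prev[0]).total_seconds() / 3600
            # two different places at the same instant is the extreme case
            speed = haversine_km(GEOIP[prev[1]], GEOIP[ip]) / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev[1], ip, speed))
        last[user] = (ts, ip)  # always compare against the most recent login
    return alerts

SAMPLE_LOGINS = [  # constructed sample records
    "2012-06-25T08:00:00Z alice 203.0.113.10",
    "2012-06-25T08:20:00Z alice 198.51.100.7",  # Paris 20 minutes later: alert
    "2012-06-25T09:00:00Z bob 203.0.113.10",
    "2012-06-25T09:30:00Z bob 192.0.2.44",  # a few km across London: normal
    "2012-06-25T18:00:00Z alice 203.0.113.10",  # back ~10 h later: normal
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

Unknown source IPs are skipped rather than alerted on, so a missing geolocation never produces a false positive; tune MAX_SPEED_KMH to the accuracy of your GeoIP data.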