Prevention, Detection and Response: A New Approach to Tackle APTs

Evolving Threats Require CISOs to Disrupt Attacks Across the Entire Chain, From Break-in to Exfiltration, Argues Martin Borrett, Director at the IBM Institute for Advanced Security.

What was once a wake-up call for organizations is now an almost daily occurrence. Businesses are under cyber-attack and, according to experts, the cost of these incidents is on the rise. The Ponemon Institute recently claimed that the average cost of a reported breach has grown by 15 per cent, reaching an average of $3.5 million.

Yet the sophistication of advanced persistent threats (APTs) is evolving at a much faster pace than the current patchwork of non-integrated point solutions can handle. X-Force – IBM's global team of security analysts – found that more than half a billion records of personally identifiable information were compromised last year.

Today’s CISOs need to consider security intelligence and behavioral analytics that go beyond traditional signature-based defenses and firewalls to disrupt attacks across the entire attack chain — from break-in to exfiltration.

Prevention is Mandatory

Prevention hasn’t always worked because the primary tools in use – firewalls and anti-virus – have relied on more reactive signature-based approaches. Makers of these tools have seen hackers simply bypass them, forcing many CISOs to recognize the limitations of traditional anti-virus and some to go as far as declaring “anti-virus is dead.” It’s no big surprise.

Even as attacks have become more sophisticated, successfully evading a variety of security measures, prevention remains an important element of a successful security strategy. Organizations require real-time protection that can stop these attacks and disrupt the attack chain in an effort to prevent compromise.

One approach is to break critical points in the attack chain with pre-emptive defenses on both the endpoint and the network. Through a behavior-based approach, it's possible to both detect and prevent even unknown attacks, including those utilizing advanced malware. For example, by restricting the use of Java, it's possible to block malicious applets and ensure untrusted applications cannot perform high-risk tasks. IBM's X-Force Threat Intelligence Quarterly report showed that 96% of Java exploits come from rogue Java apps.

Detection Through Data

Data is at the heart of modern businesses and now the primary value target for cyber-criminals. Conversely, big data analytics are also the key to solving the next generation of information security problems.

Targeted attacks are multi-faceted and specifically designed to evade point technologies attempting to detect and block them. Once they are inside, the only way to detect this type of threat is by understanding the behavior of all of the individual attack components and using analytics to understand their relationship.

The good news is, thanks to big data analytics, organizations are now able to sift through massive amounts of data, both inside and outside the enterprise. Big data analytics can uncover hidden relationships, detect attack patterns, stamp out security threats and set priorities for remediation. Security intelligence requires an all-inclusive system that goes beyond traditional logging to ingesting vast amounts of data and applying behavioral analytics to actually determine when a breach might, or did, occur.

For example, a large petroleum company saw 25 attempted data breaches in one day. Stopping those breaches came down to analyzing data – anomalies, irregular behavior of applications and other nuances. The shelf life of the data is also effectively extended by using those breach attempts to learn more about the potential attackers. 

Integration Allows Response

Today it is not a matter of “if” an organization will be breached, but a question of “when” and “by how much.” Organizations can limit the breach impact and contain the exposure but this means having the ability to respond rapidly once the initial incident has been detected. An understanding of the complete attack chain and all of its related components is critical in order to comprehend the extent of the breach and potentially exposed sensitive data.

Integration of security capabilities, working in unison to stop an attack, is a critical requirement. This approach complements and expands upon traditional Security Information and Event Management (SIEM), which correlates event, anomaly, log and flow data.

For example, the abnormal behavior of a privileged user triggers an alert which allows you to block a network segment. Or perhaps the appearance of malware on a mobile device causes you to stop the authentication of a customer. Or the detection of a vulnerability in an application forces you to block its exploitation on the network. Those are examples of integration that close the gap between security domains and ensure that hackers lack the room to squeeze through enterprise security cracks.
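The behavioral analytics described under "Detection Through Data" and the privileged-user example above can be illustrated in a few lines of code. The following is an added example, not code from the article or from any IBM product: it builds a baseline of where and when a privileged account normally logs in, flags a login that breaks that baseline, correlates it with flow records from the same host within a short window, and escalates to a "block segment" response action when the flows show a large transfer to an address outside the enterprise. The log lines, user names, addresses, time window and byte threshold are all constructed for the example.

```python
"""Toy SIEM-style correlation of authentication events with flow records.

All log lines, names, addresses and thresholds are constructed for
illustration; they are assumptions, not data from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed auth log: "<ts> auth user=<u> src=<ip> priv=<0|1> result=<ok|fail>"
AUTH_LOG = """\
2014-06-02T09:05:11 auth user=dbadmin src=10.1.20.14 priv=1 result=ok
2014-06-03T08:57:42 auth user=dbadmin src=10.1.20.14 priv=1 result=ok
2014-06-04T09:12:03 auth user=dbadmin src=10.1.20.15 priv=1 result=ok
2014-06-05T09:01:30 auth user=dbadmin src=10.1.20.14 priv=1 result=ok
2014-06-05T09:20:00 auth user=jsmith src=10.1.30.7 priv=0 result=ok
2014-06-06T03:12:48 auth user=dbadmin src=10.1.77.9 priv=1 result=ok
2014-06-06T09:03:00 auth user=dbadmin src=10.1.20.14 priv=1 result=ok
"""

# Constructed flow records: "<ts> flow src=<ip> dst=<ip> bytes=<n>"
FLOW_LOG = """\
2014-06-05T09:30:00 flow src=10.1.20.14 dst=10.1.5.2 bytes=48211
2014-06-06T03:14:05 flow src=10.1.77.9 dst=10.1.5.2 bytes=2100000
2014-06-06T03:19:30 flow src=10.1.77.9 dst=203.0.113.44 bytes=1900000000
"""

BASELINE_END = datetime(2014, 6, 6)          # events before this build the baseline
CORR_WINDOW = timedelta(minutes=15)          # flows within this window of a login correlate
EXFIL_BYTES = 100_000_000                    # assumed "large transfer" threshold
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space


def parse(log):
    """Parse '<ts> <kind> k=v k=v ...' lines into dicts (works for both log types)."""
    events = []
    for line in log.splitlines():
        ts, kind, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
        rec.update(f.split("=", 1) for f in fields)
        events.append(rec)
    return events


def subnet(ip):
    """/24 containing the address; used both for the baseline and for the response action."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in ENTERPRISE_NETS)


def build_baseline(events):
    """Per privileged user: source subnets and hours of day seen in successful logins."""
    base = defaultdict(lambda: {"subnets": set(), "hours": set()})
    for e in events:
        if e["kind"] == "auth" and e["priv"] == "1" and e["result"] == "ok" and e["ts"] < BASELINE_END:
            base[e["user"]]["subnets"].add(subnet(e["src"]))
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def anomalous_logins(events, baseline):
    """Privileged logins after the baseline period that break the user's baseline."""
    found = []
    for e in events:
        if e["kind"] != "auth" or e["priv"] != "1" or e["ts"] < BASELINE_END:
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None or subnet(e["src"]) not in b["subnets"]:
            reasons.append("new source subnet")
        if b is None or e["ts"].hour not in b["hours"]:
            reasons.append("unusual hour")
        if reasons:
            found.append((e, reasons))
    return found


def correlate(events, baseline):
    """Turn anomalous logins into alerts; escalate when flow data shows a large external transfer."""
    flows = [e for e in events if e["kind"] == "flow"]
    alerts = []
    for login, reasons in anomalous_logins(events, baseline):
        alert = {"user": login["user"], "src": login["src"], "reasons": list(reasons),
                 "severity": "medium", "action": "investigate"}
        for f in flows:
            delta = f["ts"] - login["ts"]
            if (f["src"] == login["src"] and timedelta(0) <= delta <= CORR_WINDOW
                    and is_external(f["dst"]) and int(f["bytes"]) >= EXFIL_BYTES):
                alert["severity"] = "high"
                alert["action"] = f"block segment {subnet(login['src'])}"
                alert["reasons"].append(f"{f['bytes']} bytes to external {f['dst']}")
        alerts.append(alert)
    return alerts


def run():
    events = parse(AUTH_LOG + FLOW_LOG)
    return correlate(events, build_baseline(events))


if __name__ == "__main__":
    for a in run():
        print(a)
```

The 09:03 login on 6 June matches the baseline (known subnet, usual hour) and produces no alert; the 03:12 login from a new subnet does, and because the same host then pushes roughly 1.9 GB to an address outside the enterprise within the window, the alert is raised to high severity with a segment-level response action, which is the cross-domain integration the paragraph describes.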

Security threats continue to grow in volume, complexity and stealth but an integrated approach of prevention, detection and response based on security analytics can help to re-secure our enterprises.


Martin Borrett is Director of the IBM Institute for Advanced Security in Europe. He leads the Institute and advises clients at the most senior level on policy, business, technical and architectural issues associated with security.

Martin leads IBM's Security Blueprint work and is chairman of the European IBM Security User Group community and a member of the board of EOS, the European Organization for Security. He is a Fellow of the British Computer Society, a Chartered Engineer (CEng) and member of the IET. 

