When we look at the current threat landscape, we’re seeing attackers turning initial compromises into successful attacks. Attackers spend hours, even days trying to get into systems. Once in the environment, they spend even more time moving laterally looking for sensitive resources. They’re able to sit undetected within an environment for long periods of time through different mechanisms. We are dealing with sophisticated cyberattacks that pit security teams against the clock.
Attacker Dwell Time Is Extensive
The average time to identify and contain a breach is increasing over time, not decreasing. According to IBM’s 2021 Cost of a Data Breach report, it took an average of 212 days to identify a breach and 75 days to contain it between May 2020 and March 2021. That puts the total dwell time at an astounding 287 days. Those are very long timeframes – too long – which is why we are seeing so many data breach victims. The longer attackers are in the environment, the more damage they can inflict including encrypting, corrupting and/or stealing corporate data – most recently for ransom.
Cyberattacks Are More Sophisticated
Attackers have gotten a lot more sophisticated in their techniques. They’re not doing anything that elaborate. They are adding additional techniques and doing things that are already tried and true. And they are changing malware. They’re making slight modifications to their techniques to be able to get into systems more effectively. It’s not new malware, it’s the same malware, but it’s new techniques that are being used to get that malware inserted into environments. In fact, we’re seeing old attacks that were used four or five years ago being leveraged today to create new attacks. One of the techniques that’s used effectively is dwell time. Attackers keep their actions low and slow over time because it’s extremely difficult for a system to detect that activity. Correlating that data over long periods is very hard for a person, let alone a solution.
Cyberattacks Are Multi-Cloud
As organizations are migrating to cloud, multi-cloud and poly cloud environments, threat actors are building multi-cloud attack campaigns. They’re hiding their activity across different cloud infrastructures that an enterprise is employing or using, and leveraging this as a threat factor for themselves. Companies are struggling with how to monitor and secure all those different cloud environments, depending on what the actual business model is underneath.
And Then There’s IOT
Attackers are also leveraging gaps in IoT security. We’re talking about any device that can be entered and enabled. It goes very far into industrial control systems, critical infrastructure, manufacturing systems. IoT can be small little devices like a Fitbit or video camera, but it can extend all the way to a device used by utility company in the field to be able to measure energy uses or electrical uses.
For many of these devices, security is not built in. There’s an explosion of those devices and security teams operating in a SOC have to be aware of those devices. Analysts have to be able to characterize IoT devices and detect threats that might be impacting them as they are targets for attackers to use as an initial compromise to get into different environments.
Rules and Patterns Can Only Detect Known Threats
The ability to detect these new techniques is very hard for solutions that use known patterns. A lot of solutions will be able to log and correlate information, but their ability to detect new threats out-of-the-box is very limited. The key is being able to automatically adapt to newer threats. You don’t want to wait for your vendor to come up with a new signature or pattern match or new model, because who knows if the vendor will or how long it will take them to do it. In the meantime, attackers are taking advantage of these new exploits and sophisticated cyberattacks.
It becomes a race against time. Without the right automation to detect early indicators of compromise and piece those together quickly, SOC teams are waiting for more and more security events to occur, and more indicators to happen before they can piece together the puzzle to be able to prevent an attack from being a breach. Prevention is harder than ever because the majority of initial compromises aren’t about vulnerabilities or gaps in outer defenses. It is about human users helping to escort attackers through the front door via clever and hard to prevent phishing attacks and social engineering.
Detecting New Threats Requires True Machine Learning
This is where proper self-learning machine learning and AI is critical to continuously analyze activity, behaviors, current controls and automate changes to the environment to harden against further attacks or new variants. True machine learning capabilities are critical for detecting emerging threats and variants out-of-the-box. Risk-based user behavioral detection and analytics are a requirement to help security teams pinpoint unusual commands being executed, unexpected external communications, data leakage of credentials or financial information, and the like. Self-learning machine learning models and artificial intelligence can adapt to changes, abnormalities, unusual user activity, etc. This is really what can help a SOC team automate different functions, improve tasks, and provide visibility into what’s going on.
Compromises are inevitable. We must improve security across the board so that the one compromise, which is all it takes to wreak havoc, is responded to early and efficiently to prevent subsequent damage. Gurucul can help. Contact us to learn more.
Watch The Webinar
Want to learn more about the benefits of machine learning and artificial intelligence to empower SOC teams to get ahead of threats? Watch our on demand webinar for more information.
On Demand Webinar: How to Optimize SOC Operations with a Next-Gen SIEM