Sponsored The SolarWinds attacks compromised tens of thousands of systems across US federal government agencies and private sector companies alike. The US will feel its effects for years, and it was largely avoidable. In fact, according to Lior Div, CEO and co-founder of Cybereason, if those systems had been using a concept called operation-centric security, they could have spotted it immediately.
Operation-centric security is a term that Div has coined to describe a new way of approaching cybersecurity. It correlates subtle chains of behaviour that reveal potential cyber attacks earlier by providing analysts with more context across devices and users. If you're a security operations center (SOC) analyst, it might just save your sanity - and your network.
Data, data everywhere, and all of it useless
Here's the problem with traditional cybersecurity threat hunting: SOC operators are coming at it blind. That sounds counterproductive, because they have data. Lots of it. More than they've ever had before, in fact. The problem is that it all looks the same.
That data is also fragmented. It comes from multiple tools, most of which don't talk to each other, because security teams have built technology frankenstacks comprising different point solutions. That means the red flashing lights warning you about suspicious events on your endpoints don't know about the other alerts flagging incidents in your network infrastructure. And neither of those know about the alerts emanating from your servers.
This leaves security teams looking at a sea of alerts, many of which might be part of the same attack. Without a correlated view at the back end, analysts have no way of knowing.
All they can do is dig into the most likely-looking alerts manually to see how - or even if - they are related. For most SOCs, there's no chance of looking at everything. Just ask Target, which famously triaged some of those flashing lights back in 2013 and still suffered a massive data breach as a result.
Even if security analysts are savvy or lucky enough to investigate the right alerts and spot an emerging attack, there's no guarantee that they'll be that effective. They might discover the attack too late to stop it.
Companies that invest in more tools to generate more of the same data end up exacerbating the issues. They spend more money on shoring up the same defences, but the returns don't justify the investment. That's what operation-centric security aims to change.
Time for a different approach
Cybereason's operation-centric security takes a different approach based on what it calls Malop ™ (malicious operation ). This looks at the entire attack from root cause to its current state, rather than as a series of isolated events.
Rather than an alert, the company's defence platform generates what it describes as a map of the attack, telling the security analyst the Malop's entire story, in context.
That requires a different approach to gathering and organising data. Traditional security systems focus on indicators of compromise (IOCs) such as known malicious IP addresses. While they're important, IOCs do little to protect against previously unknown attacks and do provide enough information about the nature of a malicious operation. For that, Cybereason believes you need to look at indicators of behaviour (IOBs), examining activities taking place in your infrastructure and how they evolve over time.
That starts with using agents to gather data across all parts of the infrastructure in what the company calls the three Es: from endpoint, through to the enterprise, and externally to everything. That means monitoring activity on every asset from the mobile device to the server and even cloud workloads.
Chewing through that much data was one of the most challenging tasks for the company. "Most people put data into a lake and then try to process it," Div says, "but we knew that the volume of that data would be too great." The company deals with infrastructure incident data points at extreme scale, and both the volume and velocity of that data is growing.
"So, we flipped it," Div explains. The Cybereason platform relays this data to a graph data structure running in memory. The company processes the data in real time before it goes into its data store, enabling it to build an emerging picture of any attacks in real time.
The graph database-backed system analyses the activity, including whether the activity it is examining is common within the organisation, and whether it has been identified as malicious in the past.
Looking for anomalies
It does this using machine learning technology, employing what Div calls a semi-supervised learning model. That uses traditional supervised learning techniques to label known entities in an infrastructure. "There is a software process and there is a user. There is a machine and there is a connection to an IP address. So there are a lot of things that are known, and they have structured relationships that you don't need to reinvent," he says.
Those assets also often interact with each other in known ways. But what happens when they begin interacting in ways that could present an advantage for an attacker? That's where the unsupervised part of the company's cybersecurity model kicks in. It looks for chains of behaviour that present an attacker with opportunities to advance their position in a targeted network, even for behaviour s that one would expect to see on a network. Because it processes data in real time before adding it to the existing historical data, it's able to do this in microseconds across the customer's entire infrastructure, he says.
This was what enabled Cybereason to detect the SolarWinds behaviours. The malware always followed consistent patterns, Div explains, following the same bootup behaviour and interactions with clients. "One day we saw the same system start to behave differently in a radical way," he says. A DLL impersonating Microsoft code began scanning the network.
"This is where we excel, because there are things that we know are triggers for malicious operations," he says.
After spotting these rare chains of behaviour, an operations-centric security approach uses historical data that has been gathered and trained, matching it against known tools and techniques. This enables SOC operators to visualise the entire malicious operation from its initial ingress point, providing a timeline of infection and lateral movement.
This timeline shows operators what tools were used in the attack, identifying their communications characteristics, both inside and outside the victim's network. The company enhances the data collected with extra information about tools, tactics, and techniques from MITRE Att@ck Framework and other sources.
The benefits of operational security
Operational security offers several benefits, says Cybereason. One of them is a reduction in the incident response window. Because its tool collects and analyses all this data in real time, the timeline that it presents to operators is up-to-the-minute. It shows all infected endpoints and the users that this puts at risk in the current moment. That means the security team can understand the scope and impact of an attack, which gets the company further ahead in those all-important first few minutes of an incident.
This is especially important in a cybersecurity battlefield where defenders have to out-manouevre attackers. If they can adapt more quickly than an intruder can adjust their tactics, it reverses the attacker's advantage.
Aside from helping defenders to work faster, this operating model also makes it easier for defenders to work smarter. Delivering information in context about ongoing attacks frees up operators to make more informed decisions about what they're seeing.
This turns operators watching and investigating those flashing red lights to tacticians responding to aggregated, structured intelligence. It also gives them time to explore other security initiatives such as security policies, architectural rethinks, and the like.
Finally, it lets security staff work together. By dismantling internal threat intelligence silos, operation-centric security helps SOC teams actually be teams rather than islands of blind activity. They can share insights about what's happening across the entire organisation.
Div likens this to a game of chess. Newbie players tend to focus on a few squares of the board at a time, planning moves in isolation and only thinking about the current position. Traditional SOC operators suffer from the same operational limitations.
Conversely, operation-centric security lets those SOC analysts look at the whole board at once, he explains. It lets you react to the current state of play while also giving you the context to understand how the game has developed - and to assess likely developments in the future. It's the difference between moving your piece randomly around the board and knowing the Sicilian Defence from the Italian Game. When it comes to cybersecurity, that's a valuable asset in the quest to avoid getting pwned.
Sponsored by Cybereason