
Continuous threat monitoring

This article was first published by, and is reprinted here with kind permission of, Raconteur (Secure Business, the Times, 8 December 2011). For more information on special reports in The Times Newspaper, call Dominic Rodgers on +44 207 033 2106.

“Know your enemy,” says Sun Tzu in the Art of War, simplistically speaking. And, simplistically speaking, in the current cyberwar the enemy are the bots, the trojans, the worms and viruses and all the other malware that seek to breach our cyber defences. The clear implication is a need to monitor and understand these threats. But the threats are continuously evolving, changing and increasing; so the solution would appear to be ‘continuous threat monitoring’.

There are many ways this can be done: by signing up to the ‘alerts’ RSS feeds almost always provided by the major systems and software providers; by monitoring the national CERT pages and in particular the one hosted by Carnegie Mellon University in the USA; or by subscribing to one or more of the alert providers such as Secunia. An alternative or additional approach is to monitor the blogs of leading security researchers, such as David Harley (ESET), Luis Corrons (PandaLabs), Rik Ferguson (Trend Micro) and Graham Cluley (Sophos); all of whom provide insight and commentary on the current threat environment.

But we said at the beginning: ‘simplistically speaking’. The enemy isn’t just the threats: it includes time, your time to do all of this. Amanda Finch, general manager at the Institute of Information Security Professionals, suggests a risk management approach to ease the burden. Continuous threat management should depend on the business and the risks it faces. “For example,” she says, “in manufacturing this is probably not necessary or cost-effective; but for utilities or banks, or high security situations, it may be. With the sophistication of the cyber threat and the techniques, methods and tools available to attackers, the days of retrospectively checking configuration, incident and event logs is wholly inadequate for most business, certainly where monetary value, IP, or sensitive personal information is involved.”

But still this is too simplistic. The enemy isn’t merely the malware, or the time to monitor all the threats – the real enemies are the vulnerabilities that allow the malware into the system; and the user. Microsoft research shows that the vast majority of breaches depend upon the user doing something he or she should not; and that a statistically insignificant number of breaches are caused by the infamous 0-day threat. Further research shows that the bulk of detected exploit threats appear after the vulnerability is patched by the vendor.


Stuart Aston, chief security advisor at Microsoft, takes up the story. “You have to start from a thorough understanding of the risk. If you understand your risk, it will help you understand how to monitor the threats. For example, a large percentage of breaches come from end users actively doing something they shouldn’t. Similarly, 99% of breaches occur via patched vulnerabilities. It follows that improving your users’ security awareness together with religious patching will defend against the majority of security attacks. This, coupled with a good defence in depth, is the best way to not merely monitor threats, but to defeat them.” In other words, it is an effective use of time to let the vendors and security researchers monitor and alleviate the threats, provided the company then acts on the findings, and patches its software.

Continuous threat monitoring, then, should be a combination of watching the industry, using risk management techniques to concentrate on the most pertinent areas and, perhaps most importantly, keeping all systems and software fully upgraded and patched.

  1. Jason Nadeau, Symantec
    January 10, 2012 at 4:22 pm

    Kevin – enjoyed reading your post. We at Symantec agree that cyber attacks are becoming more prevalent and sophisticated which is why we feel it is absolutely crucial for organizations to be proactive by updating security solutions and ensuring they have strong patch management processes in place to effectively mitigate the risk of an attack. As you pointed out — if businesses are not evolving their defenses to keep up with the constantly-evolving threat landscape, the simple fact is that they will be left vulnerable.
