Continuous threat monitoring
“Know your enemy,” says Sun Tzu in the Art of War, simplistically speaking. And, simplistically speaking, in the current cyberwar the enemy is the bots, the trojans, the worms and viruses and all the other malware that seek to breach our cyber defences. The clear implication is a need to monitor and understand these threats. But the threats are continuously evolving, changing and increasing; so the solution would appear to be ‘continuous threat monitoring’.
There are many ways this can be done: by signing up to the ‘alerts’ RSS feeds almost always provided by the major systems and software providers; by monitoring the national CERT pages, and in particular the one hosted by Carnegie Mellon University in the USA; or by subscribing to one or more of the alert providers such as Secunia. An alternative or additional approach is to monitor the blogs of leading security researchers, such as David Harley (ESET), Luis Corrons (PandaLabs), Rik Ferguson (Trend Micro) and Graham Cluley (Sophos), all of whom provide insight and commentary on the current threat environment.
But we said at the beginning: ‘simplistically speaking’. The enemy isn’t just the threats: it includes time, your time to do all of this. Amanda Finch, general manager at the Institute of Information Security Professionals, suggests a risk management approach to ease the burden. Continuous threat management should depend on the business and the risks it faces. “For example,” she says, “in manufacturing this is probably not necessary or cost-effective; but for utilities or banks, or high security situations, it may be. With the sophistication of the cyber threat and the techniques, methods and tools available to attackers, the days of retrospectively checking configuration, incident and event logs are wholly inadequate for most businesses, certainly where monetary value, IP, or sensitive personal information is involved.”
But still this is too simplistic. The enemy isn’t merely the malware, or the time to monitor all the threats – the real enemies are the vulnerabilities that allow the malware into the system; and the user. Microsoft research shows that the vast majority of breaches depend upon the user doing something he or she should not; and that a statistically insignificant number of breaches are caused by the infamous 0-day threat. Further research shows that the bulk of detected exploit threats appear after the vulnerability is patched by the vendor.
Stuart Aston, chief security advisor at Microsoft, takes up the story. “You have to start from a thorough understanding of the risk. If you understand your risk, it will help you understand how to monitor the threats. For example, a large percentage of breaches come from end users actively doing something they shouldn’t. Similarly, 99% of breaches occur via patched vulnerabilities. It follows that improving your users’ security awareness together with religious patching will defend against the majority of security attacks. This, coupled with a good defence in depth, is the best way to not merely monitor threats, but to defeat them.” In other words, it is an effective use of time to let the vendors and security researchers monitor and alleviate the threats, provided the company then acts on the findings, and patches its software.
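The practical shape of the advice above, subscribing to vendor alert feeds, filtering them by the risk the business actually carries, and acting on the patch, can be shown in a few lines. The following is an added example, not code from the article or from any of the vendors it names: it parses an RSS-style advisory feed, drops advisories for products that are not deployed, drops those already at or above the fixed version, and ranks what remains by severity multiplied by the asset's business criticality. The feed XML, the inventory, the product names, versions and advisory identifiers are all constructed placeholders.

```python
"""Triage a vendor security-alert feed against a local software inventory.

Added example, not from the article. The feed, inventory, product names,
versions and advisory ids below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed in the RSS 2.0 shape vendor alert feeds commonly use.
# Each item's description carries the affected product, first fixed version
# and severity as key=value pairs (a convention assumed for this example).
SAMPLE_FEED = """<rss version="2.0">
<channel>
  <title>Example Vendor Security Advisories (constructed)</title>
  <item>
    <title>EXAMPLE-2024-001: Remote code execution in WidgetServer</title>
    <description>product=WidgetServer; fixed=2.4.1; severity=critical</description>
  </item>
  <item>
    <title>EXAMPLE-2024-002: Privilege escalation in GadgetAgent</title>
    <description>product=GadgetAgent; fixed=1.9.0; severity=high</description>
  </item>
  <item>
    <title>EXAMPLE-2024-003: Denial of service in Thingamajig</title>
    <description>product=Thingamajig; fixed=5.0.2; severity=medium</description>
  </item>
</channel>
</rss>
"""

# Constructed inventory: product -> (installed version, business criticality 1..3).
# Criticality is the risk-management input: how much the business depends on it.
INVENTORY = {
    "WidgetServer": ("2.3.7", 3),   # internet-facing, high value
    "GadgetAgent":  ("1.9.0", 2),   # already at the fixed version
    "Thingamajig":  ("4.8.0", 1),   # internal, low value
    "Doohickey":    ("1.0.0", 2),   # no advisory in this feed
}

SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Advisory:
    ident: str
    product: str
    fixed_version: tuple
    severity: str


def parse_version(text):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_feed(xml_text):
    """Extract one Advisory per <item> from the feed."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        title = item.findtext("title", "")
        desc = item.findtext("description", "")
        fields = dict(kv.strip().split("=", 1) for kv in desc.split(";") if "=" in kv)
        advisories.append(Advisory(
            ident=title.split(":", 1)[0].strip(),
            product=fields["product"],
            fixed_version=parse_version(fields["fixed"]),
            severity=fields["severity"].lower(),
        ))
    return advisories


def triage(advisories, inventory):
    """Return (advisory id, product, score) for each advisory that affects an
    installed product still below the fixed version, highest score first.
    Advisories for products we do not run, or that are already patched, are
    dropped: they cost monitoring time but carry no risk for this business."""
    findings = []
    for adv in advisories:
        if adv.product not in inventory:
            continue  # not deployed here
        installed, criticality = inventory[adv.product]
        if parse_version(installed) >= adv.fixed_version:
            continue  # already patched
        score = SEVERITY_SCORE.get(adv.severity, 0) * criticality
        findings.append((adv.ident, adv.product, score))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for ident, product, score in triage(parse_feed(SAMPLE_FEED), INVENTORY):
        print(f"{score:>3}  {ident}  {product}: patch required")
```

Run stand-alone, the script lists only the two products that are both installed and unpatched, with the critical internet-facing one first; the advisory for GadgetAgent is silently dropped because the inventory already records the fixed version. The scoring is deliberately simple; the point is that the inventory and criticality come from the business, as Finch and Aston describe, and the feed is only filtered through them.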
Continuous threat monitoring, then, should be a combination of watching the industry, using risk management techniques to concentrate on the most pertinent areas and, perhaps most importantly, keeping all systems and software fully upgraded and patched.