Formulating an attack-focused security plan
To successfully formulate an attack-focused plan, start with an assessment to find live attackers on the network, says MANDIANT.
Every network has vulnerabilities, but what matters most is what intruders are doing now, not what they could theoretically do. Therefore, businesses must find live intruders, contain and remediate them, and then address vulnerabilities.
These are the words of Richard Bejtlich, chief security officer at MANDIANT, who describes attack-focused security as another way of saying “threat-centric” security.
“You start by identifying how real intruders are already abusing your network. You don`t start with `vulnerability-centric` security, which focuses on finding vulnerabilities in the network.”
Bejtlich will speak at ITWeb`s 8th annual Security Summit, to be held from 7 to 9 May, at the Sandton Convention Centre.
His presentation, titled “Formulating an attack-focused security plan”, will discuss how organisations can prioritise resources against the areas intruders are actively exploiting.
“No security program has sufficient resources to address all vulnerabilities. Vulnerability assessments find thousands of problems in live networks. Security teams can only address a fraction of those issues,” he explains.
[Sidebar]According to Bejtlich, the industry recognises that phishing, attacking applications on publicly facing servers, and guessing credentials or security questions are currently the most popular attack vectors.
“The disconnect comes from priorities being placed on various defensive measures. Many security problems centre on poor IT - asset management, configuration management, data management and suchlike. Too many organisations want to start `pen testing` before they even know where their data sits.”
To successfully formulate an attack-focused plan, Bejtlich recommends starting with an assessment to find live attackers on the network.
He advises that businesses use network, log and host-centric tools and processes, powered by reputable threat intelligence. Following this, containment and remediation measures should be devised and implemented.
“Once the intruder is disrupted, review how he managed to gain and maintain access, if that is what happened.” He recommends thinking in terms of the cyber kill chain, or attack progression.
“Count and classify your intrusions per unit time, and measure the time elapsed from detection to containment,” he says.
Finally, businesses should build a security program that focuses on driving down the number of incidents and the time required to deal with them.
For more information, and to register for the Security Summit, click here.
Story by Kirsten Doyle