Why "creating a job" and detecting an advanced threat require the same thinking
Bryan Casey (BFCASEY@US.IBM.COM) | Tags: ips threats advanced ibm apt q1 security network economy labs
Comparing politics and economics with information security is one of my stranger hobbies, that is for sure. But these are basically the only two things I care about besides the basics of being a human, so it winds up happening quite a bit. Not to fear, though: this post won't venture into the land of my political preferences. Instead, I want to look at the similarities between two things that at first glance might seem to share few of them.
I want to begin by looking at this notion of "creating a job": what that means, and whether it's even possible. If you are following the current election cycle in the US at all, you probably hear a lot about jobs and unemployment and see lots of different graphs saying we're either doing well or we aren't. Everyone, however, says they want to create more jobs. But do politicians really create jobs? Unless we are talking about directly increasing the number of people on the government payroll, the government doesn't create jobs. That is not to say that government plays no role in this conversation. Government does quite a bit to create an environment where job growth is possible. Regardless of your political preference, the balls in the air here are things like tax rates for businesses, crime, property taxes, educational achievement in the area, quality of the regional infrastructure, regulations, natural resources, market stability, location, and the list goes on. Some of these represent competing interests (you can't have both lower taxes and more government services), but balancing all of these factors successfully can create an overall climate where employers feel comfortable growing their business and bringing on new people. While the job growth number is an easy one to get your hands on, the effect that any one program or tax-law change has on that number is almost impossible to quantify accurately.
While not a perfect analogy, creating a job and detecting/remediating a sophisticated threat have a great deal in common. Tom Cross gives a talk on Advanced Persistent Threat, and one of the best elements of that discussion is the "kill chain" of an attack (reconnaissance, exploitation, infection, command and control, internal pivot, data preparation, data exfiltration). There are a lot of things an attacker has to do between deciding to attack a network and leaving that network with the desired data. If you approach the problem from a kill chain perspective, the goal is to look at the entire chain of events and apply security countermeasures along the way, each capable of alerting you to an attempted intrusion. Tom makes the point that you should strive to detect an attacker at a minimum of two different points in the kill chain; if you only caught them at one, your defenses came too close to an unnoticed compromise. Additionally, just because one security technology didn't directly detect the attacker doesn't mean it didn't play a role. Hardened defenses in one spot can force an attacker into different tactics. As an example, if an attacker wants the information in a database that sits behind a web application, but the web application was coded securely, the attacker is forced to go around it, perhaps by attacking the individuals with access to that database. Let's say the attacker is eventually discovered because of irregularities in database user activity. Does this mean the application vulnerability scanning tools used while building the web application played no part in thwarting the attack? Of course not. Does this reality make it harder to understand the impact of any one technology? It does.
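To make the "two points in the kill chain" rule concrete, here is an added example (not code from the original post, and not from any IBM or Q1 Labs product) that maps constructed sensor alerts onto the seven stages listed above and reports, per host, which stages were observed. Hosts seen at two or more stages satisfy the rule; hosts seen at only one stage, and alerts that no stage mapping covers, are the near-misses the paragraph warns about. The alert names, hosts, sensors, log format and the ALERT_TO_STAGE table are all assumptions chosen for illustration.

```python
"""Kill-chain coverage check: which hosts were caught at two or more stages?

Added example, not from the original post. The alert vocabulary, the
sensor names, the hosts and the log format are constructed for illustration.
"""
from collections import defaultdict

# The seven stages exactly as the post lists them, in attack order.
KILL_CHAIN = [
    "reconnaissance", "exploitation", "infection", "command_and_control",
    "internal_pivot", "data_preparation", "data_exfiltration",
]
STAGE_INDEX = {stage: i for i, stage in enumerate(KILL_CHAIN)}

# Hypothetical mapping from sensor alert names to kill-chain stages.
# Real products ship their own taxonomies; this table is an assumption.
ALERT_TO_STAGE = {
    "portscan": "reconnaissance",
    "sqli_attempt": "exploitation",
    "dropper_download": "infection",
    "beacon_periodic_dns": "command_and_control",
    "lateral_smb_admin_share": "internal_pivot",
    "large_archive_created": "data_preparation",
    "bulk_outbound_upload": "data_exfiltration",
}

# Constructed sample log: "<timestamp> <sensor> <host> <alert>" per line.
# host-c's database alert deliberately has no kill-chain mapping, mirroring
# the post's example of an attacker caught by an unexpected sensor.
SAMPLE_LOG = """\
2012-02-21T09:00:01 ips host-a portscan
2012-02-21T09:05:10 ips host-a sqli_attempt
2012-02-21T09:40:44 siem host-b beacon_periodic_dns
2012-02-21T10:12:03 dbaudit host-c odd_query_volume
2012-02-21T10:20:30 proxy host-b bulk_outbound_upload
2012-02-21T10:21:00 ips host-a sqli_attempt
2012-02-21T10:30:00 siem host-d beacon_periodic_dns
"""


def parse_log(text):
    """Return (events, unmapped).

    events   -- list of (host, stage) for alerts the taxonomy covers
    unmapped -- list of (host, alert) for alerts with no stage mapping,
                returned rather than dropped so coverage gaps stay visible
    """
    events, unmapped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _sensor, host, alert = line.split()
        stage = ALERT_TO_STAGE.get(alert)
        if stage is None:
            unmapped.append((host, alert))
        else:
            events.append((host, stage))
    return events, unmapped


def stages_by_host(events):
    """Distinct kill-chain stages observed per host, sorted in chain order."""
    seen = defaultdict(set)
    for host, stage in events:
        seen[host].add(stage)
    return {h: sorted(s, key=STAGE_INDEX.__getitem__) for h, s in seen.items()}


def triage(text, min_stages=2):
    """Split hosts into those meeting the two-point rule and those that do not."""
    events, _unmapped = parse_log(text)
    by_host = stages_by_host(events)
    multi = {h: s for h, s in by_host.items() if len(s) >= min_stages}
    single = {h: s for h, s in by_host.items() if len(s) < min_stages}
    return multi, single


if __name__ == "__main__":
    multi, single = triage(SAMPLE_LOG)
    _, unmapped = parse_log(SAMPLE_LOG)
    for host, stages in sorted(multi.items()):
        print(f"{host}: seen at {len(stages)} stages -> {', '.join(stages)}")
    for host, stages in sorted(single.items()):
        print(f"{host}: ONE stage only ({stages[0]}); defenses cut it close")
    for host, alert in unmapped:
        print(f"{host}: alert '{alert}' has no kill-chain mapping; review taxonomy")
```

Run against the constructed log, host-a (reconnaissance plus exploitation) and host-b (command and control plus exfiltration) meet the rule, host-d was seen only when it beaconed, and host-c's database anomaly surfaces as an unmapped alert rather than silently disappearing. Repeated detections at the same stage (host-a's two SQL injection alerts) count once, since the rule is about distinct points in the chain, not alert volume.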
At this point, it's a good time to return to the job-creation analogy. In both cases the end results are tangible (you have more jobs, you caught the bad guy), but it can be difficult to quantify the impact of any one investment or decision. Success in these scenarios is often predicated on systemic strength. Just as with jobs, where the aim is an environment in which job creation can take place, with advanced attackers you are trying to create an entire environment in which the attacker can be detected and defeated. In practice, creating that environment involves a whole ecosystem of different capabilities and expertise, each of which may or may not play a part over the course of any given incident.
With that in mind, I am pleased to say that today's announcements reflect IBM's belief in the strength of the system. Today was the first announcement around our Advanced Threat Protection Platform, with our new anomaly detection appliance headlining the show.
There are also integrations between X-Force and our Network Intrusion Prevention System on one side and our recently acquired Q1 Labs technology on the other, as well as the addition of "hybrid protection" to our Network IPS. The latter complements the proven, ahead-of-the-threat protection found in IBM's Protocol Analysis Module (PAM) with the open source capabilities and widely used rule syntax of Snort.
While there is always more work to be done, this announcement is the latest example of what we are trying to do in security: addressing complexity not by proclaiming simple solutions or a one-product fix, but by bringing together many different technologies and capabilities to deliver something greater than the sum of its parts.