Threat sensors can stop hackers from doing harm


More companies than ever realize they've been breached, and many more than you might think have begun to put processes in place to respond to breaches.

A survey of 567 U.S. executives conducted by the Ponemon Institute and Experian found that 43% of organizations reported suffering at least one security incident, up from 10% in 2013. And 73% of the companies surveyed have data breach response plans in place, up from just 12% in 2013.

"Compared to last year's study results, survey findings show encouraging signs that organizations are beginning to better prioritize data breach prevention, but more needs to be done," says Larry Ponemon, namesake founder of the Ponemon Institute.

Major data breaches have become a staple of news headlines. So it can't be that companies are complacent. The problem seems to be that big organizations just can't move quickly enough.

Home Depot was blind to intruders plundering customer data even as Target endured exposure and criticism for being similarly victimized just months before, possibly by the same gang.

In our connected world, it's hard to keep pace. The Ponemon study found that 78% of companies do not account for changes in the threat landscape or for changes in their own internal processes.

Rise of threat intelligence

That's where the trend toward correlating data from disparate threat sensors could begin to close the gap. It's a promising sign that ultra-competitive security companies have begun to collaborate more on sharing and analyzing threat intelligence.

Boulder, Colo.-based security vendor LogRhythm, for instance, has formed an alliance with CrowdStrike, Norse, Symantec, ThreatStream and Webroot to share sensor data and compare notes on traffic that looks suspicious.

LogRhythm supplies a platform for culling and analyzing data from its partner vendors "to help identify threats in our customers' IT environments more quickly, with fewer false positives and fewer false negatives," says Matt Winter, LogRhythm's vice president of corporate & business development.
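To make the correlation idea concrete, here is an added example (not LogRhythm's or any partner's code) that merges indicators from several threat feeds and alerts on an outbound connection only when feeds corroborate each other or one feed is highly confident; the feed names, indicators, confidence scores and log lines are all constructed for the illustration.

```python
"""Correlate indicators from several threat feeds before raising an alert."""
from collections import defaultdict

# Constructed feeds: each maps an indicator (destination IP) to that
# vendor's confidence score (0-100). Names and values are made up.
FEEDS = {
    "feed_a": {"203.0.113.7": 90, "198.51.100.23": 40},
    "feed_b": {"203.0.113.7": 80, "192.0.2.55": 95},
    "feed_c": {"192.0.2.55": 60, "198.51.100.99": 92},
}

# Constructed outbound-connection log lines: "<timestamp> <host> -> <dest_ip>".
LOG_LINES = [
    "2014-10-01T10:00:00 ws-17 -> 203.0.113.7",
    "2014-10-01T10:00:05 ws-02 -> 198.51.100.23",
    "2014-10-01T10:00:09 ws-11 -> 192.0.2.55",
    "2014-10-01T10:00:12 ws-09 -> 198.51.100.99",
    "2014-10-01T10:00:15 ws-04 -> 93.184.216.34",
]


def correlate(feeds):
    """Merge feeds into {indicator: (source_count, max_confidence)}."""
    merged = defaultdict(lambda: [0, 0])
    for indicators in feeds.values():
        for ioc, score in indicators.items():
            merged[ioc][0] += 1
            merged[ioc][1] = max(merged[ioc][1], score)
    return {ioc: tuple(v) for ioc, v in merged.items()}


def should_alert(sources, confidence, min_sources=2, min_single=90):
    """Alert when feeds corroborate, or a single feed is highly confident.

    A lone low-confidence hit is suppressed (fewer false positives) while a
    strong single-source indicator still fires (fewer false negatives).
    """
    return sources >= min_sources or confidence >= min_single


def triage(log_lines, feeds):
    """Return (host, dest_ip, sources, confidence) for lines worth an alert."""
    merged = correlate(feeds)
    alerts = []
    for line in log_lines:
        _ts, host, _arrow, dest = line.split()
        sources, confidence = merged.get(dest, (0, 0))
        if sources and should_alert(sources, confidence):
            alerts.append((host, dest, sources, confidence))
    return alerts
```

Running `triage(LOG_LINES, FEEDS)` flags three of the five connections; the single-feed, low-confidence hit on 198.51.100.23 and the unknown destination are left alone.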

Since announcing its Threat Intelligence Ecosystem last month, LogRhythm has received "considerable inbound interest from customers and channel partners," says Winter. "Feedback has been very positive."

Similar threat intelligence alliances, both formal and informal, are taking shape throughout the tech security world. The business model of Hexis Cyber Solutions, a year-old startup, relies on pooling threat sensor data from several security vendors, including antivirus giant Symantec and social media malware detection firm ZeroFOX.

Hexis applies analytics with the goal of accurately identifying – and automatically removing – clearly malicious programs.

"The state of the art today is a single point security product triggering alerts on particular things and putting a warning on a screen," says Chris Fedde, president of Hexis. "We're all about analyzing alerts and taking action on them. Anything that's malicious we go ahead and remove."

In one recent pilot study, Hexis tracked 5,000 computing devices and 13,000 user accounts of a U.S. medical center for 30 days. Hexis intercepted 35,000 incidences of suspicious outside contacts and removed 23 malicious files.

Those malicious files that got inside the medical center's network included Dirtjumper, a tool used to conduct denial of service attacks; Tsunami, malware used for spamming and data theft; a remote access tool (RAT) used to take full control of a compromised computer; and an adware Trojan.

There's a long way to go. But alliances to share threat sensor information, like the ones being pioneered by LogRhythm, Hexis and many other security vendors, seem destined to take root.

Someday in the not too distant future, it may not matter if intruders get inside the network, if robust threat intelligence systems are poised to cut them off from doing damage.
