Threat sensors can stop hackers from doing harm
By Byron Acohido, ThirdCertainty
More companies than ever realize they’ve been breached, and many more than you might think have begun to put processes in place to respond to breaches.
A survey of 567 U.S. executives conducted by the Ponemon Institute and Experian found that 43% of organizations reported suffered at least one security incident, up from 10% in 2013. And 73% of the companies surveyed have data breach response plans in place, up from just 12% in 2013.
“Compared to last year’s study results, survey findings show encouraging signs that organizations are beginning to better prioritize data breach prevention, but more needs to be done,” says Larry Ponemon, namesake founder of Ponemon Institute .
Major data breaches have become a staple of news headlines. So it can’t be that companies are complacent. The problem seems to be that big organizations just can’t move quickly enough.
Home Depot was blind to intruders plundering customer data even as Target endured exposure and criticism for being similarly victimized just months before, possibly by the same gang.
In our connected world, it’s hard to keep pace. The Ponemon study found 78% of companies do not account for changes in threats or as processes at a company change.
Rise of threat intelligence
That’s where the trend toward correlating data from disparate threat sensors could begin to close the gap. It’s a promising sign that ultra-competitive security companies have begun to collaborate more on sharing and analyzing threat intelligence.
Boulder, Colo.-based security vendor LogRhythm, for instance, has formed an alliance with CrowdStrike, Norse, Symantec, ThreatStream and Webroot to share sensor data and compare notes on traffic that looks suspicious.
LogRhythm supplies a platform for culling and analyzing data from its partner vendors “to help identify threats in our customers’ IT environments more quickly, with fewer false positives and fewer false negatives,” says Matt Winter, LogRhythm’s vice president of corporate & business development.
Since announcing it’s Threat Intelligence Ecosystem last month, LogRhythm has received “considerable inbound interest from customers and channel partners,” says Winter. “Feedback has been very positive.”
Similar threat intelligence alliances, both formal and informal, are taking shape throughout the tech security world. The business model of Hexis Cyber Solutions, a year-old startup, relies on pooling threat sensor data from several security vendors, including antivirus giant Symantec and social media malware detection firm ZeroFOX.
Hexis applies analytics with the goal of accurately identifying – and automatically removing – clearly malicious programs.
“The state of the art today is a single point security product triggering alerts on particular things and putting a warning on a screen,” says Chris Fedde, president of Hexis. “We’re all about analyzing alerts and taking action on them. Anything that’s malicious we go ahead and remove.”
In one recent pilot study, Hexis tracked 5,000 computing devices and 13,000 user accounts of a U.S. medical center for 30 days. Hexis intecepected 35,000 incidences of suspicious outside contacts and removed 23 malicious files.
Those malicious files that got inside the medical center’s network included Dirtjumper, a tool used to conduct denial of service attacks; Tsumani, malware used for spamming and data theft; a remote access tool (RAT) used to take full control of a compromised computer; and an adware Trojan.
There’s a long way to go. But alliances to share threat sensor information, like the ones being pioneered by LogRhythm, Hexis and many other security vendors, seem destined to take root.
Someday in the not too distant future, it may not matter if intruders get inside the network, if robust threat intelligence systems are poised to cut them off from doing damage.
More on emerging best practices