Login
Cybersecurity detection is a criminal investigation. Cybercrime investigators are experts who are in limited supply. Sometimes their hunt begins while an intrusion is in process, but more often than not, it occurs after the attack when a crime has occurred. The investigation is taunting and less glamorous, realizing that it can take an average of 228 days even to identify the breach[i].
At that point, you’re looking to find out what your adversaries have seen or stolen, you want to plug the holes that enabled the hack and kick out or remove the adversary completely. Figure on an average of 80 days to resolve and contain a breach. Meanwhile, your adversary spends the epic dwell time in your environment to monitor your traffic and behavior before determining their next move.
Do the math on that exercise and, unless you have generous funding, you may conclude that your resources stretch further by focusing on prevention rather than detection. While eliminating detection may not be practical, you can at least realign your spending and shore up your prevention efforts with enhanced actionable information.
Several things have happened to make this shift possible. First, detection is now often automated and highly productive. Second, advance warning is better than ever. You can apply predictive analytics to leverage in-depth threat intelligence sources to produce real-time, automated assessments of your security posture risks from device to cloud.
Making the shift from detection to prevention didn’t happen overnight for the Service public de Wallonie (SPW), the public administration arm of the French-speaking regional government of Wallonia in Belgium. SPW’s endpoint security team oversees 9,000 desktops, 1,300 servers, and 1,000 applications used by more than 8,000 employees.
When SPW implemented MVISION Insights, the security team sought to identify potential threats lurking outside the agency’s perimeter. Using data gathered from one billion sensors globally that have been distilled and analyzed by artificial intelligence and human experts, MVISION Insights provides comprehensive risk intelligence filtered for a specific industry and geography. It helps SPW’s security team to prioritize which threats and campaigns are most likely to target them.
Before making this shift, SPW’s team regularly spent hours checking out various security sites, lab reports, and news articles to track the latest threat campaigns. After deploying MVISION Insights, the same result arrived in seconds or minutes. Now they’re engaging in more proactive threat hunting and attack prevention by tapping into predictive assessments and adjusting their posture accordingly.
Organizations such as SPW illustrate that playing both offense and defense becomes necessary to reduce time-to-detect and dwell time. Detection is difficult for several reasons, most notably the deluge of advanced persistent threats (APTs). And it’s also complicated by the cost of threat hunting talent, given the current shortage of cybersecurity expertise.
These days there’s such an overwhelming amount of security data pouring into data lakes that manually aggregating and analyzing it to make sense of anything requires a fair amount of threat expertise. Then there’s the time it takes to triage and determine the following steps to thwart an attack. By the time you’re analyzing this data, at best, you’re in a reactive state with limited visibility and understanding of your local environment.
One effective way to streamline that process is to apply the proven MITRE ATT&CK® framework, which provides an excellent knowledge base to help with threat hunting and detection. We use that framework to better inform MVISION XDR powered by MVISION Insights, for example. As we mentioned in March, we align XDR with MITRE to greatly expand the depth of our investigation, threat detection, and prevention capabilities to prevent the attack chain with relevant insights.
In our leading role in the cybersecurity community, we gather a lot of intelligence and invest considerable time curating content to ensure that what we share is timely, accurate, and valuable. This is reflected in MVISION Insights with over 1000 threat campaign profiles. If you place MVISION Insights in your environment it goes beyond threat intelligence. You also gain prioritized threat insights on a likely attack targeting you, where your gaps are and what you can do. Introducing our new Proactive Evolution series to get regular information on how to become more preventive and protective with LinkedIn Live discussions, blog posts, and other intelligence from our cybersecurity expert contributors highlighting the power of MVISION Insights.
This new Proactive Evolution Series features helpful content intended for managing or building security operations to be more effective and preventive or for a CISO who wants to stay on top of changing best practices.
Detection is often done in reaction to an attack or a looming threat. Not every organization can do both detection and prevention equally well. That’s usually because they lack dedicated or experienced threat hunters or suitable detection technologies. By shifting your efforts to a proactive prevention strategy, you’re boosting your chances to harden your systems before an attack.
Click here to access McAfee Enterprise’s new Proactive Evolution Series content.
Event Replay
Understand how the adversary is working and how you stack up against them. Together, Raj and Brett dig into how MVISION Insights helps you determine which active threat campaigns you need to worry about, if you’re a target, and what you can do.
The post Why an Ounce of Cybersecurity Prevention is Worth a Pound of Detection appeared first on McAfee Blog.
The security industry is engulfed in the most asymmetric cyberwarfare we have ever seen.
The outcome of an Attacker’s mission may depend entirely upon a single misplaced charge on a single memory chip on a single server, perhaps the difference between a vulnerable and secure setting in a registry key, and the difference between success and failure to gain access to infrastructure, information, and identities (I3) to subsequently wreak havoc, disable critical operations or infrastructure, and put lives at risk.
The outcome of a Defender’s day depends entirely upon how well they secure trillions of charges across chips, computers, containers, clouds, and even cars against potentially thousands of simultaneous Attackers running millions of attacks, each scouring the Defender’s kingdom for the crown jewels of control and information.
This ridiculously uneven war between Attacker and Defender has been a well-known challenge in cybersecurity for some time, and a few fear-inducing statistics always find their way into the first few slides of PowerPoint presentations. However, this asymmetric dynamic remains perhaps the single most fundamental truth that should guide us to innovate and to design solutions to give our Defenders better outcomes every day. From this lens, first, we must discuss how to shape and prioritize the protection, detection, and response capabilities with which we will arm Defenders.
We must face some harsh and humbling truths that history has taught us about our asymmetric war:
A. Better incident response (IR) programs and better IR training will not solve this problem. Best practices and tool upgrades will win a few battles for the Defender. Still, research suggests a full investment in SOAR and other automation tools will at most reduce costs by roughly 60% for leaders over laggards, all while the cost of breaches continues to rise across all organizations. Investment in IR programs is unquestionably justified from a financial perspective, but that investment is equivalent to sharpening our spears around the campfire while waiting for the tigers to pounce in the long view of the asymmetric war.
B. Continued entrepreneurship and innovation in novel but transient security controls and frameworks will not solve this problem. Simson Garfinkel, currently Senior Data Scientist at the U.S. Department of Homeland Security, spoke of “The Cybersecurity Mess” and how “cybersecurity is a wicked problem that can’t be solved” almost a decade ago, which was arguably a much simpler and more manageable time for Defenders. Gartner’s Hype Cycle is an excellent value-lifecycle tracker for categories of inventions, and few categories have a faster ride on the Hype Cycle rollercoaster than cybersecurity. At best, security controls rapidly transition from revolutionary standalone products to line-item features on a data sheet as Attackers adapt to and overcome their main value proposition. Perhaps the next ten tigers are caught in camouflaged traps, but we soon notice that they have adapted to avoid them and even set their own.
So, do we accept our fate and ultimate defeat of the Defender at the hands of the Attackers? Or is there a Mars Shot initiative that could dwarf anything we have accomplished in the past, bringing symmetry to the war and erasing millions of person-years of Attacker experience and superiority in a flash? And what the heck does this have to do with eXtended Detection and Response (XDR)?
Almost 25 years ago, IBM’s Deep Blue overcame 1500 years of cumulative chess knowledge to defeat Garry Kasparov. Five years ago, Google DeepMind’s AlphaGo destroyed over 3000 years of accumulated techniques and strategy to supplant Lee Sedol as the greatest go player ever. Shortly after, Google’s next-gen AlphaZero rendered its own AlphaGo mentor obsolete, having learned chess and go without any human interaction. It seems unfathomable that human beings will even attempt to win these titles back, and we have deep reinforcement learning (Deep RL) to thank.
We have the same massively disruptive opportunity to give hope to the Defender by looking to embed self-learning automated AI systems into our prevention, detection, and response controls, as outlined by the MIT Technology Review discussing security uses for AIOps. Less a point on the Gartner Hype Cycle, and more an entirely new dimension of innovation, this cybersecurity AI system, like all AI systems, requires two major components to feed its hunger to learn: (a) large amounts of data related to the inputs and outputs of the I3 systems across the attack surface, and (b) reliable feedback mechanisms and workflows to train the algorithms. The precursors of these needs map readily to (a) the well-established SIEM and Security Analytics markets and (b) the newer EDR and emerging XDR markets.
Source: Sutton, R.S., Barto, A.G. (2015). Reinforcement Learning: An Introduction, pp. 54.
Allie Mellen, an analyst with Forrester Research who covers SecOps, has already written an excellent research report succinctly describing key strengths and weaknesses of these markets and the dynamics likely to unfold in the near term:
A. A convergence of critical technologies and capabilities from the SIEM, SOAR, and XDR markets is inevitable; and,
B. EDR and EDR platforms are the natural evolutionary precursors to XDR, given that endpoints have become pivotal nodes in attack chains.
EDR technology on computers, notebooks, and phones has proven to give us the most detailed and robust knowledge about end-user behavior and risk. EDR provides a natural data-rich progression to XDR on the Gartner 2020 Hype Cycle for Endpoint Security as the “next tech up” to provide meaningful and prescriptive training feedback to emerging AI platforms (e.g., IR Analyst A carried out Steps X, Y, and Z across Controls 1, 2 and 3 to negate Threat A). Through research such as Google’s multi-task machine learning exercise and Zhamak Dehghani’s groundbreaking rethinking of data architectures, we have also come to understand that future I3 datasets for AI consumption will likely reside in globally distributed data meshes and not monstrous and monolithic data lakes. The evolution from SIEM to Security Analytics and from EDR to XDR offer the preliminary steps to bring us to a fully integrated “DeepSecOps” platform that has the potential to turn the Attacker-Defender asymmetry on its head. For this blog, let’s define DeepSecOps as a platform or system that seamlessly and automatically integrates the components and processes described in the diagram above (and potentially more), with self-fueled learning and effective automated response as the fundamental goals.
There also exists a more foreboding reason to invest in XDR as a precursor to DeepSecOps. Tomorrow’s Attacker is honing their craft today: They will casually launch thousands of containers across a hybrid multi-cloud infrastructure designed to morph into multiple target infrastructure profiles with various off-the-shelf security controls already in place, and then unleash thousands of simulated attacks while their own Deep RL engine watches and measures its success.
Defenders should look to cybersecurity partners who offer them a clear path to build the foundation for a DeepSecOps future. What does this look like today? Some key considerations:
Make these considerations the tactical precursors to unleashing the DeepSecOps technology that will reframe and contain the Attacker-Defender asymmetry.
On what wings dare [they] aspire?
What the hand, dare seize the fire?
Whether you are building a SOC function with limited resources or maturing a well-established SOC, McAfee is here to help you simplify and strengthen your security operations with MVISION XDR. With MVISION XDR, you can proactively identify, investigate and mitigate threat actors targeting your organization before they can gain a foothold in the network. By combining the latest machine-learning techniques with human analysis, XDR connects and amplifies the early warning signals from your sensors at the network, endpoint, and cloud to improve situational awareness, drive better and faster decisions, and elevate your SOC.
To learn more about what MVISION XDR can do for you watch the video below.
* With apologies to William Blake for dragging his brilliant metaphor into the world of cybersecurity and with a nod to that early Wolverine comic.
The post Cyber Cyber, Burning Bright: Can XDR Frame Thy Fearful Asymmetry? appeared first on McAfee Blogs.
Imagine, if you will, a scene straight out of one of your favorite impossible mission movies. The background music is driving a suspenseful beat while the antagonist attempts to steal the latest technology from a very favored industry competitor called Rad-X Incorporated. It’s a trade secret that will change the industry forever, and if the villain achieves her mission, she will hold the future of aviation in the palm of her hand. She’s bypassed laser motion detectors, swung from the ceiling to avoid floor placed pressure plates, and even performed some seriously intense acrobatics to slip through video surveillance mechanisms. Then, at the apex of suspense while the music ascends to a crescendo, a hard thumping release, she reaches out to grasp a microchip placed in the center of the room on a pedestal as if the room were designed only to show off its magnificence. As her fingers gently nestle against the circuit… the music stops, the alarms sound, and she walks out completely and utterly undisturbed!
All the components in this scene were meant to record and detect when an activity occurs. But when we needed it most all that it amounts to is a noisy detection capability. It did not actually “prevent” the malicious actor from doing anything. Instead, the system merely let everyone know that it occurred… very anticlimactic if you ask me, and frankly not very useful if you’re the good guy.
SIEM technologies have been used in security operations for over 15 years for a few reasons. First, SOCs must be able to tell a story while performing incident response investigations. And to go back in time effectively, logged events of these activities can be more easily accessed if the events are stored centrally and for an appropriate longevity. So, when the police show up, the victim can accurately name the perpetrator. Next, because the data sources are so disparate, SIEMs can be used to correlate activities among usually unrelated feeds. For example, if a floor plate triggered, then a motion sensor fires within 15 seconds of each other, their collective severity may raise more of an alarm. And thirdly, centrally reporting on collective data allows the business to identify where it is effectively investing in control technologies. In this extended example, the victim can run a report monthly showing that the microchip pressure sensor triggered 5 times this month, while the others may have triggered only once or twice. Certainly, all these capabilities are just as important today as they were in 2005.
But there is one glaring gap: why isn’t there a better way to take corrective action after the incident occurs? Extended Detection and Response (XDR) capabilities have some similar outcomes as we would expect in 2021, but with an added response component… and in McAfee’s case, many response components. Some capabilities overlap SIEM’s, which is natural based on each use case, but both of which are still essential to the modern security operations program.
Figure 1: SIEM vs XDR Capabilities
While SIEM technologies, for the most part, allow its administrators to integrate through APIs with other technologies, the actions available are often limited in nature and fail to provide a seamless and consistent response option across the landscape. XDR, however, does just that. The platform is designed such that whether the system on which you are acting is an endpoint, network component, or cloud service, the security operations practitioner should expect to enjoy an intimate level of native control on that security control device. Performing actions like restricting further access, retrieving additional information, or gaining console capabilities should be as simple as a click of a button. With XDR, when the alarm sounded, Rad-X would have been able to simply click a button to lock the vaulted room and apprehend the perpetrator.
And since this is a differentiator between XDR and SIEM platforms, it should stand to reason that response capabilities should be a key factor when comparing XDR providers. McAfee offers some of the most robust response capabilities right out of the box such as quarantining affected assets, while simultaneously offering the ability to write your own for Windows, MacOS, or Linux.
While it is painfully apparent that data entering data lakes and massive data collections are regularly changing, data types are changing almost as frequently. SIEM technology, which is heavily based on collectors, parsing, enrichment, ontology, and more, often fails to address the ongoing change of data types on the data source. This means that the collectors need to be updated frequently. However, what if the data was first triaged and analyzed at the source and the results delivered to the collection and correlation points? This would address a large portion of the data type challenge while simultaneously expecting and embracing the idea that the data will continue to live at its source. Sure, there may be cases where the raw data needs to be shipped to mass storage for historical searching and hunting, but those are the minority of the cases. And, since the goal of XDR is not to meet log retention requirements as a compliance tool, it need not focus on collecting all events created.
When running a search in XDR platform, such as McAfee’s MVISION XDR, the searches can be run against mass storage or in real-time. Realtime searches allow the data source to perform the query against the raw origination of the event. And, since both capabilities are available, comparing deltas between the state of the data source is easily done. If Rad-X, were using XDR they would be able to ask questions of the corridors, cameras, and entry ways the villain was using throughout the attack. Instead, they were forced to wait for an event significant enough to have occurred to be alerted that the incident was now in the past.
Figure 2: XDR Logical Architecture
Figure 3: Traditional SIEM Architecture
As you can tell from the illustrations above, XDR offers security teams a simpler cloud-native service architectural model when compared to traditional SIEM. The majority of SIEM deployments require all the native infrastructure to be deployed as on-premises software or appliances or in IaaS. XDR can reduce the complexity of your security configuration and the expert resources required to operate it.
Rad-X’s CEO wants answers, and he wants them now! How did this happen? Did we know about this criminal and anything she may have been up to? Were we the only targets? What is our best course of action to investigate what happened here?
MVISION XDR is designed to answer exactly these questions.
MVISION XDR goes beyond consolidation of endpoint detection and response (EDR), network detection and response (NDR), and cloud detection and response capabilities as it leverages threat intelligence and analytical posture assessments from MVISION Insights to guide its ability to predict, to prescribe, and to help prioritize what’s most important in your organization. MVISION Insights would help Rad-X shift its focus left of the moment of impact by telling its defenders about the pending threats from the threat actor. Knowing that she was targeting aviation innovators and that Rad-X was in her line-of-sight would have helped, but it would also call out the gaps in defense capabilities based on her techniques and procedures.
Then, even if the incident were to still have occurred, MVISION XDR would be able to take advantage of its Artificial Intelligence data analytics by examining how the intruder behaved, what kind of artifacts were left behind on the floor, and what may be missing from the environment which “should” be there. It’s like having a virtual Sherlock Holmes analyzing each of your XDR incidents across endpoints, network, and cloud environments.
Rad-X suffered an unfortunate event, but they learned an incredibly valuable lesson: SIEM is important as it meets some critical functions, but XDR is more appropriate in performing action driven investigations, threat analytics, rapid response, and more. So, if you find yourself in a position like Rad-X and are curious about the value and benefits of XDR in your environment, take a page out of Rad-X’s playbook and consider MVISION XDR to provide a shift left in threat predictions, prescriptions, and prioritization. Consider MVISION XDR to enhance your incident analytics capabilities with cloud-based AI playbooks. And consider MVISION XDR to provide detection and response capabilities from device to cloud.
If you’d like to learn more about what MVISION XDR can do for you and how it is evolving at McAfee, join me for a live tech talk on May 25, 2021. I’ll be joined by Randy Kersey, XDR Product Manager at McAfee, to discuss how security operations teams can respond more effectively to incidents by harnessing their extensive security telemetry with the latest release of MVISION XDR. Be sure to register via LinkedIn. I hope to see you there!
The post Mission Possible: Hunting Down and Stopping Stealthy Attackers with MVISION XDR appeared first on McAfee Blogs.
The MITRE ATT&CK® Framework proves that authority requires constant learning and the actionable information it contains has never held greater currency. Likewise, XDR, the category of extended detection and response applications, is quickly becoming accepted by enterprises and embraced by Gartner analysts, because they “improve security operations productivity and enhance detection and response capabilities.”
It is less well known how these tools align to improve the efficacy of your cybersecurity defenses leveraging key active cyber security industry frameworks. In MVISION XDR there’s a dynamic synergy between the MITRE ATT@CK Framework and XDR. Let’s consider how and why this matters.
One of the biggest issues with XDR platforms, according to Gartner, is a “lack of diversity in threat intel and defensive techniques.” By aligning our XDR with MITRE, we greatly expand the depth of our investigation, threat detection, and prevention capabilities while driving confidence in preventing the attack chain with relevant insights.
With MITRE ATT&CK Framework in the hands of your incident response teams, you’re utilizing a definitive and progressive playbook that articulates adversarial behaviors in a standard and authoritative way.
The Framework is a valuable resource that contains a knowledge base of adversarial techniques that security defenders can reference to make sense of the behaviors (techniques) leading to system intrusions on enterprise networks.
In MVISION XDR, this synergy results in a shared source of truth. Adding MITRE ATT&CK into your SOC workflow is essential for analysts who need to conduct a thorough impact analysis and decide how to defend against or mitigate attacks.
Here are five powerful ways that XDR applies MITRE ATT&CK and helps operationalize the framework:
At first glance, the MITRE ATT&CK framework matrix, with its myriad of sub-techniques, reads like a checklist of concerns for your SOC analysts to evaluate. But approaching threat analysis or investigations that way may lead to a form of tunnel vision. Knowing that an attacker is not just limited to one set of techniques, MVISION XDR boosts your team’s efficacy by covering the entirety of the matrix including device, network, and cloud detection vectors.
MVISION XDR also increases your team’s situational awareness by making it easy to map and correlate tactics, techniques and procedures (TTPs) directly to MITRE ATT&CK information. XDR supplies visualizations that reduce the burden on analysts to identify patterns and assess the recommended prevention guidance.
As we’ve pointed out on other occasions, MVISION XDR can chain MITRE ATT&CK techniques into complex queries that describe behaviors, instead of individual events. MVISION XDR is hypothesis driven, utilizing Machine Learning and Artificial Intelligence to analyze threat data from multiple sources and map it to the MITRE ATT&CK framework.
Increasing the efficacy of your SOC team analysts, incident responders and other members of your team is obviously critical to producing smarter and better security outcomes including faster time to detect (MTTD) or remediate (MTTR). MVISION XDR also boosts team productivity and drives more accurate prevention by automating security functions like detection or response.
Armed with actionable intelligence your team can proactively harden the enterprise before an attack. When Gartner states that “The goal of XDR is improved detection accuracy and security operations center (SOC) productivity” we tend to think that integrating MITRE ATT&CK framework sets the standard in our competitive set.
At the end of the day, this winning combination of MITRE ATT&CK and MVISION XDR offers the C-level and Board sufficient level of evidence of resilience. A vibrant information exchange must be a two-way street. We work closely with the MITRE team and actively contributes to the development of new matrices to empower the broader MITRE ATT&CK community.
Hear more from a SOCwise expert on why MITRE matters.
The post 5 Ways MVISION XDR Innovates with MITRE ATT&CK appeared first on McAfee Blogs.
What is your organization’s readiness for the emerging eXtended Detection Response (XDR) technology? McAfee just released the first iteration of this technology, MVISION XDR. As XDR capabilities become available, organizations need to think through how to embrace the new security operations technology destined to empower detection and response capabilities. XDR is a journey for people and organizations.
The cool thing about McAfee’s offering is the XDR capabilities is built on the McAfee platform of MVISION EDR, MVISION Insights and is extended to other McAfee products and third-party offerings. This means –— as a McAfee customer — your XDR journey has already begun.
The core value prop behind XDR is to empower the SecOps function which is still heavily burdened with limited staff and resources while the threat landscape roars. This cry is not new. As duly noted in the book, Ten Strategies of World-class Cybersecurity Operations Center, written quite a few moons ago: “With the right tools, one good analyst can do the job of 100 mediocre ones.” XDR is the right tool.
SecOps empowerment means impacting and changing people and process in a positive manner resulting in better security outcomes. Organizations must consider and prepare for this helpful shift. Here are three key considerations organizations need to be aware of and ready for:
A baseline requirement for XDR is to unify and aggregate security controls and data to elevate situation awareness. Now consider what does this mean to certain siloed functions like endpoint, network and web. Let’s say you are analyst who typically pulls telemetry from separate control points (endpoint, network, web) moving from each tool with a login, to another tool with another login and so on. Or maybe you only have access to the endpoint tool. To gain insight into the network you emailed the network folks with artifacts you are seeing on the endpoint and ask if these is anything similar, they have seen on the edge and what they make of it. Often there is a delayed response from network folks given their priorities. And you call the web folks for their input on what they are seeing. Enter XDR. What if this information and insights was automatically given to you on a unified dashboard where situation awareness analysis has already begun. This reduces the manual pivoting of copy and pasting, emailing, and phone calls. It removes the multiple data sets to manage and the cognitive strain to make sense of it. The collection, triaging, and initial investigative analysis are automated and streamlined. This empowers the analysts to get to a quicker validation and assessment. The skilled analyst will also use experience and human intuition to respond to the adversary, but the initial triaging, investigation, and analysis has already been done. In addition, XDR fosters the critical collaboration between the network operations and security operations since adversary movement is erratic across the entire infrastructure.
Imagine if your SecOps gained high priority threat intelligence before the adversary hits and enters your environment. What does it mean to your daily SecOps processes and policy? It removes a significant amount to of hunting, triaging and investigation cycles. It simply prioritizes and accelerates the investigation. It answers the questions that matter. Any associated campaign is bubbled up immediately. You are getting over a hundred high alerts, but one is related to a threat campaign that is likely to hit. It removes the guess work and prioritizes SecOps efforts. It assesses your environment and the likely impact—what is vulnerable. More importantly it suggests counter measures you can take. It moves you from swimming in context to action in minutes.
This brings the SecOps to a decision moment faster—do they have the authority to respond? Are they a participant in prevention efforts? Note this topic is Strategy Three in the Ten Strategies of World-class Cybersecurity Operations Center where it is highly encouraged to empower SecOps to make and/or participate in such decisions. Policies for response decisions and actions vary by organizations, the takeaway here is decision moments come faster and more often with significant research and credible context from MVISION XDR.
XDR is an open, integrated platform. So, what does it mean to people and process if all the pieces are integrated and security functions coordinate efforts? It depends on the pieces that are connected. For example, if SecOps can place a recommendation to update certain systems on the IT service system automatically it removes the necessity to login into the IT system and place a request or in some cases call or email IT (eliminating a time-consuming step.) There is a heightened need for what–if scenario policies driven by Secure Orchestration Automation Response (SOAR) solutions. These policies are typically reflected in a manual playbook or SOAR playbook.
Let’s consider an example, when an email phishing alert is offered the SOAR automatically (by policy/play required) compares the alert against others to see if there are commonalties worth noting. If so, the common artifacts are assigned to one analyst versus distributing separate alerts to many analysts. This streamlines the investigation and response to be more effective and less consuming. There are many more examples, but the point is when you coordinate security functions organization must think through how they want each function to act under specific circumstances—what is your policy for these circumstances.
These are just a few areas to consider when you embrace XDR. I hope this initial discussion started you thinking about what to consider when embracing XDR. We have an online SOC audit where you can assess your SOC maturity and plan where you want to go. Join us for a webinar on XDR readiness where experts will examine how to prepare to optimize XDR capabilities. We also have a SOC best practices series, SOCwise that offers regular advice and tips for your SOC efforts!
The post Are You Ready for XDR? appeared first on McAfee Blogs.
Albert Einstein once said, “We cannot solve our problems with the same thinking we used when we created them”.
Security vendors have spent the last two decades providing more of the same orchestration, detection, and response capabilities, while promising different results. And as the old adage goes, doing the same thing over and over again whilst expecting different results is…? I’ll let you fill in the blank yourself.
SIEM! SOAR! Next Generation SIEM! The names changed, while the same fundamental challenges remained: they all required heavy lifting and ongoing manual maintenance. As noted by ESG Research, SIEM – being a baseline capability within SOC environments – continues to present challenges to organisations by being either too costly, exceedingly resource intensive, requiring far too much expertise, and various other concerns. A common example of this is how SOC teams still must create manual correlation rules to find the “bad” connections between logs from different products, applications and networks. Too often, these rules flooded analysts with information and false alerts and render the product too noisy to effective.
The expanding attack surface, which now spans Web, Cloud, Data, Network and more, has also added a layer of complexity. The security industry cannot only rely on its customers’ analysts to properly configure a security solution with such a wide scope. Implementing only the correct configurations, fine-tuning hundreds of custom log parsers and interpreters, defining very specific correlation rules, developing necessary remediation workflows, and so much more – it’s all a bit too much.
Detections now bubble up from many siloed tools, too, including Intrusion Prevention Systems (IPS) for network protection, Endpoint Protection Platforms (EPP) deployed across managed systems, and Cloud Application Security Broker (CASB) solutions for your SaaS applications. Correlating those detections to paint a complete picture is now an even bigger challenge.
There is also no ‘R’ in SIEM – that is, there is no inherent response built into SIEM. You can almost liken it to a fire alarm that isn’t connected to the sprinklers.
SIEMs have been the foundation of security operations for decades, and that should be acknowledged. Thankfully, they’re now being used more appropriately, i.e. for logging, aggregation, and archiving.
Now, Endpoint Detection and Response (EDR) solutions are absolutely on the right track – enabling analysts to sharpen their skills through guided investigations and streamline remediation efforts – but it ultimately suffers from a network blind spot. Similarly, network security solutions don’t offer the necessary telemetry and visibility across your endpoint assets.
Of Gartner’s Top 9 Security and Risk Trends for 2020, “Extended detection and response capabilities emerge to improve accuracy and productivity” ranked as their #1 trend. They noted, “Extended detection and response (XDR) solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability…The primary goals of an XDR solution are to increase detection accuracy and improve security operations efficiency and productivity.”
That sounds awfully similar to SIEM, so how is an XDR any different from all the previous security orchestration, detection, and response solutions?
The answer is: An XDR is a converged platform leveraging a common ontology and unifying language. An effective XDR must bring together numerous heterogeneous signals, and return a homogenous visual and analytical representation.. XDR must clearly show the potential security correlations (or in other words, “attack stories”) that the SOC should focus on. Such a solution would de-duplicate information on one hand, but would emphasize the truly high-risk attacks, while filtering out the mountains of noise. The desired outcome would not require exceeding amounts of manual work; allowing SOC analysts to stop serving as an army of “translators” and focus on the real work – leading investigations and mitigating attacks. This normalized presentation of data would be aware of context and content, be advanced technologically, but simple for analysts to understand and act upon.
SIEMs are data-driven, meaning they need data definitions, custom parsing rules and pre-baked content packs to retrospectively provide context. In contrast, XDR is hypothesis driven, harnessing the power of Machine Learning and Artificial Intelligence engines to analyse high-fidelity threat data from a multitude of sources across the environment to support specific lines of investigation mapped to the MITRE ATT&CK framework.
The MITRE ATT&CK framework is effective at highlighting “how bad guys do what they do, and how they do it.” While traditional prevention measures are great at “spot it and stop it” protections, MITRE ATT&CK demonstrates there are many steps taking place in the attack lifecycle that aren’t obvious. These actions don’t trigger sufficient alerting to generate the confidence required to support a reaction.
XDR isn’t a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform. An XDR approach will shift processes and likely merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.
The ideal XDR solution must provide enhanced detection and response capabilities across endpoints, networks, and cloud infrastructures. It needs to prioritise and predict threats that matter BEFORE the attack and prescribe necessary countermeasures allowing the organisation to proactively harden their environment.
McAfee’s MVISION XDR solution does just that, by empowering the SOC to do more with unified visibility and control across endpoints, network, and cloud. McAfee XDR orchestrates both McAfee and non-McAfee security assets to deliver actionable cyber threat management and support both guided and automated investigations.
What if you could find out if you’re in the crosshairs of a top threat campaign, by using global telemetry from over 1 billion sensors that automatically tracks new campaigns according to geography and industry vertical? Wouldn’t that be insightful?
“Many firms want to be more proactive but do not have the resources or talent to execute. McAfee can help bridge this gap by offering organisations a global outlook across the entire threat landscape with local context to respond appropriately. In this way, McAfee can support a CISO-level strategy that combines risk and threat operations.”
– Jon Oltsik, ESG Senior Principal Analyst and Fellow
But, hang on… Is this all just another ‘platform’ play?
Take a moment to consider how ‘platform’ offerings have evolved over the years. Initially designed to compensate for the heterogeneity and volume of internal data sources and external threat intelligence feeds, the core objective has predominantly been to manifest data centrally from across a range of vectors in order to streamline security operations efforts. We then saw the introduction of case management capabilities.
Over the past decade, the security industry proposed solving many of the challenges presented in SOC contexts through integrations. You would buy products from a few different vendors, who promised it would all work together through API integration, and basically give you some form of pseudo-XDR outcomes we’re exploring here.
Frankly, there are significant limitations in that approach. There is no data persistence; you basically make requests to the lowest API denominator on a one-to-one basis. The information sharing model was a one-way ‘question and answer’ leveraging a scheduled push-pull methodology. The other big issue was the inability to pull information in whatever form – you were limited to the API available between the participating parties, with the result ultimately only as good as the ‘dumbest’ API.
And what about the lack of any shared ontology, meaning little to no common objects or attributes? There were no shared components, such as UI/UX, incident management, logging, dashboards, policy definitions, user authentication, etc.
What’s desperately been needed is an open underlying platform – essentially like a universal API gateway scaled across the cloud that leverages messaging fabrics like DXL that facilitate easy bi-lateral exchange between many security functions – where vendors and partner technologies create tight integrations and synergies to support specific use cases benefitting SOC ecosystems.
Is XDR, then, a solution or product to be procured? Or just a security strategy to be adopted? Potentially, it’s both. Some vendors are releasing XDR solutions that complement their portfolio strengths, and others are just flaunting XDR-like capabilities.
SIEMs still deliver specific outcomes to organisations and SOCs, which cannot be replaced by XDR. In fact, with XDR, a SIEM can be even more valuable.
For most organisations, XDR will be a journey, not a destination. Their ability to become more effective through XDR will depend on their maturity and readiness to embrace all the required processes. In terms of cybersecurity maturity, if you’d rate your organisation at a medium to high level, the question becomes how and when.
Most organisations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace XDR’s capabilities. They are already investigating and resolving endpoint threats and they’re ready to expand this effort to understand how their adversaries move across their infrastructure, too.
If you’d like to know more about how McAfee addresses these challenges with MVISION XDR, feel free to reach out!
The post XDR – Please Explain? appeared first on McAfee Blogs.
Last month, I discussed the FedRAMP program’s basics and why it’s such a big deal for the federal government. In short, the program protects the data of U.S. citizens in the cloud and promotes the adoption of secure cloud services across the government with a standardized approach.
But within the FedRAMP program, there are different authorizations. We’re pleased that McAfee MVISION for Endpoint Access recently achieved FedRAMP Moderate Authorization, which allows users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).
As organizations across the country continue to adapt to a remote workforce, the U.S. government is “in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape,” Alex Chapin, our VP of DoD and Intelligence notes.
And he’s right – with the 2021 federal fiscal year in full focus, federal agencies are continuing to push cloud computing as the COVID-19 pandemic continues, creating a real need for security in these applications.
The FedRAMP Moderate designation allows MVISION to provide the command and control cyber defense capabilities government environments need to enable on-premises and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.
This is a massive win for the federal government as it continues to build out its remote workforce capabilities at a time when the GAO is continuing to release best practices for telework, highlighting how remote work is here to stay in the federal government.
MVISION Cloud is currently in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).
At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards to help the federal government secure its digital infrastructure and prepare for an increasingly digital operation. We look forward to working closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.
The post McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise appeared first on McAfee Blogs.
Over the past 9 months, the world has grappled with the COVID-19 pandemic. We have all felt vulnerable. With borders closed and curfews and lockdowns instituted, things that we can count on, like reliable energy and technology, have become more essential than ever… Especially now that most of us have to conduct work from home, we are grateful for reliable energy as it powers our lights, air, heating, and internet. It is imperative during these critical times that homes—and businesses—run smoothly, without any interruptions from cyberthreats.
Like many businesses during this vulnerable time, a leading North American oil and gas company was already bombarded daily by cyberthreats before Covid-19, but the onset of the pandemic and the transition to thousands of employees working from home only made it a bigger target. Since the start of the pandemic-induced shift to remote work, the company has experienced a much higher volume of campaigns by sophisticated threat actors.
To guard against these bad actors and reduce vulnerability, the company’s security team purchased McAfee’s MVISION EDR after a proof-of-concept bakeoff against two competing products. The McAfee solution’s integration capabilities, attractive pricing, and lack of dependency upon a complex and costly infrastructure placed it far ahead of its endpoint threat detection and response (EDR) competitors. The need to accelerate threat response increased the company’s sense of urgency to implement MVISION EDR.
With help from McAfee technical support experts, the company’s security team completed its roll out of MVISION EDR across 16,000 endpoints within just two weeks. Now that MVISION EDR is deployed, the IT security manager and his team have much greater visibility into threats across all endpoints, including those belonging to employees working from home. This increase in visibility and understanding has helped them quickly identify patient zero and follow the trajectory of an attack to understand its potential impact. With MVISION EDR, they are able to determine every lateral movement that took place and analyze endpoints to determine if they were affected.
With McAfee MVISION EDR, the company’s security team can easily prioritize alerts, quickly grasping which ones need immediate attention and which can wait. In the future they hope to leverage the solution’s artificial intelligence-guided investigations and automate tasks to keep improving threat analysis and threat hunting, all of which will shrink the time-to-response gap even more.
Another benefit for the security team is the ability to use MVISION EDR for inventory tracking; they also can easily check registry settings to monitor system licensing and ensure proper configurations. When they roll out new tools in the environment, for example, they use MVISION EDR to make sure that the systems are working properly and communicating the way they should.
As you find yourself spending all your time at home, remember the critical role your energy company and technology play to provide you comfort in a not so comfortable time. Cybersecurity is complex but to find out how we simplify handling potential threats to our customers, please read the case study. And get your questions answered by tweeting @McAfee_Business.
The post Energy Company Fights Back with MVISION EDR as Covid-19 Increases Threat Campaigns appeared first on McAfee Blogs.
Truebill, Chargebee, Fusebill and other financial apps have been inundating my social feeds and until recently I didn’t understand why I would need one of these apps. I’m the type that knows her bank account balance to the penny and I was shocked to discover that many of my co-workers and, of course, my college kid had no idea their balance was low until they tried to use their debit card and got declined. What also surprises me is how many people don’t know what is coming out of their bank account. I may not realize precisely how much my Starbucks addiction costs but I’m in security and I need my caffeine! Keeping up with the latest ways cyber criminals can infiltrate an organization or sneak past endpoint solution takes a lot of energy.
Then I got to thinking about these new apps that I can’t imagine why anyone would need to use – UNTIL I decided to try one….and then I discovered I too had been compromised by subscriptions and fees I had no idea I was being charged for. This led me to think about my false sense of security and how I felt I was protected because I checked my account and tracked what came in and out. I use my debit card a lot, I use it constantly for purchases and have it attached to Apple Pay, Pay Pal and you name it, it is linked.
So why am I bringing this up? Well, in your job you might have responsibility for corporate security…and you might be feeling pretty comfortable that you have everything under control, a bit like I did with my finances – but you don’t know what you don’t know. It’s all well and good (and indeed highly advisable) having an endpoint protection product in place but is it possible that this is giving you a feeling of security beyond the true situation? Could there be sneaky activity happening at a really low level that is getting past those solutions? I didn’t think so, until I installed the app and I discovered exactly what I didn’t know.
And that’s where EDR comes in – because EDR is designed to monitor what is happening on your endpoint devices, to track and trace activity, consolidate it and identify potential risks – the really good EDR solutions will also group related items into threads to speed up investigations, prioritize which groups should be examined first and even automate some of the investigation processes.
And don’t overlook the importance of that automation – when I was looking at my finances if the app I tried had simply overwhelmed me with massive amounts of information (some of which I knew, some of which was a surprise, all of which was mixed up together), I’d have likely looked once, and decided that I was right all along…everything was probably under control, and the effort involved in digging deeper was likely to be greater than any return I might have got back. But, it was automated, it consolidated the information, it simplified things…and ultimately it showed me exactly what I needed to know with minimal effort on my part. The net effect of that was a positive result. EDR is the same – I’ve spoken with customers who have tried it and simply given up because it’s proven to be too complicated. It can feel easier not to find out what you don’t know – but it won’t be as secure!
That’s what security analysts are loving about MVISION EDR. MVISION EDR helps find what is hidden and lifts it to the surface where it can be examined and then either allowed or blocked. But unlike my bank account, we’re not talking about 5 or 10 things you may not have been aware of, we’re talking about potentially tens of thousands each and every day. And that’s the other thing they love about MVISION EDR – not only does it make identifying these potential risks easier to identify, but it groups them together into a much smaller number of potential incidents, prioritizes those incidents so they know which ones to investigate first and even uses AI to guide those investigations and make suggestions as to how they can reach a resolution quickly and accurately. What’s not to love?
If you want to see what you have been missing check out MVISION EDR.
The post What Truebill and Other Financial Apps Have in Common With EDR appeared first on McAfee Blogs.
Cybersecurity professionals know this drill well all too well. Making sense of lots of information and noise to access what really matters. XDR (Extended Detection & Response) continues to be a technical acronym thrown around in the cybersecurity industry with many notations and promises. Every vendor offering cybersecurity has an XDR song to sing. Interestingly, some either miss a beat or require tuning since it’s still quite an emerging market. This can be intriguing and nagging for cybersecurity professionals who are heads down defending against the persistent adversaries. The intent of this blog is to clarify XDR and remove the noise and hype into relevant and purposeful cybersecurity conversations with actions. And observe the need for a proactive approach.
Let’s begin with what does XDR refer to and its evolution. As noted earlier, XDR stands for Extended Detection and Response. “extended” is going beyond the endpoint to network and cloud infrastructure. You will find this cross-infrastructure or cross-domain capability is the common denominator for XDR. XDR is the next evolution of a solid Endpoint Detection and Response (EDR). Ironically it was a term introduced by a network security vendor with aspirations to enter the emerging Security Operations market.
Industry experts have weighed in on this XDR capability for cybersecurity and agree it’s still relatively early to market. Gartner’s definition, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” Gartner notes three primary requirements of an XDR system are; centralization of normalized data primarily focused on the XDR vendors’ ecosystem, correlation of security data and alerts into incidents and centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting. If you want to hear more from Gartner on this topic, check out the report.
ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system. The cross-vector analytics must be enhanced to track advanced multi-stage attacks. In addition, implementation guidance such as reference architecture is needed to assure successful integrated workflows.
Forrester views XDR as the next generation of Endpoint Detection and Response to evolve to by integrating endpoint, network and application telemetry. The integration options are native where the integration is with one vendor’s portfolio or hybrid where the vendor integrates with other security vendors. The key goals include empowering analysts with incident-driven analytics for root cause analysis, offer prescriptive remediation with the ability to orchestrate it and map uses cases MITRE ATT&CK techniques and chain them into complex queries that describe behaviors, instead of individual events.
The common XDR themes from these XDR discussions are multiple security functions integrated and curated data across the control vectors all working together to achieve better security operational efficiencies while responding to a threat. Cross control points make sense since the adversary movement is erratic. Emphasis is on removing complexity and offering better detection and understanding of the risk in the environment and quickly sorting through a possible response. The range of detect and response capabilities also suggest that it cannot be done by one exclusive vendor. Many advocates an integrated partnership approach to unify defenses and streamline efforts across domains and vectors. It’s a more realistic approach as well since most organizations do not fulfil their entire security function with one vendor. While buying an XDR “suite” from one vendor is easier where most of the security tools come from one vendor, some critical security functions from another vendor should be included to drive a more effective detect and response. This is not a new concept to connect the security disciplines to work together, as matter fact, McAfee Enterprise has been professing and delivering on Together is Power motto for some time.
One more consideration on this unified and integrated security XDR theme, many vendors may proclaim this but look under the hood carefully. They may have a unified view in a single console but has the data from all the separate vectors been automatically assessed, triaged and providing meaningful and actionable next steps?
Another common XDR theme is the promise to accelerate investigation efforts by offering automatic analysis of findings and incidents to get closer to a better assessment. This makes your reactive cycles potentially less frequent.
Integrating security across the enterprise and control points and accelerating investigations are critical functions. Does it address organizational nuances like is this threat a high priority because it is prevalent in my geo and industry and it’s impacting target assets with highly sensitive data. Prioritization should also be an XDR theme but not necessarily noted in these XDR discussions. Encourage you to read this blog on The Art of Ruthless Prioritization and Why It Matters to Sec Ops.
After distilling the many point of views and the themes on XDR, it seems the core functions all focus on improving security operations immensely during an attack. So, it’s a reactive function
| XDR Core & Baseline functions | Why? |
| Cross infrastructure—comprehensive vector coverage |
Gain comprehensive visibility & control across your entire organization and stop operating in silos
Remove disparate efforts between tools, data and functional areas |
| Distilled data and correlated alerts across the organization | Remove manual discover and make sense of it all |
| Unified management with a common experience | From a common view or starting point removes the jumping between consoles and data pools to assure more timely and accurate responses |
| Security functions automatically exchange and trigger actions | Some security functions need to be automated like detection or response |
| Advanced functions—not noted in many XDR discussions | Why? |
| Actionable intelligence on potentially relevant threats | Allow organizations to proactively harden their environment before the attack |
| Rich context that includes threat intelligence and organizational impact insight | Organizations can prioritize their threat remediation efforts on major impact to the organization |
| Security working together with minimal effort |
Simply tie a range of security functions together to create a united front and optimize security investments
|
The end game is better security operational efficiencies. This can be expressed in a handy outcome check list perhaps helpful when assessing XDR solutions.
| Visibility | Control |
| More accurate detection | More accurate prevention |
| Adapt to changing technologies & infrastructure | Adapt to changing technologies & infrastructure |
| Less blind spots | Less gaps |
| Faster time to detect (or Mean Time to Detect-MTTD) | Faster time to remediate (or Mean Time to Respond-MTTR) |
| Better views and searchability | Prioritized hardening across portfolio—not isolated efforts |
| Faster & more accurate investigations (less false positive) | Orchestrate the control across the entire IT infrastructure |
McAfee Enterprise goes beyond the common XDR capabilities in the recently announced MVISION XDR and offers unmatched proactivity and prioritization producing smarter and better security outcomes. This means your SOC spends less time on error-prone reactive fire drills with weeks of investigation. SOCs will respond and protect what counts a lot quicker. Imagine getting ahead of the adversary before they attack.
Is XDR a solution or product to be bought or an approach an organization’s must rally their security strategy to take? Honestly it can be both. Many vendors are announcing XDR products to buy or XDR capabilities. An XDR approach will shift processes and likely to merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.
It depends on the organizations’ current cybersecurity maturity and readiness to embrace the breadth and required processes to obtain the SOC efficiency benefits. With the promise to correlate data across the entire enterprise implies some of the mundane and manual efforts to make sense of data into a better and actionable understanding of a threat are removed. Now this is good for organizations on both spectrums. Less mature organizations who do not have resources or expertise and do not consume data intelligence to shift through will appreciate this correlation and investigation step, but can they continue the pursuit of what does this mean to me. Medium to high mature cybersecurity organizations with expertise will not need to do the manual work to make sense of data. The difference with mature organizations comes with the next steps to further investigate and to decide on the remediation steps. Less mature organizations will not have the expertise to accomplish this. So, the real make a difference moment is for the more mature organization who can move more quickly to a response mode on the potential threat or threat in progress.
If you are a medium to high mature cybersecurity organization, the question comes how and when. Most organizations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace the XDR capabilities since their efforts are already investigating and resolving endpoint threats. It’s time to expand this effort gaining better understanding of the adversary’s movement across the entire infrastructure. If you are using MVISION EDR you are already using a solution with XDR capabilities since it digests SIEM data from McAfee Enterprise ESM or Splunk (which means it goes beyond the endpoint, a key XDR requirement.) Check out the latest award MVISION XDR received amongst the many recognitions.
Hope this blog removed the jargon and fog around XDR and offers actionable considerations for your organization to boost their SOC efforts. Start your XDR journey here.
The post Unravel the XDR Noise and Recognize a Proactive Approach appeared first on McAfee Blog.
When I was a threat analyst, too long ago for me to actually put in writing, I remember the thrill of discovery at the apex of the boredom of investigation. We all know that meme:
And over the years, investigation leads became a little more substantial. It would begin in one of a few ways, but the most common began through an alert as a result of SIEM correlation rules firing. In this situation, we already knew for what we were looking… the SIEM had been configured to alert us on regex matches, X followed by Y, and other common logistics often mis-named as “advanced analytics”. As we became more mature, we would ingest Threat Intelligence feeds from third party sources. Eager and enthusiastic about the hunt, we would voraciously search through a deluge of false alarms (yes, the IPS did find a perimeter attack against Lotus Notes, but we had been using MS Exchange for over 5 years) and false positives (no, that’s not Duqu… just someone who cannot remember their AD credentials).
And the idea that these intelligence sources could spur an entirely new mechanic in the SOC, which we affectionately now refer to as Threat Hunting, was incredibly empowering. It allowed us to move beyond what was already analyzed (and most likely missed) by the SIEM and other security control technologies. True, we had to assume that the threat was already present and that the event had already established a foothold in the organization, but it allowed us to begin discovery at enterprise scale for indicators that perhaps we were compromised. I mean, remember we need to know a problem exists before we can manage it. But again, bad threat data (I once received a list of Windows DLL’s as IoCs in a fairly large campaign) and overly unimportant threat data (another provider listed hashes associated with polymorphic malware) led us down a rabbit hole we were all but too happy to come out from.
So, did all of that threat data guised under the marketing of “Threat Intelligence” really help us uncover threats otherwise acting in the shadows like a thief in the night? Or did it just divert our attentions to activity that was largely uninteresting while the real threats were just another needle in a stack of needles?
In most mature organizations, Threat Intelligence is a critical component to the SecOps strategy. Of course, it is; it must be. How else could you defend against such a copious amount of threats trying to attack from every angle? We have ontological considerations. Which threat actors are targeting my industry vertical or geography? Have I discovered any of the associated campaign indicators? And, most importantly, will my existing controls protect me? None of which could be addressed without a Threat Intelligence capability.
I remember working with a customer who was just beginning to expand their security operations resources, and they were eager and excited to be bringing in Threat Intelligence capabilities. The board was putting pressure on the CISO to increase the scope of accountability for his response organization, and the media was beginning to make mincemeat out of any business which was compromised by threat actors. The pressure was on and the intelligence began to flow in… like a firehose. About a month after it began, we spoke over lunch when he was interrupted at least 3 times for escalations. “What’s going on,” I asked. He told me that he was getting called day and night now about findings for which his team lacked complete context and understanding. Surely, they had more threat data, but if you asked him, that feature did not include “intelligence.”
Threat intelligence is supposed to help you filter the signals from the noise. At some point, without context and understanding, it is likely just more noise.
Consider the Knowledge Hierarchy: Data, Information, Knowledge, and Wisdom.
Intelligence is defined by dictionary.com as “knowledge of an event, circumstance, etc., received or imparted; news; information.” If we think of Threat Intelligence as a form of data feeding your Security Operations with a listing of parts, or atomic elements that in and of themselves serve little in the way of context, the SOC will regularly be forced to be reactive. With millions of indicators being pushed daily in the form of file hashes, names, URLs, IP addresses, domains, and more, this is hardly useful data.
When Data is correlated in the form of context using ontology, such as grouping by specific types of malware, we gain just enough to classify the relationships as information. When we know that certain malware and malware families will exhibit groups of indicators, we can better ready our controls, detection mechanisms, and even incident response efforts and playbooks. But, still, we lack the adequate context to understand if, in general, this malware or family of malware activities will apply to my organization. We still need more context.
So, at this point we form an entire story. It’s nice to know that malware exists and exhibits key behavior, but its even better if we know which threat actors tend to use that malware and in what way. These threat actors, like most businesses, operate in structured projects. Those projects, or campaigns, seek to find an outcome. They are targeting specific types of businesses through industry. At the writing of this article, COVID-19 has created such a dramatic vacuum in the pharmaceuticals industry that there is a race to create the first vaccine. The “winner” of such race would reap incredible financial rewards. So, it stands to reason that APT29 (also known as Cozy Bear) who notoriously hacked the DNC before the US 2016 election, would target pharmaceutical R&D firms. Now, KNOWLEDGE of all of this allows one to deduce that if I were a pharmaceutical R&D company, especially one working on a COVID-19 vaccine, that I should look at how APT29 typically behaves and ask some very important questions: what procedures do they typically follow, which tactics are typically witnessed and in what order/timing, which techniques are executed by which processes, and so on. If I could answer all of these questions, I could be reactive, proactive, and even prescriptive:
However, it seems the one instrument lacking in this race to context and understanding is predictability. Surely, we can predict with the knowledge we have whether or not we may be targeted; but isn’t it much more difficult to predict what the outcome of such an attack may be? Operationally, you may have heard of dry runs or table-top exercises. These are effective operational activities required by functions such as Business Continuity and Disaster Recovery. But what if you could take the knowledge you gleaned from others in the industry, compiled with the security footprint tied to your environment today, and address the elephant in the room which every CISO brings up at the onset of “Threat Intelligence”…
Will I be protected?
– Every CISO, Ever
This level of context and understanding is what leads to Wisdom. Do not wait until the threat makes landfall in your organization. My grandfather always said, “A smart [knowledgeable] man learns from his own mistakes, but a wise man learns from everyone else’s.” I think that rings true with SecOps and Threat Intelligence as well. Once we are able to correlate what we know about our industry vertical, threat actors, campaigns, and geo- and socio-political factors with our own organization’s ability to detect and prevent threats we will truly be wise. Thanks, Pop!
Wisdom as it relates to anti-threat research is not necessarily new. The Knowledge Hierarchy has been a model in Computer Science since about 1980. What is new, is McAfee’s ability to provide a complete introspective of your stakeholder’s landscape. McAfee has one of the largest Threat Intelligence Data Lakes with over 1 billion collection points; a huge Advanced Threat Research capability responsible for converting data gleaned from the data lake, incident response consultations, and underground investigations into actionable information and knowledge; and one of the largest Cybersecurity pure-play portfolios providing insights into your overall cybersecurity footing. This unique position has led way for the creation of MVISION Insights. MVISION Insights provides context in that we have the knowledge of campaigns and actors potentially targeting your vertical. Then, it can alert you when your existing security control configuration is not tuned to prevent such a threat. It then prescribes for you the appropriate configuration changes required to offer such protection.
MVISION Insights allows an organization to immediately answer the question, “Am I protected?” And, if you are not protected it prescribes for your environment appropriate settings which will defend against threat vectors important to you. This methodology of tying together threat data with context of campaign information and the knowledge of your security control configuration allows MVISION Insights to offer a novel perspective on the effectiveness of your security landscape.
When I think back to all of the investigations that led me down the rabbit hole, I wonder what my days would have been filled with had I such a capability. Certainly, there is an element of “fun” in the discovery. I loved the hunt, but I think having the ability to quickly arm myself with the context and understanding of what I was searching for and why I was searching would have accelerated those moments (read hours or days). I’m excited to discuss and demonstrate how McAfee is using MVISION Insights to turn knowledge into wisdom!
To take MVISION Insights for a spin, check out McAfee’s MVISION Insights Preview.
The post What A Threat Analyst Really Thinks of Intelligence appeared first on McAfee Blogs.
FreshRSS 