This blog will discuss a vision for the ‘to-be state’ of enterprise security and targeted attack protection, and is the last part of this blog series.
In my last blog, I detailed the first step toward achieving our vision for enterprise security. To summarize, I proposed that we need to update our existing security products so they generate a steady flow of security-relevant telemetry (e.g., every login, failed or not, between every machine in the enterprise, metadata for every inbound email, every connection through the firewall, etc.) – even when that telemetry doesn’t appear directly related to an in-progress attack at the time it’s collected. This telemetry will be used in two capacities.
First, we will mine this collective telemetry to detect attacks that would otherwise evade any single myopic security product. While attackers may evade detection by a single security product, they can’t entirely hide their activities in your network. Many of these activities may seem innocuous at first glance, but when taken in context with other indicators, they can be used to identify an attack. The reality is that many attacks will only stand out when viewed across different sensors and time, and with hindsight knowledge.
Second, we will leverage this telemetry to drastically improve recovery and forensics tasks, should an attack succeed. For example, if we discover that a machine was compromised last week, and we have a log of all servers connected to by that machine since the initial compromise, we can instantly determine what enterprise assets may have been compromised.
So how can we leverage this telemetry? How can we mine it at scale? Well, to achieve our vision, we need to ingest it into a secure, elastic, multi-tenant big-data platform. Enterprises from around the world will forward their telemetry to this secure store. We’re talking trillions of rows of security-relevant telemetry, exabytes in size. Once we have this data in one place, the cloud-based security firm can get down to business.
In our to-be state, the cloud-based security firm will have analysts working around the clock to discover indications of new targeted attacks. Discovery will be accomplished through a set of proactive activities (e.g., ongoing reconnaissance of attacker networks, running data analytics over telemetry) and reactive activities (e.g., a customer asks the vendor to investigate a suspicious file, which is subsequently determined to be a targeted attack tool). These activities will yield a stream of indicators associated with attacks. These indicators can be as simple as a software file or URL that is known to be implicated in an attack, or as complex as a pattern of related, otherwise-innocuous activities that, if seen together, are indicative of attack.
As new indicators are discovered, we then use both automated and manual mining to search through our big-data platform for them. So, say, for example, that we just discovered today that a particular FTP server out on the internet is associated with a targeted attacker network – perhaps it’s being used as a drop server for exfiltrated intellectual property. We can search through all of our telemetry, from all of our customers, for this indicator. Say that we find that a file residing on one of Acme Corporation’s endpoints attempted to establish a connection to that very server three days ago. At the time, we thought the connection was innocuous. But now, in hindsight with our new intelligence about the malicious FTP server, we can look at this telemetry in a new light. We now know that the file that connected to this FTP server is likely a targeted attack tool (and yet another new indicator), and we can search through our archived security telemetry to determine where this file came from. Ah... by mining our data, we can determine that five days ago, this file was sent in an email originating from a particular email domain (yet another new indicator) to an HR person at Acme. Now we can search our vast repository to see who else across our entire customer base also received emails from the implicated email domain. These users are likely targets too. And once we know who they are, we can dig deeper to identify and stop attacks on their machines as well. What you can see is that we’re detecting indications of attack, not on a single endpoint, or even within a single enterprise, but across multiple enterprises by correlating across all of our security telemetry.
So how does this mining take place? Well, today most of it is manual – literally an analyst connecting the dots with hand-authored queries to our big-data system, as I illustrated in my example above. But, in the future, we expect that much of this security mining will be done by automated scripts that recognize common methods of attack by fusing telemetry from multiple different sensors across multiple machines from multiple corporations.
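The pivot chain described above (FTP server → file hash → sender domain → other recipients) is exactly what an automated mining script would do. The following is an added example, not Symantec's code; the telemetry tables, customer names, hashes and addresses are all constructed, and the three pivot rules are assumptions about how a real platform would link its feeds.

```python
"""Hindsight pivoting over archived telemetry: expand one newly discovered
indicator into related indicators and the users/hosts they touched."""
from collections import deque

# Constructed per-customer telemetry, in the spirit of the blog's
# "every connection" and "metadata for every inbound email" feeds.
CONNECTIONS = [  # outbound connections, keyed by the process that made them
    {"customer": "Acme", "host": "ws-17", "sha256": "a1", "dest_ip": "203.0.113.45"},
    {"customer": "Acme", "host": "ws-02", "sha256": "browser", "dest_ip": "198.51.100.7"},
    {"customer": "Globex", "host": "srv-09", "sha256": "b2", "dest_ip": "203.0.113.99"},
]
EMAILS = [  # inbound mail metadata: recipient, sender domain, attachment hash
    {"customer": "Acme", "recipient": "hr@acme.example", "sender_domain": "evil.example", "attachment": "a1"},
    {"customer": "Globex", "recipient": "cfo@globex.example", "sender_domain": "evil.example", "attachment": "b2"},
    {"customer": "Initech", "recipient": "it@initech.example", "sender_domain": "partner.example", "attachment": "c3"},
]

def pivot(seed_kind, seed_value):
    """Breadth-first expansion of a seed indicator ("ip", "sha256" or "domain").
    Returns (all indicators found, impacted (customer, asset) pairs)."""
    seen = {(seed_kind, seed_value)}
    queue = deque(seen)
    impacted = set()
    def derive(kind, value):  # queue a newly derived indicator once
        if (kind, value) not in seen:
            seen.add((kind, value))
            queue.append((kind, value))
    while queue:
        kind, value = queue.popleft()
        if kind == "ip":  # who ever connected to this address, and with what binary?
            for c in CONNECTIONS:
                if c["dest_ip"] == value:
                    impacted.add((c["customer"], c["host"]))
                    derive("sha256", c["sha256"])
        elif kind == "sha256":  # where did this file run, and how did it arrive?
            for c in CONNECTIONS:
                if c["sha256"] == value:
                    impacted.add((c["customer"], c["host"]))
                    derive("ip", c["dest_ip"])  # an analyst vets this before it becomes a blocking indicator
            for e in EMAILS:
                if e["attachment"] == value:
                    impacted.add((e["customer"], e["recipient"]))
                    derive("domain", e["sender_domain"])
        elif kind == "domain":  # who else, across all customers, got mail from this sender?
            for e in EMAILS:
                if e["sender_domain"] == value:
                    impacted.add((e["customer"], e["recipient"]))
                    derive("sha256", e["attachment"])
    return seen, impacted
```

Seeding with the drop server's address surfaces Acme's workstation and HR user, then, via the shared sender domain, Globex's CFO and the server that ran the second tool, while Initech (mail from an unrelated domain) is untouched.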
Of course, all of this is happening in the background – the customer doesn’t need to worry about how these systems work. All they need to know is that when such an attack is detected, they will receive an alert on their cell phone, and, once they log into their cloud-based security console, they’ll find a detailed dossier on which systems are impacted. Because we have historical data on every activity by every device in the enterprise, we can minutely reconstruct the activity of the attackers, whether the attack happened minutes or months ago. We can determine the attack’s scope - which machines and data the attacker tried (and perhaps failed) to access. And we can remediate more quickly. And since this data is stored off-premise in a secure cloud, these indicators can’t be covered up or tampered with by an attacker.
Because in this model we have data from tens of thousands of enterprise customers, all stored in one place, we have the ability to connect the dots and detect attacks not just on a single machine, or that impact a single enterprise, but attacks that span entire industries, governments, or economic sectors.
Now, you might say – “This approach is primarily going to detect attackers after they’re already in.” And I’d say, “You’re partially right.” Today, the window of exposure for the typical targeted attack is months or years. With this new approach, we believe we can bring that window down to minutes, hours or days, meaning we can dramatically limit the scope of in-progress attacks. In many cases, we believe that we’ll be able to stop the attacker during their reconnaissance phase, before they have a chance to reach your key IP. Therefore, I’d argue that reducing this exposure by an order or two of magnitude is a huge proactive win. Second, the reality is that once we discover a new indicator of an attack on an enterprise, we can use this to not only remediate the current attack, but also to proactively block the same attacker from penetrating additional victim networks, or at a minimum, detect other in-progress attacks at a much earlier phase.
Now let’s take a look further into the future – what else could we do with this data? How else could we use it to better secure your organization? Well, we envision allowing customers to build their own analytic apps or purchase 3rd-party analytic apps from a secure marketplace to run on their own security telemetry data. Heck, it’s your data, so you should be able to analyze it, mine it, trend it, graph it, generate reports from it, and conduct forensics on it any way you want. So we envision having an ecosystem of 3rd-party security providers who you can hire to analyze your data. If a 3rd-party analytics engine can mine your security telemetry better than Symantec, then let them monitor your data and alert you when they detect a potential attack. Or if you need to generate your own graphs or reports based on your data, you’ll be able to do that. Finally, we also envision adding social features to this service. So when you discover something interesting on your network, you can securely share this information with your industry peers – share your policies and best practices with them, share artifacts of an attack, like IP addresses or file hashes, and share intelligence. What if you could double-click on an IP address posted by one of your peers and instantly determine if anyone in your network has ever connected to that IP address? Wouldn’t that be powerful? These connections will help you to stay abreast of the threat landscape in a way that’s never been possible before. All in a secure manner.
This is the world we envision at Symantec. A world that is by no means free of attacks, to be sure. But a world in which you again have the upper hand, one where you can successfully defend your enterprise’s intellectual property and operations, and do so without an army of expensive security experts. And ultimately, a world in which you are able to focus your energies on your enterprise’s special purpose, whether that’s creating new drugs to cure cancer or building the next iPhone.
I’d be interested to hear your thoughts, so make sure to leave them below. If you have any questions or would like more details on any of the topics mentioned above, please contact the Analyst Relations Team at Symantec.