In isolation, each of these activities are not regarded as detection or prevention events, but they may suggest a compromise when correlated with malware intelligence and other behaviors, even if they may be seemingly benign or unrelated.
To identify indicators of compromise once a threat has entered the network, you need a two-tiered approach with tools and processes that combine trajectory capabilities, big data analytics and visualisation to enable the following:
Tier 1: Automated analysis and response. Identify technologies that use trajectory capabilities to track system-level activities, file origination and file relationships and then leverage big data analytics for root cause and forensic analysis. When combined, these technologies can highlight and pinpoint subtle patterns of behaviours and weak indicators, suggesting a compromise has happened and a breach has most likely occurred. The ability to alert and automatically take action can speed up responses and help mitigate damage.
Tier 2: Actionable intelligence. Visualisation technologies are also important in developing a quick understanding of the chain of events leading up to and following a possible compromise. This allows you to apply context based on your expertise, perspective and knowledge of activities happening at that moment in your environment in order to make an even more nuanced determination of suspicious activity and identify indicators of compromise.
Identifying an indicator of compromise will then enable you to see what is occurring across your environment at that moment, look back at preceding events and thus control potentially risky activities. In the event that a breach has occurred, you can stop the attack and remediate by locating the point of origination and understanding the scope of the exposure.
Attackers are relying on the fact that defenders focus solely on using detection and prevention technologies to look for and remove threats. As a result, they are using weak signals to create nearly imperceptible indicators of compromise in an attempt to stay below the defenders' radar. Though detection and prevention remain essential to any security defence strategy, defenders also need to be equipped with the ability to link unrelated events together quickly so as to identify threats that have evaded defences. With decisive insight from trajectory, big data analytics and visualisation capabilities, defenders are now able to see that blip on the radar, hone in, understand it and take the necessary action.
Sign up for Computerworld eNewsletters.