Blue Coat Systems CTO says government cyber professionals need these capabilities in their 'toolbox'
By: Aubrey Merchant-Dest
Federal CTO, Blue Coat Systems
On a daily basis, federal cybersecurity professionals are inundated with warnings of anomalies on their networks and within their agency systems. These alerts, generated by anti-virus software and other tools that flag irregular activity, list so many abnormalities that it is almost impossible to separate a valid risk from a false alarm. For example, the U.S. Postal Service (USPS) Office of Inspector General recently released a report stating that the organization's system for collecting and analyzing IT security events was reporting almost entirely false positives for malware. The issue is not limited to the USPS; it is a growing concern government-wide.
According to the 2016 Verizon Data Breach Investigations Report, in 93 percent of breaches the attacker needed only minutes, sometimes seconds, to compromise systems, while organizations took weeks, months or longer to discover that a breach had occurred. More concerning still, the breach was usually not discovered by the victim's own security controls: notification often came from customers or law enforcement, after the damage was done. With so much at stake, federal cybersecurity personnel need a security posture that lets them sift through network noise efficiently and distinguish true threats from the false positives.
In order to be more targeted in their efforts, here are five capabilities government cyber professionals need to have in their cyber “toolbox”:
Application Identification with Advanced Deep Packet Inspection
Application visibility should be near the top of every IT organization's priority list. Since applications are the usual vehicle for penetrating network defenses and carrying out advanced targeted attacks, government agencies need to know about every application that runs on their network, which may be hundreds or even thousands, so that agency assets and vital information can be protected. Port and protocol alone are not enough to tell applications apart; deep packet inspection classifies them from the content of the traffic itself. Cybersecurity professionals need not only to classify and identify these applications but also to extract detailed attributes from them, such as the server names, hosts, users and artifacts involved, so that the complete context of any application is available for an investigation.
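The following is an added example, not Blue Coat code, of what payload-based application identification gives an analyst that a port-based view does not. It reads the SNI from a TLS ClientHello and the Host header from a plaintext HTTP request, maps the server name to an application label, and attaches the host and user context. The flows, the server names, the user-to-host mapping and the KNOWN_APPS table are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src: str          # client host
    user: str         # user tied to that host (assumed to come from a directory lookup)
    dst_port: int
    payload: bytes    # first bytes the client sent


def make_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello carrying an SNI extension (constructed test input)."""
    name = server_name.encode()
    sni = struct.pack("!HH", 0, len(name) + 5)                 # extension type 0 (server_name), length
    sni += struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32)                             # client_version, random
            + b"\x00"                                           # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                                       # one compression method (null)
            + struct.pack("!H", len(sni)) + sni)                # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if the payload is not one."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 43                                   # past record header, handshake header, version, random
        p += 1 + payload[p]                      # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
        p += 1 + payload[p]                      # compression_methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if ext_type == 0:   # server_name: list length(2), name type(1), name length(2), name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except (struct.error, IndexError):
        pass
    return None


def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request, or None."""
    request_line, _, rest = payload.partition(b"\r\n")
    if not request_line.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ")):
        return None
    for line in rest.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


# Assumed mapping from server name to application label (illustrative only).
KNOWN_APPS = {
    "drive.example-cloud.test": "cloud-storage",
    "update.example-av.test": "av-update",
}


def identify(flow: Flow) -> dict:
    """Classify a flow from its payload and attach the host/user context an investigator needs."""
    server = tls_sni(flow.payload)
    proto = "tls" if server else None
    if proto is None:
        server = http_host(flow.payload)
        proto = "http" if server else "unknown"
    app = "unclassified" if server is None else KNOWN_APPS.get(server, "unknown-app")
    return {
        "src": flow.src, "user": flow.user, "dst_port": flow.dst_port,
        "protocol": proto, "server_name": server, "application": app,
        # what a port-only classifier would have reported, for comparison
        "port_guess": {80: "http", 443: "https"}.get(flow.dst_port, "other"),
    }


if __name__ == "__main__":
    flows = [  # constructed sample flows
        Flow("10.0.0.5", "alice", 8443, make_client_hello("drive.example-cloud.test")),
        Flow("10.0.0.6", "bob", 443, b"GET /upd HTTP/1.1\r\nHost: update.example-av.test\r\n\r\n"),
        Flow("10.0.0.7", "carol", 443, b"\x00\x01\x02garbage"),
    ]
    for f in flows:
        print(identify(f))
```

The first flow is cloud storage on port 8443, which a port table would call "other"; the second is plaintext HTTP on port 443, which a port table would call "https". Only the payload tells the analyst which application and which user were involved.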
Machine Learning and Anomaly Detection
False positives can be reduced with a tool whose machine-learning engine automates establishing a baseline of normal activity within an agency's network. Statistical modeling is then used to identify and report activity that departs from that baseline. Applying the model to the packets and metadata the tool captures greatly reduces the human effort needed to identify malicious activity and weeds out many false positives.
Security professionals also benefit from automatic, real-time notification of targeted events. By defining observables for suspicious, malicious or prohibited behavior, the system can establish rules tied to those packet and network behaviors and notify analysts automatically of suspicious activity and policy violations. Such a tool automates common tasks such as checking traffic against a list of known bad websites, flagging unknown applications on the network, or alerting on encrypted traffic on non-standard ports.
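Here is an added example, not vendor code, that puts the two preceding paragraphs together: a per-host egress baseline built from past flow metadata (median and MAD rather than mean and standard deviation, so a few old spikes do not stretch the baseline), plus the three rule-based observables the text lists. The flow records, the known-bad list, the sanctioned-application set and the anomaly threshold are all constructed assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FlowRecord:
    day: int
    host: str
    dst_port: int
    server_name: str
    application: str     # label from application identification (assumed input)
    bytes_out: int
    first_bytes: bytes   # first bytes the client sent


# Assumed policy inputs for the demonstration.
KNOWN_BAD = {"c2.example-bad.test"}
SANCTIONED_APPS = {"web", "cloud-storage", "av-update"}
ENCRYPTED_PORTS = {22, 443, 465, 993, 995}
ANOMALY_THRESHOLD = 5.0   # robust z-score above which daily egress is reported


def baseline(history: List[FlowRecord], host: str) -> Optional[Tuple[float, float]]:
    """Per-host egress baseline: median and MAD of daily bytes_out, or None for an unseen host."""
    daily = {}
    for r in history:
        if r.host == host:
            daily[r.day] = daily.get(r.day, 0) + r.bytes_out
    if not daily:
        return None
    values = list(daily.values())
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) or 1.0
    return med, mad


def looks_like_tls(first_bytes: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 3."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def evaluate(history: List[FlowRecord], today: List[FlowRecord]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) alerts for today's records: rule hits plus statistical anomalies."""
    alerts = []
    totals = {}
    for r in today:
        totals[r.host] = totals.get(r.host, 0) + r.bytes_out
        if r.server_name in KNOWN_BAD:
            alerts.append((r.host, "known-bad-destination", r.server_name))
        if r.application not in SANCTIONED_APPS:
            alerts.append((r.host, "unknown-application", r.application))
        if looks_like_tls(r.first_bytes) and r.dst_port not in ENCRYPTED_PORTS:
            alerts.append((r.host, "encrypted-on-nonstandard-port", str(r.dst_port)))
    for host, total in totals.items():
        b = baseline(history, host)
        if b is None:
            alerts.append((host, "no-baseline", "host not seen before"))
            continue
        med, mad = b
        score = (total - med) / (1.4826 * mad)   # 1.4826 scales MAD to a standard deviation
        if score > ANOMALY_THRESHOLD:
            alerts.append((host, "egress-volume-anomaly", f"{total} bytes vs median {med:.0f}"))
    return alerts


def sample_history() -> List[FlowRecord]:
    """Constructed 14-day history: ws-17 sends about 50 MB/day, ws-22 about 30 MB/day."""
    hist = []
    for day in range(1, 15):
        hist.append(FlowRecord(day, "ws-17", 443, "drive.example-cloud.test", "cloud-storage",
                               50_000_000 + (day % 3) * 1_000_000, b"\x16\x03\x01"))
        hist.append(FlowRecord(day, "ws-22", 443, "www.example.test", "web",
                               30_000_000 + (day % 2) * 500_000, b"\x16\x03\x01"))
    return hist


def sample_today() -> List[FlowRecord]:
    """Constructed day-15 records: ws-17 pushes 2 GB to a known-bad host; ws-22 talks TLS on 8081."""
    return [
        FlowRecord(15, "ws-17", 443, "c2.example-bad.test", "web", 2_000_000_000, b"\x16\x03\x01"),
        FlowRecord(15, "ws-22", 8081, "", "unknown-app", 30_000_000, b"\x16\x03\x01\x00\x05"),
        FlowRecord(15, "ws-31", 443, "www.example.test", "web", 1_000_000, b"\x16\x03\x01"),
    ]


if __name__ == "__main__":
    for alert in evaluate(sample_history(), sample_today()):
        print(alert)
```

A host with no history gets a "no-baseline" alert rather than a volume score, because a score against an empty baseline would itself be a false positive; in practice that case should be routed to asset inventory rather than to the analyst queue.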
Real-time File Brokering to Sandbox Technologies
Cybersecurity professionals also need a tool that extracts files from traffic in real time. If a file matches neither the local "good" nor the local "bad" file database, the tool immediately flags it for sandbox detonation, analysis and risk scoring. Because that determination is made before submission, only genuinely "unknown" URLs and files are delivered for further analysis, so sandbox capacity is spent on new content rather than on files already classified. The tool should also help establish the context of what happened before, during and after the malware was identified: which hosts and users touched the file and where it came from.
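An added example, not Blue Coat's implementation, of the brokering logic: hash the extracted file, resolve it against local known-good and known-bad sets, send only unknowns to the sandbox, cache the sandbox verdict so a second copy of the same file never costs a second detonation, and keep a per-file sighting list for the before/during/after picture. The sandbox here is a constructed stand-in that scores on a few byte patterns; the file contents, hosts, users, URLs and the blocking threshold are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RISK_BLOCK_THRESHOLD = 50   # assumed: sandbox scores at or above this are treated as malicious


def fake_sandbox(data: bytes) -> int:
    """Stand-in for a detonation sandbox, returning a 0-100 risk score.
    Constructed string heuristics only; a real sandbox executes the sample and observes behaviour."""
    score = 0
    if data.startswith(b"MZ"):
        score += 40                       # Windows executable header
    if b"CreateRemoteThread" in data:
        score += 50                       # API commonly used for process injection
    if b"http://" in data or b"https://" in data:
        score += 10                       # embedded URL, possible second-stage download
    return min(score, 100)


@dataclass
class FileBroker:
    known_good: set
    known_bad: set
    sandbox_calls: int = 0
    sightings: Dict[str, List[Tuple[str, str, str]]] = field(default_factory=dict)

    def submit(self, data: bytes, src_host: str, user: str, url: str) -> dict:
        """Decide a file extracted from traffic: local lookup first, sandbox only for unknowns."""
        digest = hashlib.sha256(data).hexdigest()
        # record context regardless of verdict, for before/during/after reconstruction
        self.sightings.setdefault(digest, []).append((src_host, user, url))
        if digest in self.known_good:
            return {"sha256": digest, "verdict": "allow", "source": "local-good"}
        if digest in self.known_bad:
            return {"sha256": digest, "verdict": "block", "source": "local-bad"}
        self.sandbox_calls += 1
        score = fake_sandbox(data)
        if score >= RISK_BLOCK_THRESHOLD:
            self.known_bad.add(digest)    # cache the verdict so later copies resolve locally
            return {"sha256": digest, "verdict": "block", "source": "sandbox", "score": score}
        self.known_good.add(digest)
        return {"sha256": digest, "verdict": "allow", "source": "sandbox", "score": score}

    def timeline(self, digest: str) -> List[Tuple[str, str, str]]:
        """Every host/user/URL that touched this file, in order of observation."""
        return list(self.sightings.get(digest, []))


def sample_run() -> Tuple[FileBroker, List[dict]]:
    """Constructed traffic: a benign document fetched twice, a suspicious executable fetched twice."""
    doc = b"%PDF-1.4 quarterly report"
    exe = b"MZ" + b"\x90" * 32 + b"CreateRemoteThread\x00https://dl.example-bad.test/s2"
    broker = FileBroker(known_good={hashlib.sha256(doc).hexdigest()}, known_bad=set())
    results = [
        broker.submit(doc, "ws-17", "alice", "https://intranet.example.test/q1.pdf"),
        broker.submit(exe, "ws-17", "alice", "http://dl.example-bad.test/update.exe"),
        broker.submit(exe, "ws-22", "bob", "http://dl.example-bad.test/update.exe"),
        broker.submit(doc, "ws-22", "bob", "https://intranet.example.test/q1.pdf"),
    ]
    return broker, results


if __name__ == "__main__":
    broker, results = sample_run()
    for r in results:
        print(r)
    print("sandbox detonations:", broker.sandbox_calls)
    print("who touched the executable:", broker.timeline(results[1]["sha256"]))
```

Four file sightings produce one sandbox detonation: the document was already known-good, and the second copy of the executable is answered from the cached verdict. The timeline for the executable's hash then shows both hosts and users that fetched it, which is the "before, during and after" context the paragraph asks for.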
Layer 2-7 Analysis
A tool that provides advanced analytics across network layers 2 through 7, from packets, ports/protocols and applications to user sessions and files, strengthens incident response with comprehensive and conclusive analysis. Key capabilities such a tool should include are: full session reconstruction; real-time reputation look-up; instant messaging, email and image reconstruction; root-cause identification; and delivery of complete artifacts, not just packets.
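The difference between "packets" and "complete artifacts" is session reconstruction, so here is an added example (not vendor code) of the core of it: TCP segments captured out of order, with a duplicate and an overlapping retransmission, are reordered by sequence number into one stream, and the HTTP response carried in that stream is carved into headers and a body artifact. The response bytes, the segmentation and the initial sequence number are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments: List[Segment], isn: int) -> Tuple[bytes, Optional[int]]:
    """Rebuild one direction of a TCP stream from its segments.

    Handles out-of-order delivery, exact duplicates and overlapping retransmissions.
    Returns the contiguous bytes from `isn` and, if data is missing, the sequence
    number at which the first gap starts (None when the stream is complete)."""
    out = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq + len(s.payload) <= expected:
            continue                                  # retransmission of data already held
        if s.seq > expected:
            return bytes(out), expected               # hole before this segment: stop here
        out += s.payload[expected - s.seq:]           # drop the overlapping prefix
        expected = s.seq + len(s.payload)
    return bytes(out), None


def carve_http_response(stream: bytes) -> Optional[dict]:
    """Split a reassembled HTTP/1.1 response into status, headers and the body artifact."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None                                   # headers not complete yet
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    length = int(headers.get("content-length", len(body)))
    return {
        "status": lines[0].decode("ascii", "replace"),
        "headers": headers,
        "artifact": body[:length],
        "complete": len(body) >= length,
    }


# Constructed server response carrying a 16-byte executable-looking artifact.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 16\r\n\r\n"
    + b"MZ" + b"\x90" * 14
)
SAMPLE_ISN = 1000


def sample_segments() -> List[Segment]:
    """The response cut into 20-byte segments, delivered in reverse order, with one
    exact duplicate and one overlapping retransmission mixed in (constructed capture)."""
    segs = [Segment(SAMPLE_ISN + i, SAMPLE_RESPONSE[i:i + 20])
            for i in range(0, len(SAMPLE_RESPONSE), 20)]
    segs.reverse()
    segs.append(Segment(SAMPLE_ISN + 20, SAMPLE_RESPONSE[20:40]))   # exact duplicate
    segs.append(Segment(SAMPLE_ISN + 10, SAMPLE_RESPONSE[10:30]))   # overlapping retransmit
    return segs


if __name__ == "__main__":
    stream, gap = reassemble(sample_segments(), SAMPLE_ISN)
    print("gap at:", gap)
    print(carve_http_response(stream))
```

Reporting the first gap matters as much as the happy path: a capture that dropped one segment yields a truncated artifact, and an analyst should see "incomplete from sequence 1040" rather than a file whose hash matches nothing because a chunk is missing.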
A Comprehensive Strategy
Each of these capabilities is a single mechanism for protecting government networks from compromise, and no single one is sufficient on its own. It is the integration and orchestration of these capabilities that advances an agency's security posture. To guard against advanced threats, government cybersecurity professionals need a comprehensive plan and strategy to capture, reconstruct, analyze and remediate attacks. The best way to beat advanced threats is an integrated approach to security visibility, analytics, threat intelligence and enforcement, which lets agencies focus on their most important priority: the mission at hand.