Once upon a time, castles sought protection by digging a "moat": a deep, wide ditch filled with water served as the primary defense against entry into the castle. Nowadays, the cyberspace infrastructure of the castle (the corporate network) is a borderless, non-contained collection of employees, contractors, partners, clients, portals, gateways, IP addresses, email threads with attachments, and contact lists, all of which allow entry to the castle. These "entrances" are as deep as cyberspace itself: they are all interconnected and used on multiple devices, anywhere, anytime. Thousands pass through what is believed to be the corporate network's secure boundary.
You see, in the castle days, when an attack came, the castle keepers knew in advance who the attackers were, and could see them from afar before they even got close to the castle. This allowed the defense team to prepare and, to some extent, defend the castle. This is exactly how most current cybersecurity systems are built to function: defend against "known" threats. This is what is called a "definition-based" cybersecurity system.
Most (if not all) of the cyberspace defense products in use today are not designed to deal with the new generation of targeted attacks, which are sophisticated and carefully crafted in nature. The current cybersecurity tools (firewalls, anti-virus, anti-phishing, anti-malware, etc.) are part of good IT hygiene; they are useful and needed to deal with the vast majority of "known" threats. However, they fall seriously short of providing proper defense against advanced threats. They lack the machine intelligence to identify, detect and defend against the smaller number of "advanced" attacks in real time. The new wave of attacks originates from inside the network itself. They go undetected, without warning, and can evade all perimeter defenses. Network administrators should worry about these internal attacks.
These "inside attacks" are called "unknown bad." This means there are no "signatures" or "definitions" to match against and to trigger a set of actions that stop the attack. What is missing in most Security Information and Event Management (SIEM) systems is context and behavioral and situational awareness. To fully protect against "unknown bad" threats, the SIEM must be able to ingest and analyze raw streaming data: logs from every device, OS, application and service in the ecosystem; flow records such as NetFlow, IPFIX and sFlow; and subscriptions to the Microsoft® Windows® Active Directory™ service, spanning cloud, endpoints and other IT data sources. This is a task that can only be done through machine learning technology.
The bottom line is this: if these "unknown bad" threats are not detected in time (or, better yet, in real time), the safety of the castle will be compromised for sure. All too often, detection is an afterthought. IT admins spend a lot of planning and money on hardening protections, and then an intrusion detection system or a security information and event management system is tacked on. This is wrong. Detection strategy and architecture have to be the equal of protection strategy and architecture. It is time for IT admins to focus on detection and use machine learning technology to detect unknown threats and protect the castle.
* The credit for the phrase "Detection is the new protection" goes to Lalit Shinde from Seceon.