Though cyber attacks have been around for years, in 2014 there was an explosion in the volume of attacks and a marked increase in the losses and damages they inflicted. In 2015, this does not seem to be lightening up.
In February, Anthem health care insurers were compromised, putting 80 million current and former customers and employees at risk, followed in March by Primera Blue Cross, which added another 11 million records of the same. The full extent of these breaches may not be determined for months to over a year.
Along with cyber attacks, cyber-hack insurance policy issuance is also climbing. In 2012, insurers took in around $1 billion USD, 2013 saw a doubling to $2 billion USD, and 2014 saw premium intake grow to $2.5 billion USD. In addition to this analyst, Cisco CEO John Chambers, along with other notable industry thought leaders, is predicting that 2015 will be an even worse year for cyberattacks than 2014.
The highly risky threat landscape and the burgeoning problems it brings have shown us that traditional prevention and detection methodologies have fallen short and given rise to new and better advanced detection technologies such as Vectra Networks’ threat detection solution based on its X-series platforms and S-series sensors. The Vectra solution uses highly specialized data science and machine-learning algorithms analyzing network traffic to detect the subtle behaviors of an attacker spying, spreading and stealing across an organization’s entire network – from remote sites where attackers may enter to internal segments containing key assets they want to steal or destroy.
Defenses are failing and necessitating new technologies with out-of-the-box thinking for dealing with evolving threats. Historically, hackers hacked for notoriety or shock tactics; they tried to get in, do their deed, and get out as quickly as possible. A key component of their activities was escalating their permissions to root/administrator-level to change website content or defame. These sorts of activities drew attention to hackers and generally caused a swift response to change access credentials, extricate the attackers and then reverse any damage. When organized crime realized there was money to be made and entered the game, attacks became more motivated by money gained from the theft and sale of information.
As cyber attacks escalated to major crimes, so came a change in their infiltration strategy. The 2014 Verizon Data Breach Investigation Report (Verizon DBIR) estimated the time to compromise the network was 24 hours or less in 75% of the cases investigated. Once the attacker gained created a foothold, they kept a low profile, enabling them to reside in the compromised environment far longer. By making this fundamental change, the attacker does not raise red flags via the firewall or traditional intrusion detection/prevention or sandboxing technologies, let alone the system antivirus.
As long as the attacker acts like a normal user while gathering data, they do not trip any alerts put in place by system administrators and security, giving them far more time to gather that data.
The Verizon DBIR shows that the gap is widening between time to discovery and the time to detect the breach. That gap is already extensive with, ”the good guys rarely manag[ing] to [detect the breach] in a month of Sundays.”
This brings us to a couple of stark conclusions. First, prevention often falls short as a lone security strategy. This should not be a surprise to anyone, but too many organizations still rely on prevention alone. Second, it tells us that many traditional detection capabilities deployed within networks are also insufficient for providing visibility into threats. Once again, this is not to state that we should give up on detection technology, but that we need to reevaluate how we are going about detection within our environments. The first issue has its own benefits and challenges, but the rest of this post will focus on the second item.
A traditional problem with the detection piece is how to get the piercing visibility within the entire environment that is needed to detect malicious or nefarious activities as early as possible. This is where Vectra comes in. For the organization that has come to the realization that prevention will fail at some point and wishes to bolster their detection capabilities, Vectra is a next-generation detection solution providing continuous monitoring in the areas it is deployed.
Seeing the pervasiveness of the cyber infestation problem and understanding that total-environmental visibility is crucial in defense, Vectra developed the S-series sensor to expand the reach of its detection capability at a reduced cost of detection. Customers who had already deployed the Vectra X-series platform are now deploying the S-series sensor in remote sites and internal segments at 30% of the cost of the X-series while simultaneously broadening deployment capabilities. The S-series is deployed out in the network to do the initial data capture and metadata extraction, and send it back to the X-series for detection, correlation with the other S-series sensors and reporting through the Vectra UI and third party tools.
The S-series sensor works out of the box so threats are identified within minutes of deployment. Its plug-and-play installation means that it can be deployed in a manner that does not require IT to have hands on to get it up and rolling. Ultimately, this all translates into lower total cost of ownership (TCO), making it optimal for use where other detection technologies have been too expensive or to complex to go before.
The 2013 Ponemon Live Threat Intelligence Impact Report identified that if incident responders could get actionable intelligence within 60 seconds, breach resolution costs could be reduced by an average of 40%. This percentage is even higher in the case of the mega breaches like Target, Home Depot, and Anthem as the investigation costs balloon when extended post-breach investigations are required.
To get the data needed to stop advanced threats earlier and reduce exposure and costs, we need broader and deeper visibility at a reasonable level of management overhead and cost. The only way to do that is to have total visibility into activities across the network, and advanced analysis of those activities means that response personnel have the insight to react quickly with surgical precision.
If you are interested in learning more about the Vectra solution, check them out at http://www.vectranetworks.com/product/.