#Infosec17 Threat Correlation: Joining the Dots for Better Breach Defense

#Infosec17 Threat Correlation: Joining the Dots for Better Breach Defense

Threat correlation technology offers IT teams the opportunity to better detect and respond to damaging cyber-attacks, reducing false positives and enabling smaller firms to do more with less, according to WatchGuard Technologies.

The firm’s information security threat analyst, Marc Laliberte, told Infosecurity Europe attendees today that breaches have become the “new normal” thanks to the lure of big financial rewards for the black hats and less than optimal security tools.

SMEs are particularly at risk, suffering anywhere between 60% and 90% of cyber-attacks, and experiencing a fallout disproportionately more severe than their larger counterparts, he claimed.

With the mean dwell time for 2016 standing at 99 days, there’s a growing urgency to invest in tools like threat correlation, to detect attacks earlier in the kill chain, Laliberte argued.

Correlation works by first collecting data from multiple sources—the more, the better—before consolidating, normalizing, putting it into a readable format and removing anything irrelevant. Threats can then be scored according to their seriousness.

Thanks to event sequencing, the best tools are able to effectively piece together the anatomy of an attack, flagging events which on their own might not be enough to trigger a serious alert.

On their own, the initial stages of the Target attack—which resulted in the compromise of 40 million cards and 70m customer account details—may have gone unnoticed, Laliberte claimed.

Hackers initially compromised credentials from an insecure third-party and logged in via VPN to the network, before pivoting by creating new admin credentials and then logging an SQL query for a large volume of data.

The first two stages may have scored a 3 and a 4 on their own—suspicious but not necessarily indicating a critical security threat. However, when analysed together by event sequencing tools in combination with the succeeding SQL query, they would trigger a serious alert for investigators, Laliberte explained.

For large organizations, threat correlation offers an opportunity to turn big data into actionable intelligence, while smaller firms get to harness the power of a virtual SOC without the overheads, he claimed.

“The bottom line is that no protection is perfect, so we need to set ourselves up to stop threats that get by our defenses, and correlation is a great way to do that,” he concluded.

Source: Information Security Magazine