Is your network secure right now? Have any of your PCs or mobile devices been compromised? Before you even attempt to answer these questions, you need to pause and ask yourself: Can you actually answer either of these questions with any degree of certainty? Think hard about that one—because your job may depend on it. According to the recent Verizon Data Breach Investigations Report (DBIR), the average time it takes for an organization to detect a compromise or to discover an attacker inside its network is measured in months—and sometimes years—rather than hours or minutes. With many of the major data breaches in recent years, the company found out about the attack the hard way—with a phone call from a credit card merchant or the FBI reporting stolen customer data being exposed or used in the wild.
The traditional security model is no longer working
The problem is a function of the traditional approach to security. The standard model employed by most organizations for the last decade or more is broken, and it’s time for a new strategy that focuses less on prevention. You need to look at security through the lens of shortening the time it takes to detect a compromise and actively hunting for threats.
It isn’t really a secret that the perimeter is dead. The concept of “inside the network” and “outside the network” and the idea that you can protect your network and data by simply keeping the bad guys out has been an outdated strategy for some time now. The explosion of mobile devices and BYOD (Bring Your Own Device) programs and the rise of cloud services have effectively removed whatever wall might have previously existed between your network and the bad guys.
The threat landscape has changed
Even if that were not the case, the reality is that the threat landscape has shifted as well. While organizations were busy trying to harden the network perimeter, cyber espionage malware attacks like Stuxnet, Flame, and Duqu were silently spreading … undetected. While IT admins have been busy looking for unauthorized access and trying to keep the bad guys out, the attackers have been stealing credentials and logging in with valid usernames and passwords.
The vast majority of network compromises and data breaches have the appearance of authorized activity
The reality is that the vast majority of network compromises and data breaches have the appearance of authorized activity. Whether it’s an inside job by a disgruntled employee, or an external attacker using a username and password captured in a phishing attack, what you see on your network is an authorized user with valid credentials. The crucial question isn’t whether the authentication itself is valid; it’s whether the access matches the user’s usual behavior, and whether the actions taken once access is granted look normal or suspicious.
How can you defend your network and data against current threats? Effective security comes down to three things: visibility, context, and action. You have to pay closer attention. You need tools in place that can actively monitor all of the endpoints and devices on your network—that can combine business intelligence and threat intelligence to provide context and help you identify suspicious or malicious activity.
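The point above is that a valid login tells you nothing by itself; what matters is whether it matches the user's usual behavior. The following is an added illustration, not code from the article or from Tenable: it builds a per-user baseline (source address, destination host, login hours) from constructed successful-login records and flags new logins that depart from it. The log format and all hosts, addresses and users are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the article).
# Format: <ISO timestamp> <user> <source IP> <destination host>; every line is a successful login.
BASELINE_LOGS = [
    "2024-03-04T09:12:31 alice 10.0.1.20 FILESRV01",
    "2024-03-04T13:40:02 alice 10.0.1.20 FILESRV01",
    "2024-03-05T08:55:17 alice 10.0.1.20 MAILSRV01",
    "2024-03-05T10:03:44 bob 10.0.2.15 FILESRV01",
    "2024-03-06T11:21:09 bob 10.0.2.15 DEVSRV02",
]

# Constructed events to hunt through: all of them authenticated with valid credentials.
NEW_EVENTS = [
    "2024-03-07T10:15:00 alice 10.0.1.20 FILESRV01",    # normal for alice
    "2024-03-08T03:02:11 alice 172.16.9.77 DCSRV01",    # odd hour, new source, new target
    "2024-03-08T10:30:00 bob 10.0.2.15 FILESRV01",      # normal for bob
    "2024-03-08T10:31:00 svc_backup 10.0.2.15 DCSRV01", # account never seen before
]

def parse(line):
    ts, user, src, host = line.split()
    return {"hour": datetime.fromisoformat(ts).hour, "user": user, "src": src, "host": host}

def build_baseline(lines):
    """Per-user profile of what authorized access normally looks like."""
    profile = defaultdict(lambda: {"src": set(), "host": set(), "hour": set()})
    for e in map(parse, lines):
        for key in ("src", "host", "hour"):
            profile[e["user"]][key].add(e[key])
    return profile

def score(event, profile):
    """Return the ways this (valid) login departs from the user's own baseline."""
    if event["user"] not in profile:
        return ["user has no baseline"]
    seen = profile[event["user"]]
    reasons = []
    if event["src"] not in seen["src"]:
        reasons.append("new source address")
    if event["host"] not in seen["host"]:
        reasons.append("new destination host")
    if not (min(seen["hour"]) <= event["hour"] <= max(seen["hour"])):
        reasons.append("login outside usual hours")
    return reasons

def hunt(baseline_lines, new_lines):
    """Baseline from history, then report only the logins that need a human look."""
    profile = build_baseline(baseline_lines)
    return [(e["user"], e["host"], score(e, profile))
            for e in map(parse, new_lines) if score(e, profile)]

if __name__ == "__main__":
    for user, host, reasons in hunt(BASELINE_LOGS, NEW_EVENTS):
        print(f"{user} -> {host}: {', '.join(reasons)}")
```

Two of the four valid logins are surfaced for review, which is the context a perimeter-only control never provides.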
Original Article Link: http://www.tenable.com/blog/finding-threats-on-your-network-hunt-or-be-hunted-0