As cybercriminal tactics become more creative and complex, organizations will need to get better at establish network norms and detected activity that is out of the ordinary. Reporting on IBM’s 2012 Mid-Year Trend and Risk Report, Dark Reading noted the dangers that could follow weird behaviors and pointed out the leading challenges in monitoring for anomalous events.
IBM researcher Robert Freeman warned of emerging threat vectors that include attackers coming at targets through partner companies, hackers creating custom malware to combat known defenses and foregoing common techniques such as botnets for stealthier ones such as dedicated denial of service (DDoS) attacks that use domain name system (DNS) spoofing or amplification. Spotting the first signals of unusual activity will be key to corralling these threats.
"It's not necessarily about seeing that machines are talking at weird times of the days," Freeman said. "A lot is about seeing weird activity within your network, where machines are talking to the wrong systems, moving large amounts of traffic."
In order to detect these types of behaviors, companies can rely on anomaly detection systems and endpoint security suites, but the level of analytic capabilities needed to accurately predict and catch all problems may still be a work in progress. One malware researcher told Dark Reading that organizations may need to monitor individual users for anomalous behavior, not just broad network trends.
"The more granular that you can get, the better," he told the site. "You can look at the network as a whole and detect anomalies. It is better if you can look and see what individual users are doing and what individual devices are doing."
The challenge is that this type of monitoring approaches the territory of big data analytics.
“Today’s rapidly advancing cyberthreat landscape requires IT security teams to employ an adaptive intelligence framework that takes big data security analytics beyond just after-the-fact forensic investigation and applies it in real time to recognize the indicators of an advanced threat or breach,” security expert Mike Reagan wrote in a recent column at CRN.
While researchers at North Carolina State University recently showcased a new data-crunching anomaly detection tool for cloud systems, this type of solution is still evolving. At the moment, endpoint security remains the first line of defense, but organizations may want to start collecting network data for future analysis and take a few precautions against atypical behavior such as limiting the size of data transfers.
Security News from SimplySecurity.com by Trend Micro