Even the BEST System Requires Effective Compensating Controls
In any risk-based system there is a finite probability that the entire system will fail from time to time. When the system is considered mission-critical for an organization or individual, “compensating controls” are built in to prevent such failures from affecting overall system performance. The compensating control assumes the primary system will fail and responds accordingly. Thus, nuclear power plants have automated shutdown procedures that halt the fission reaction in the event the cooling system fails, large power boats carry small outboard motors for propulsion in the event the main engine fails, and skyscrapers have battery-powered lights in the stairwells that activate when the power goes out.
The role of compensating controls in IT security is to assure that even when prevention systems fail, the security and integrity of networks, devices, and people is maintained. Information security compensating controls assume that even very well designed and operated prevention systems will fail periodically, which they do. Seculert’s Research Lab has studied one such failure mode that involves malware defeating the prevention layer, establishing presence on the enterprise network, and “beaconing out” to the perpetrator’s command and control servers. If the installed NGFW or gateway proxy were operating properly, it would block most or all of this outbound communication. It turns out that none actually succeeds in doing so. In a report published in April 2015, Seculert reported that the proxy devices used by its customers fail to stop the beaconing malware from communicating 15-90% of the time.
The Seculert cloud-based breach analytics platform is designed specifically to provide a compensating control when these prevention systems fail. Using a combination of Big Data analytics, unique malware profiles, and machine learning, Seculert finds the malware that has either defeated the firewalls, IPS, sandbox, and proxy devices or been physically carried into the network on BYOD devices and external drives. By exploiting the one weakness all malware has, the outbound traffic it must generate to complete its mission, the Seculert Solution reports only 100% verified infections, allowing for rapid and accurate remediation.
The other compensating control benefit delivered by the Seculert Platform is continuous visibility on overall security system performance. This kind of visibility is critical for security teams: it enables them to optimize the effectiveness of their overall security architecture and achieve the best security posture possible.
Cloud-Based Automated Breach Analytics Platform
The Seculert Platform resolves the issues created by the combination of threats that can now easily defeat perimeter prevention technologies and SIEM systems that generate 40-50 times the number of alerts that even large, well-staffed Security Operations Center teams can process. In the classic “battle” between cybercriminal gangs and enterprise security teams, time is generally on the cybercriminal’s side. Having studied current prevention technologies and SOC operating procedures, the adversary knows that no enterprise can afford to evaluate any single suspect binary for more than a few minutes. They also know that once they establish “presence” on a corporate network, their malware can sit quietly collecting data unobtrusively for weeks or months without being detected.
The Seculert cloud-based automated breach analytics platform addresses the inherent weaknesses in prevention and SIEM systems by leveraging the activity logs of the installed perimeter devices. The Seculert Platform uses very sophisticated Big Data analytics and machine learning algorithms to identify infected devices based on their communication patterns over time. The analysis techniques used alter the balance of power between attacker and defender to put time on the side of enterprise security teams.
This sophisticated log analysis is combined with external contextual data that includes unique malware profiles developed by Seculert’s Research Lab, the company’s proprietary botnet interception network, and crowdsourced data that tracks malware behavior across all of the domains protected by Seculert. The Seculert Platform tracks not only infections attempting to move across domains, but also how, exactly, the top prevention solutions are responding to those attacks. This results not only in improved detection of stealthy advanced attacks, but also in improved visibility on overall security posture.
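The page describes, at a high level, spotting infected hosts from the communication patterns in perimeter-device logs over time. The following is an added illustration of that idea, not Seculert’s own algorithm or code: it parses a constructed proxy log and flags (client, destination) pairs whose outbound connections recur at near-constant intervals, the low-jitter check-in rhythm typical of beaconing malware. The log format, hostnames and addresses are all made up for the example.

```python
"""Toy beacon detector over proxy logs (added example, not Seculert's code).
Flags (client, destination) pairs whose connections recur at near-constant
intervals; legitimate user-driven traffic tends to have irregular gaps."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client IP> <destination> <action>".
# 10.0.0.5 checks in every ~5 minutes; 10.0.0.7 browses at irregular times.
SAMPLE_LOG = """\
2015-04-01T09:00:00 10.0.0.5 updates.example-cdn.test ALLOW
2015-04-01T09:00:04 10.0.0.7 mail.example.test ALLOW
2015-04-01T09:05:01 10.0.0.5 updates.example-cdn.test ALLOW
2015-04-01T09:10:00 10.0.0.5 updates.example-cdn.test ALLOW
2015-04-01T09:11:37 10.0.0.7 mail.example.test ALLOW
2015-04-01T09:15:02 10.0.0.5 updates.example-cdn.test ALLOW
2015-04-01T09:20:00 10.0.0.5 updates.example-cdn.test ALLOW
2015-04-01T09:21:12 10.0.0.7 mail.example.test ALLOW
2015-04-01T09:25:01 10.0.0.5 updates.example-cdn.test ALLOW
2015-04-01T09:47:53 10.0.0.7 mail.example.test ALLOW
2015-04-01T10:03:20 10.0.0.7 mail.example.test ALLOW
"""


def parse_log(text):
    """Group connection timestamps by (client, destination), in log order."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, dest, _action = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return {(client, dest): (mean_gap_seconds, cv)} for pairs whose
    inter-arrival gaps have a coefficient of variation <= max_cv.
    A CV near 0 means clockwork regularity; user traffic scores far higher.
    min_events keeps one-off bursts from being judged on too few gaps."""
    flagged = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            flagged[key] = (round(avg), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (client, dest), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every ~{gap}s (CV={cv})")
```

Real deployments would add a time window, exclude known-good update and telemetry domains, and weight the score by how long the pattern persists, since regularity alone also describes legitimate software updaters.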
No Hardware, No Software
The Seculert Automated Breach Detection Platform is a 100% cloud-based solution that requires no new hardware or software to be deployed. Using a combination of automated traffic log analytics, a highly scalable elastic sandbox, and leading botnet interception technology, the Seculert Platform establishes and maintains continuous visibility on the behavior of any malware that infects our customers’ networks. Being a cloud-based service, the Seculert Platform deploys quickly, scales to meet the demands of the ever-changing threat landscape, and provides SOC/IR teams precise and accurate breach detection information reliably and cost-effectively.
Just one example of how the Seculert Platform benefits from being built as a cloud-based service can be seen from day one in the way the Elastic Sandbox works. While premises-based sandbox technologies are limited in the amount of time they can spend observing a suspicious executable, the Seculert Platform can observe any malicious behavior that might be triggered by longer-term execution cycles, specific device configuration, or even geographic differences. This highly scalable approach allows Seculert to build and maintain one of the largest behavioral profile archives of malware in the world.
To learn more about how Seculert’s no-hardware, no-software solution detects the presence of malware on your network, check out the white paper, “Combating Advanced Persistent Threats Through Detection.”