The results of a Ponemon Institute survey ofÃ‚Â 591 IT professionals whose day-to-day duties revolve around securing the networks of major corporations and big government agencies were released in full today. As LastWatchdog reported last week, The survey of IT pros revealed the extent to which CEOs, COOs and CFOs behave like ostriches, when it comes to grasping the scale and scope of cyberattacks against their respective organizations. In this LastWatchdog guest post, Tim Belcher, CTO of digital forensics firm NetWitness, which sponsored the study,Ã‚Â reflects on the wider context.

By Tim Belcher

Cybercrime has finally crossed the line from a looming threat to a cost of doing business. The now infamous Aurora attack on Google, Intel and other companies has underscored both the profitability of data theft and the acknowledgement by corporate America that, for now, the battle is being lost. Recent SEC filings Ã¢â‚¬â€œ from Google to Northrop Grumman Ã¢â‚¬â€œ are now including shareholder risk language to protect corporations in an environment where cyber defense is an inexact science, and where online pillaging presents explosive growth opportunities with little upfront investment.

Another recent discovery, the Kneber botnet, is also a perfect representation of the state of the cyberstate. A medium-sized instance of the well known ZeuS botnet, the operators behind Kneber slipped past what should have been more than adequate defenses within 2,500 companies. They remained there undetected for more than 18 months, and in one month alone managed a massive take totaling 75GB of sensitive data. For all that was average about the malware involved in Kneber and similar operations, they represent a new layered, multifaceted approach methodology that is advanced. Because a few experts can decipher the attacks after the fact, does not diminish the effectiveness of how these organizations operate.

A just-released study by the Ponemon Institute takes a first in depth look at what organizations are seeing and doing in terms of these advanced threats. The group of nearly 600 IT and IT security leaders defined advanced threats, as Ã¢â‚¬Å“a methodology employed to evade an organizationÃ¢â‚¬â„¢s present technical and process countermeasures which relies on a variety of attack techniques as opposed to one specific type.Ã¢â‚¬Â

By that definition, the results highlight systemic failures in people, process and technology that are too stark to ignore. Among the most prominent findings are:

Advanced threats are perceived as a major, growing problem.

83% believed their organization has been a recent target of advanced threats Ã¢â‚¬â€œ with 41% citing they are frequent targets.

70% believe that the growing volume of these threats is making for a much more dangerous technology landscape

Detection of advanced threats is lowo 46% took one month or longer to detect an advanced threato 45% discovered them Ã¢â‚¬Å“by accidentÃ¢â‚¬Â

Change is needed across the board

81% felt that their leadership lacked awareness of the seriousness of advanced threats

Only 24% agreed that prevention or quick detection of advanced threats is a top security priority in their organization

Only 32% report that their security-enabling technologies are adequate.

Only 26% report security personnel are adequate to deal with advanced threats.

When only 32% of consumers feel they have an adequate solution, and only 26% feel they have personnel that are adequate, then it is a safe leap to say the majority of Information Security leaders feel the current approach is failing. After two decades of growing awareness and emphasis, we find ourselves outpaced by our adversaries, and ill equipped to protect our networks and information. A common opinion among peers is that the heavy focus on compliance over the last few years has shifted focus away from response and protection, and provided a false sense of health. Another thing that is becoming all too clear is that most organizations are simply not agile enough to adapt to changing threats.

Borne in the days of slow moving viruses, and Ã¢â‚¬Å“inconvenience attacksÃ¢â‚¬Â such as distributed denial of service (DDOS) and website defacements, security innovation has proceeded along a simple, response-stimulus mentality. The goal has been to try and keep pace with attack development Ã¢â‚¬â€œ an approach that from the beginning has relied on temperance for acceptable losses and collateral damage. An attack needed to take place before a defense could be mounted, and there was no allowance for the geometric increases in attack velocity and complexity.

Conversely, attackers have become more sophisticated, targeted, and better financed. Criminal networks are smart enough to fly below the radar and use technology advances Ã¢â‚¬â€œ multilayer attacks, redundancy and both peer-to-peer and cloud computing concepts. They also continue to prey on the weakest link Ã¢â‚¬â€œ human nature Ã¢â‚¬â€œ to circumvent even the best defenses. Cases in point, Aurora reportedly breached defenses through a phishing attack via webmail, and Kneber used competing botnet technologies Ã¢â‚¬â€œ Zeus and Waledac Ã¢â‚¬â€œ to provide Ã¢â‚¬Å“backupÃ¢â‚¬Â redundancy.

The anonymity, flexibility and complexity of the Internet favors aggression and severely challenges defenses. Unfortunately, the combination of conventional wisdom, celebrity malware, fear-mongering, and marginal protection has perpetuated a security model that has long been rendered obsolete.

At the core of the issue is the value and vulnerability of human intelligence Ã¢â‚¬â€œ be it in expert analysis or collective awareness. Apart from discussions of specific technologies, there are three critical areas that must be addressed if we even hope to achieve more level cyber defense footing:

Achieve a comprehensive understanding of our networks. Without understanding what constitutes Ã¢â‚¬Å“normal,Ã¢â‚¬Â we will have little chance of preventing threats as they change and morph at an ever increasing rate. There must be an executive level commitment to mapping, understanding and addressing global business risk, not knee jerk threat protection. We also need to deploy solutions that are more robust Ã¢â‚¬â€œ that offer the agility to respond to any threat on the horizon, the real-time awareness needed to detect and thwart new attacks in real time, and a more mature capability to quickly understand and address those threats that WILL get through.

We must work together Ã¢â‚¬â€œ and share more information on attack vectors and threats. Forget breach and incident reporting thresholds, and set sharing thresholds and requirements. Our only viable chance at defending our networks and information relies on perspective. The faster your organization learns of new threats, and the greater the detail it has, the more likely it will be to thwart those attacks. Some may take from this the need to outsource to more expert professionals. Please see the next bullet.

The time for comprehensive, or even significant outsourcing of security has past. As outsourced vendors have become commoditized, so too have most of their offerings. In todayÃ¢â‚¬â„¢s world, organizations need to acquire, train, recruit, and retain security talent. Increasingly, the difference we see in success or failure falls squarely on talent.

Patch human vulnerabilities. Every employee maintains the information keys to the kingdom. The types of organized threats we are speaking of need only the smallest foothold. The time has past where security can remain a mystery to the general population. In the foreseeable future, employees will likely remain the way through the door for our adversaries, and therefore must contribute to the front line defenses. Even a modicum of realistic, required training for all employees would significantly reduce risk.

About the author



Tim Belcher isÃ‚Â Chief Technology Officer for NetWitness. He is responsible for the company’s overall product vision, development and technology roadmap. Previously, Belcher co-founded Riptech where he served as CTO. At Riptech, Belcher was the visionary behind Caltarian, the award-winning and breakthrough security event correlation technology that was the foundation for Riptech’s security monitoring services. Ernst & Young recognized Mr. Belcher for his success with the “Entrepreneur of the Year” award in 2001.

July 6th, 2010 | Guest Blog Post | Steps forward