Detection and response to APTs have become the ultimate goal of cyber security, and security services can't ignore this fact anymore

Author- Arindam Bhattacharya

When a cyber security compromise takes place, it has already passed through multiple defence layers to attain its final goal, persistence. Such compromises are very hard to detect because of the family of compromises involved: there is no independent traffic, only a carrier riding inside other service entities.

By the time such activities are detected (appearing as false positives, or true positives?), the multi-layer kill chain compromise has already taken place, but the siloed incidents were overlooked, which in turn gave room for an unknown security breach to persist for longer with no clues.

When a network operation is of a sensitive nature, that "unknown factor" indicates there is an issue in multiple dimensions: capability, hygiene, maturity, etc.

Detection challenges are greater "on premise" than in the cloud, which offers stricter policies and controls; but compliance "in the cloud" sometimes remains a challenge due to the absence of full-stride solutions, meaning the customer-managed app or infra layer may not provide rigid security because proper security modules are absent. Moreover, "in the cloud" is not always effective due to poor configuration management, which leaves logical security inadequate even though the capability of the cloud is there.

"In the cloud" here means where the user operates, while "of the cloud" means where the provider operates their services, such as in IaaS, where the cloud provider manages the physical hardware, hypervisor, core network security, etc.

So, coming to the point: when the challenges are foreseen, a single fix may not be enough to treat them without knowing the depth and stages of the compromise branches.

At the same time, researchers also have very limited visibility from outside, and a view without "end to end" coverage may not produce much result unless the product OEMs, including customers and vendors, run their own research units. Reproducing a similar persistent threat (of a unique type) is also not possible due to the variety of IT devices, apps, tools, etc., but ensuring research focus at each level may ease the process a lot.

The gap here is the absence of mapped branches so that an analyst can understand what to look for. A complete mapping of a threat's traversal is possible only if the threat is detected as a threat. But it is not always straightforward, because automated threat detection never becomes easy: it is not only the potential behaviour but also a set of actions that would appear as real activity without giving any clue that they are connected with the threat. That is where false positive confusion comes in. What looks like a false positive may not always be one! For example, a critical resource accessed by a known and authorised user. Since the user is authorised, the event is a false positive! But was there a correlation across multiple systems to verify whether the user's access stamp is present across the other identity hops, or whether the user was on leave? It's easy to say, but while implementing it we have challenges, as there would be multiple data points from multiple dissimilar systems as well; but data can solve it, and it needs telemetry data from all systems within the same time stamp, or at least the nearest.
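The correlation described above, as an added illustration written for this page (not code from the post): a privileged-resource access is checked against the identity provider's sign-in log within a short time window and against the HR leave calendar, so an "authorised user" event is only closed as benign when the other hops agree. The log layout, the five-minute window, the `mfa_success` event name and the leave table are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed formats, not from the post):
# a critical file-share access log, an IdP sign-in log and an HR leave table.
ACCESS_LOG = [
    {"ts": "2024-03-04T09:02:10Z", "user": "alice", "resource": "finance-share"},
    {"ts": "2024-03-04T22:41:03Z", "user": "bob", "resource": "finance-share"},
    {"ts": "2024-03-05T10:15:30Z", "user": "carol", "resource": "finance-share"},
]
IDP_LOG = [
    {"ts": "2024-03-04T09:01:40Z", "user": "alice", "event": "mfa_success"},
    {"ts": "2024-03-05T10:14:55Z", "user": "carol", "event": "mfa_success"},
]
HR_LEAVE = {"carol": ("2024-03-01", "2024-03-10")}  # user -> (start, end), inclusive


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage(access_log, idp_log, hr_leave, window=timedelta(minutes=5)):
    """Return one finding per access event; 'benign' only if every hop agrees."""
    findings = []
    for ev in access_log:
        t = parse_ts(ev["ts"])
        reasons = []
        # Hop 1: the user must have an IdP sign-in shortly *before* the access.
        hop = [e for e in idp_log
               if e["user"] == ev["user"] and e["event"] == "mfa_success"
               and timedelta(0) <= t - parse_ts(e["ts"]) <= window]
        if not hop:
            reasons.append("no matching IdP sign-in within window")
        # Hop 2: an account used while its owner is on leave is not explained
        # by "the user is authorised".
        leave = hr_leave.get(ev["user"])
        if leave and leave[0] <= ev["ts"][:10] <= leave[1]:
            reasons.append("user on leave per HR")
        findings.append({"user": ev["user"], "ts": ev["ts"],
                         "verdict": "benign" if not reasons else "suspicious",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(ACCESS_LOG, IDP_LOG, HR_LEAVE):
        print(f)
```

In the constructed data, alice is closed as benign, bob has no sign-in hop at all, and carol has a valid sign-in but is on leave, so the "authorised user" event is still escalated.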

Machine learning technologies are built into security threat management products, but they may not be very effective because they work within a set of defined rules, and extra learning is subject to time; by that "time" the threat could have materialised and caused an incident. The same goes for deep learning models.

An ML/DL model works best when the training data and the inferences closely match; if the two differ, wrong anomalies are likely, which would force manual intervention to re-train the model. That means that even after adopting ML/DL, the possibilities are that the challenges still remain.

Also, there are challenges with the security of the models themselves if they are not checked against vulnerabilities or logical weaknesses. These are practical challenges, but there are ways to deal with them. Training data needs to be more extensive and non-exhaustive to allow the machine to learn and make more accurate decisions. Correct correlations that are practically not possible otherwise, let the machine resolve.

To conclude, it is highly necessary that CMMC adoption and trust marks for vendors / OEMs be obtained in every industry; that may sensitise the issue more and develop better awareness and trust in the supply chain to deal with the ever-increasing cyber threats.
