Eric Cole to Enter Hall of Fame
New Inductee on How Outbound Traffic Can Detect Trouble
The best way to detect whether hackers have penetrated an IT system is to examine outbound traffic, says Eric Cole, the latest inductee to the Infosecurity Europe Hall of Fame.

A SANS Institute fellow and IT security author, Cole is being inducted into the Hall of Fame at the mid-spring Infosecurity Europe conference in London. In a pre-conference interview with Information Security Media Group, Cole discusses the current state of global cybersecurity, including steps organizations should take to mitigate cyber-intrusions.

When trying to identify vulnerabilities in their systems, most organizations focus on inbound traffic, but Cole points out that analyzing outbound traffic could prove more effective. "Prevention is ideal, but detection is where you want to focus your energy," he says.

Compromised systems could be exposed, he says, by analyzing three metrics, the duration of a connection, the number of connections and the amount of data leaving the system, and comparing those statistics with normal traffic patterns. "When we find systems that are compromised with command and control channels, they almost always deviate in those three areas," Cole says.

"So, if you now start looking at the outbound traffic, and looking for IP addresses that have an excessive number of connections, [with] very long connections with large amounts of data, that's going to be very, very indicative of compromised boxes," he says. "And that's where you're going to have to put a lot more energy.

"Trying to prevent attacks is good, but the real focus today in winning is recognizing that you will be compromised, so find, detect and stop those systems as quickly as possible, and minimize and control the damage."
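Cole's three outbound metrics turned into a detection over constructed flow records, as an added example that is not from the interview or from any SANS or Secure Anchor tool. The flow tuples, host names and addresses are made up, and scoring each host against a baseline period at mean plus three standard deviations on every metric is an assumption, not something Cole specifies.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Flow records are (source host, destination IP, duration in seconds, bytes sent).
# Both sets are constructed for this example; addresses are documentation ranges.
BASELINE_FLOWS = [  # a quiet period that stands in for the "normal traffic pattern"
    ("ws-01", "203.0.113.5", 2.0, 4_000), ("ws-01", "203.0.113.9", 1.5, 12_000),
    ("ws-02", "203.0.113.5", 3.0, 6_000), ("ws-02", "203.0.113.7", 0.8, 2_500),
    ("ws-03", "203.0.113.9", 1.2, 9_000), ("ws-03", "203.0.113.7", 2.2, 5_000),
    ("ws-04", "203.0.113.5", 1.8, 7_000), ("ws-04", "203.0.113.9", 2.5, 3_000),
]
CURRENT_FLOWS = [  # the period under review; ws-04 now holds long, heavy sessions to one address
    ("ws-01", "203.0.113.5", 2.1, 5_000), ("ws-01", "203.0.113.7", 1.7, 11_000),
    ("ws-02", "203.0.113.9", 2.9, 6_500), ("ws-02", "203.0.113.7", 1.0, 3_000),
    ("ws-03", "203.0.113.9", 1.4, 8_000), ("ws-03", "203.0.113.5", 2.0, 4_500),
    ("ws-04", "198.51.100.20", 900.0, 40_000), ("ws-04", "198.51.100.20", 1200.0, 65_000),
    ("ws-04", "198.51.100.20", 800.0, 55_000), ("ws-04", "198.51.100.20", 1500.0, 70_000),
]

METRICS = ("mean_duration", "connections", "bytes_out")

def per_host_stats(flows):
    """Reduce raw flows to the three metrics Cole names, per source host."""
    durations, counts, volume = defaultdict(list), defaultdict(int), defaultdict(int)
    for host, _dst, seconds, nbytes in flows:
        durations[host].append(seconds)
        counts[host] += 1
        volume[host] += nbytes
    return {h: {"mean_duration": mean(durations[h]), "connections": counts[h],
                "bytes_out": volume[h]} for h in durations}

def thresholds(baseline_stats, k=3.0):
    """Per metric, mean + k standard deviations across all hosts in the baseline period."""
    limits = {}
    for m in METRICS:
        values = [s[m] for s in baseline_stats.values()]
        limits[m] = mean(values) + k * pstdev(values)
    return limits

def flag_hosts(current_stats, limits):
    """Hosts that exceed the baseline limit on every one of the three metrics."""
    return sorted(h for h, s in current_stats.items() if all(s[m] > limits[m] for m in METRICS))

def review(baseline_flows=BASELINE_FLOWS, current_flows=CURRENT_FLOWS):
    """Build limits from the baseline period and return hosts that deviate in all three areas."""
    return flag_hosts(per_host_stats(current_flows), thresholds(per_host_stats(baseline_flows)))
```

In production the comparison is usually made against each host's own history rather than across the fleet, and a metric with zero variance in the baseline (connection counts here) yields a brittle limit, so a floor or a minimum sample size is worth adding.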

Back to Basics

In the interview, Cole:

  • Asserts that organizations seeking good security must return to the basics: asset identification, configuration management and change control;
  • Advocates that chief information security officers should be at least on par with chief information officers and report directly to an organization's top executives;
  • Suggests ways organizations can measure the effectiveness of their IT security programs.

Cole is founder of Secure Anchor Consulting and is a fellow and instructor at SANS, a cybersecurity educational organization. Earlier in his career, Cole served as senior vice president and chief technology officer of the Americas for security provider McAfee. At defense contractor Lockheed Martin, Cole served as chief scientist for information security and as a research senior fellow. He began his career at the CIA, where he designed and developed several secure communication systems.

Cole holds a number of patents involving IT security and has published a number of books, including the Network Security Bible; Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization; and Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft.
