Defending Against Advanced Threats
Mike Nichols of General Dynamics Fidelis Cybersecurity Solutions on the New Essentials of Security Information Security Media Group • April 10, 2014
Advanced threats are like the weather. Everyone talks about them, but few have a solid defense plan - or even a solid understanding of the threat landscape. Mike Nichols of General Dynamics Fidelis Cybersecurity Solutions offers insight.
See Also: JavaScript and Blockchain: Technologies You Can't Ignore
One common misunderstanding of advanced threat defense is that it's all about stopping malware, says Nichols, senior manager, sales engineer for General Dynamics Fidelis Cybersecurity Solutions .
"Malware is just a very small subset of what the overall attack would be against you," Nichols says. "What an advanced threat really is: It's a person or a team of people that are trying to steal something from your network or gain some value by compromising your network. That malware is just one packet they might use."
And so to talk about advanced threat defense, one must look at the entire scope of the threat, he adds.
In an interview about advanced threat defense, Nichols discusses:
- Common misunderstanding about advanced threats;
- The elements of advanced threat defense;
- How organizations are putting these security principles and tools into practice.
As a Senior Manager, Sales Engineer for General Dynamics Fidelis Cybersecurity Solutions, Nichols interfaces directly with Fidelis Research & Development and plays a key role in determining product direction and architecture. Prior to joining General Dynamics Fidelis Cybersecurity Solutions, he served as a Security Analyst for Defense Point Security, where he worked for the Department of Homeland Security Operations Center to provide real time analysis of potential network intrusion attempts. He also served as a Sergeant and Intelligence Analyst in the US Army.
TOM FIELD: Tell us a little bit about your role with Fidelis.
MIKE NICHOLS: I'm a senior product manager here at General Dynamics Fidelis, and my main role is to listen to the customers, listen to what they want to get out of the product, and also interpret where the market is moving. [I] watch the threat landscape and identify where the new threats are moving toward, the new tactics aimed to attack people, and combine all that into a roadmap or a strategy for where the products need to move forward in the next year, or three to five years down the road.
Advanced Threats
FIELD: When it comes to today's advanced threats, what do you think people most misunderstand?
NICHOLS: When you talk about advanced threat defense, it's interesting because many different people have many different definitions, and many of the well-known analyst organizations out there are just now starting to wrap their hands around what it actually is and trying to define it. Gartner has one way of defining it, Forrester has another, NSS Labs has another way of defining what they call breach detection. There's many different ways that people talk about advanced threat defense.
But unfortunately, the way that it's propagating through the marketplace the most is what is being driven by this huge dollar marketing you see from large, high-profile organizations, and that is saying that advanced threat defense can be solved as long as you see malware coming across the network. You find that malicious object in the network, and now you've solved advanced threat defense. And that's really a misnomer and a disservice to our customers and the public at large to try to equate the two things together because malware is just a very small subset of what the overall attack would be against you. What an advanced threat really is, is a person or a team of people that are trying to steal something from your network or gain some value by compromising your network. That malware is just one tactic they might use, and actually you need to identify the full scope of that threat to actually say that you do advanced threat defense.
Threat Defense
FIELD: I'm going to take you into advanced threat defense now. Define that for us, please.
NICHOLS: At Fidelis, we define advanced threat defense as actually understanding the full scope of what we call the threat lifecycle. With an advanced threat, when a threat actor is targeting your organization or trying to get something from you, by either breaking your system or getting inside your network to take it somewhere else, there's a reason they're trying to get into your network and are focusing all of their efforts inside that network to compromise your perimeter. The way that they're doing that, whether it's a spear-phishing email or they've set up a drive-by download site or maybe they actually try to call in and get admin access to the network, those different ways are just the tactic that they use, the signature that they might use to get inside of your network. While it's important to identify that piece, you really need to be looking at the full scope of that threat lifecycle.
To actually be true advanced threat defense, you need to notice when they are trying to break in, but you also need to be looking at what's happening inside the network. Are people moving around the areas they should be moving around? Is there data flowing where it shouldn't be flowing? Is more of your company-confidential information coming off of file servers than is typical? And then, that visibility at the endpoint, or at the very end of the threat lifecycle, to say something is leaving my network that should not be leaving my network because if I stop this stuff from being stolen at the end of the day, then I've really solved the problem. I might have been affected for a while, but if they're not stealing my data, then I reduce a huge risk and a huge amount of remediation time and dollars from my customer data or whatever else might be stolen from leaving my network.
Core Components
FIELD: What would you say are the core components of advanced threat defense, and how should they work together?
NICHOLS: Gartner actually recently came out with a survey about advanced threat defense and classified these different styles of how, if you want to defend against your network, you should cover these different styles across the network. I think of all the different researchers and analysts I've looked at so far, they come the closest to what I'd say would be a real definition of covered advanced threat defense. That is that it's truly visible over your entire network infrastructure, from not just the perimeter getting pounded down but also, again, from data flowing across the network inside. What's happening transmitting from your sensitive data store and then what's actually leaving your network.
So, when we talk about what General Dynamics Fidelis actually considers to be the right way, you need that full-scope understanding of anomalous and malicious activities coming across the wire into your networks. So not just malware, but again it could be strange communications, somebody trying to spear-phish you or things like that. You need to be monitoring/watching for that, and also monitoring at the end of the day to make sure they're not stealing things, making sure you have a full understanding of what is leaving your network. You basically need to understand and have visibility over all the communications and make sure you control all the communications that are coming into and out of your house.
Looking to Build a Defense
FIELD: For organizations that are looking to build an advanced threat strategy, where should they begin?
NICHOLS: The best place to start for advanced threat strategy is to understand that visibility is key. I visit many federal and commercial sites, and a lot of times they have a budget for products, but they don't have the extra budget for people. Then every single person I talk to, every network defender out there will tell you that they have far more duties to accomplish than they have actual personnel to accomplish the task. Step one would be to fight as hard as you can tooth and nail to make sure that you have the personnel to staff your organization, and the security team that you need. On the other side of the equation, the guys that are attacking you, trying to come into your network, this is their full-time job. This is what they do all day long. So if you have a partial duty for security and partial duty for network admin or something like that, unfortunately it's not going to win the game. The first step is to make sure you have personnel that are trained up, ready to go, and you have an adequate number of people to actually do the investigations across your network.
Then the second step is to make sure you get the right products in. We talked a little bit earlier about integration of products and making sure you have the full coverage, so you're not just stacking up in one section or one style, but you actually have full coverage of visibility. So you need to somehow understand what's coming into [your] network and understand what's leaving it, some way to get visibility over all those things. But then at the end of the day, you also need to have some kind of memory, some kind of history of what's happening in your environment. When you do get that call from an agency or find out from somebody looking online at some data that used to be inside of your network that's now posted up for everybody to read, you have to be able to figure out how that got there in the first place. You need to be able to do root cause analysis and figure out, "I may have gotten an alert that something bad was happening but why did that bad thing happen?"
Too often I see security teams play whack-a-mole where they might have a malware defense system that's sitting in the network and saying, 'Hey, here's a new piece of malware that I found.' That's great, but what it doesn't tell you is why did that malware come into your network in the first place, how did that actually happen, what was the cause of that file object moving over to that whole system? It could be a secondary download, it could have been that somebody could have propagated laterally in your network and affected something and then pulled down another malicious object. If you don't do the root cause analysis to figure out where that came from, then tomorrow when you show up for work you're going to be solving the same problem that's now existing somewhere else over and over again. All that does is increase the time your team is spending on useless endeavors. You need to really solve the core problem, not just cure the symptoms. We call it proactive forensics here, which is the idea that you have this information about what's happening in the network, you understand, you've figured out the root cause. Now take all that data you've learned and feed it back into a system that can accept, not just your rules or what you want to look for but also go back in time and identifying a tactic that this threat actor used. Maybe you'll be able to uncover additional infections you didn't know you had in the first place.
Unique in the Marketplace
FIELD: What makes Fidelis unique in this marketplace?
NICHOLS: Fidelis is really a unique company because at the core of what we do, what we really started with and have developed over the years, is a deep content inspection of the communications traveling across the wire, and the ability to control those things as they move about. We're not saying that we are strictly a malware detection system, or just command and control or data defense. We cover all those, and at the end of the day that's just content, and we are the experts in finding content leaving the network, no matter how it's transmitting outside of your environment. When we ask what you are trying to find on your network -- what is it that scares you? -- we can find that for you. So whether it's malware coming in or other malicious ways to penetrate your network, command and control, propagation across the internal systems, and the data sets outside of the systems, we're experts at covering each one of those key areas in the threat lifecycle.
Also what we built into our system is an easy, kind of a one quick pivot, to be able to understand the full reason behind why this happened, that root cause analysis. In one system you're identifying the full scope of the threat lifecycle and also going back in time to figure out why it happened in the first place. We have an open policy engine, a very easy way for our customers to put the lessons they learned back into the system. We're not a black box. That said, we know better than you do. We do provide intelligence from our threat research team here, but we also allow you to leverage your own intelligence, because you understand your network better than anybody else. That feedback loop to be able to say here's why this happened, I figured out the root cause, and now I'm going to put the prevention mechanism in place so that I don't get hit by this thing again. I can ensure that I stop the actual technique of that threat actor, the way that he's trying to penetrate my network, not just the malware that's likely the tactic of how he's trying to get inside the network.
Fidelis Customers
FIELD: How are your customers succeeding with their advanced threat defenses efforts?
NICHOLS: We hear a lot of great stories from customers about how the defenses they put in place and what we help advise in the interoperability between systems, it's really solving some serious problems; we're stopping them before they become these headlines in the news. Just from the simple things of saving resources and remediation time, for example, using our ability to do root cause analysis and then dig deeper and find other possible problems with the network. We had one customer who we alerted on a control communication out of a host system, and here we are telling them that there's a remote access Trojan that's communicating out of your network. They were able to understand why that happened by just doing that simple, quick pivot back into the history and [seeing] that this came after they received an executable file inside of what looked like a spear-phishing email.
Right away they've done root cause analysis and understood why this thing happened in the first place, and what the holes [were that needed] work. But what they're also able to do is, using the information they gain, the fact that they understood where that spear-phishing email came from, it was a simple query on that domain of the sender to be able to find five or six more individuals in an organization that had received that same message, but had not yet clicked the attachment. They were actually able to go to their exchange server and rip those messages out, contact the users and make sure they knew [not to] run this thing because it's actually really bad. So at the end of the day, they only had one infected system instead of five or six, which saved them a lot of time. And time is money in the security business, right? So if you're not [having to] rip out hard drives, reimaging things and doing analysis on five or six systems to see what happened, you're only having to focus on one, it's a huge savings for them.
Besides that, there's all kinds of stories we hear from many different regions where our ability to detect a threat in real-time is an open source way of doing content analysis, basically malware detection with an open framework that everyone understands and can utilize. We're actually preventing these things from making it in your environment. The best way to reduce remediation time and remediation cost is to just prevent it in the first place. We're hearing a lot of great stories about how we're really helping the organizations to feel like they're getting the power back. No longer are they just looking at alerts and saying, okay, something else happened, let's go clean it up. But they now have the ability to go back and own their own network and say, "You're not going to get in here. I'm going to show you, I will fight you tooth and nail to make sure that I protect my network to the best of its ability."
