Threat Monitoring Isn’t A Cure-All-Fix-All

Written by: Francesco Trama | Published on: April 7th, 2016

About The Author

Francesco Trama
As Chief Executive Officer and Founder, Francesco is responsible for the overall operating performance, leading the strategic direction of the company’s products and solutions internally while building technical and business credibility externally as a market-facing thought leader.

Threat detection services and systems are a lot like an antivirus program. How so? They are built on the history of what we know and, to some degree, provide a “good guess” at what some traffic might accomplish. When that guess is wrong, the result is what we call a false positive. So do they protect you from all harm to your network, allowing you to work worry-free? Absolutely not. If you think about it, threat detection systems provide the same euphoric feeling as antivirus: we feel invincible for a brief period. That false sense of security, or invincibility, may be leaving you more vulnerable than you realize.

For example, let’s say that your company has just finished a thorough security audit. The auditors recommend a slew of things to patch, maintain, and adopt, including products that scan packets and traffic patterns for anomalies using proprietary algorithms. These are based on well-known threat history, common conditions, and baselines of your own normal traffic. That would give anyone a warm fuzzy feeling. It might even seem like an opportunity to take a breath from the security grind. Right…? WRONG!

The Antivirus Problem

You have an antivirus program on your computer that you pay an annual fee for. So you don’t worry about potential threats, because that’s what you’re paying an antivirus for. Then, all of a sudden, your computer ends up with a virus. How? It’s because there are always new viruses being created, much faster than your antivirus provider can be alerted to them. And since they don’t know about the virus, they can’t protect you against it.

Then, you report that you have a virus, and they’re alerted to it. So now they can block it, right? Well, first they have to tear the entire thing apart and reverse engineer it. They need to figure out what it is and what it does, so that they can create a patch for it.

Once they’ve got the patch, they send out a software update to all of their customers, and they’re protected against this new virus. Then, another new virus comes along a few months later, and the whole process starts over again. And in the meantime, your computer, that you assume is safe behind its antivirus program, is vulnerable to a whole host of attacks that the software isn’t prepared for yet.

The Threat Monitoring Problem

This is exactly the way it works with threat intelligence. Threat detection systems and services do a great job, and you should definitely employ one if you can, just like you should definitely have an antivirus program on your computer. They provide you with advance warning and insight into the global patterns of cyber threats, so that you can understand what’s happening and protect against it.

However, like antivirus, threat intelligence is also based on history. It looks at what a particular virus, malware, botnet, etc. has done in the past, then dissects it and makes assumptions as to what it will do going forward.

Threat intelligence agencies put a lot of time and effort into putting themselves into the shoes of a potential cyber attacker. When a threat comes along, they dissect it and reverse engineer it, to uncover its inner workings and figure out how to stop it. Then, they publish their findings, so that the rest of the world knows how to stop it as well.

Unfortunately, these published findings then function as a cyber attacker’s playbook for what not to do. When a new cyber attacker wants to find a way into a system, all they have to do is look at those findings and find a way around them. They look at the virus repositories and discover what viruses the threat intelligence agencies think they know, versus what they don’t know yet. In this way, they can build a customized virus that no one knows about yet, and use it to infiltrate companies unawares.

Small Problem, Small Solution

Even once a new problem IS detected, it might be a while before it’s solved. If a threat intelligence agency receives reports of only one or two incidents, then that particular virus won’t be as high on their priority list as one that’s sweeping across the nation. The problem will be flagged, of course, but unless it’s widespread, it may take some time before they’re able to address it. And of course, in the time it takes them to address the problem, it may very well become widespread.

If the attackers stay small, it may be a month or two before the threat intelligence agencies know about the problem at all. The cyber attackers target very specific people and places, and use that to stay under the radar for as long as possible. The threat is so small that even if it is detected, it’s not recognized as a threat, but simply as an odd anomaly, to be marked and investigated later.

However, just to reiterate, threat intelligence agencies are essential and hardworking. They stop a lot of potential threats in their tracks and keep networks safe to some degree, just like an antivirus program. The problem arises when you think that just having threat intelligence, or just having an antivirus program, is enough to keep your system secure.

The biggest threat to your network security is your own hubris. Thinking that your network is perfectly safe will lead you to be unprepared for the threats that can sneak past your firewall, or your threat intelligence. Your threat intelligence agency isn’t a cure-all or a fix-all, and treating it as such will only lead to security breaches.

Supplementing Your Security with Advanced-location Filters

There’s no such thing as a foolproof security system. So what can you do to keep your network safe? One of the smartest things you can do is to implement an Advanced-location filter on top of your regular security measures.

Many of the threats and attacks on your network originate from other countries. What that means for you is that, when you see a spike in traffic going to or from your network, to a country that your organization doesn’t normally do a lot of business with, it’s an immediate tip-off that it’s likely an attempted cyberattack. An Advanced-location filter can then filter out requests from that country based on their IP, so they don’t even reach your firewall, much less get through it.

Of course, it’s not a foolproof method of eliminating all threats. There’s no such thing. But for the threats that DO get through, the threat intelligence agency now has more time and resources to concentrate on them and eliminate them, rather than being overwhelmed and overworked the way they usually are. A threat intelligence agency might not be a cure-all, but with the help of an Advanced-location filter, they can be an important asset in keeping your network safe and secure.
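As an added illustration of the two ideas above (the country-traffic spike as a tip-off, and a country filter applied before the firewall), here is example code that is not the author's or any product's. It assumes IP-to-country attribution has already been done and works on constructed flow records.

```python
from collections import Counter

# Constructed sample flow records (not real traffic): (direction, country, bytes).
# Country attribution is assumed to have been done already by an IP-to-country lookup.
BASELINE_FLOWS = []
for _hour in range(24 * 7):  # one week of "normal" hours for this organisation
    BASELINE_FLOWS += [("out", "US", 800), ("in", "US", 600),
                       ("out", "DE", 120), ("in", "DE", 90)]

RECENT_FLOWS = [  # the most recent hour; "XX" is a country the organisation never talks to
    ("out", "US", 790), ("in", "US", 610), ("out", "DE", 100),
    ("out", "XX", 2400), ("in", "XX", 300),
]

def country_profile(flows):
    """Total bytes exchanged per country over the given flows."""
    totals = Counter()
    for _direction, country, nbytes in flows:
        totals[country] += nbytes
    return totals

def unusual_country_spikes(baseline_flows, recent_flows, min_share=0.05, ratio=5.0):
    """Flag countries whose share of recent traffic is both material (>= min_share)
    and far above their baseline share (> ratio times it). A country with no baseline
    traffic at all is flagged as soon as it exceeds min_share."""
    base = country_profile(baseline_flows)
    base_total = sum(base.values()) or 1
    recent = country_profile(recent_flows)
    recent_total = sum(recent.values()) or 1
    flagged = {}
    for country, nbytes in recent.items():
        recent_share = nbytes / recent_total
        base_share = base[country] / base_total
        if recent_share >= min_share and recent_share > ratio * base_share:
            flagged[country] = round(recent_share, 3)
    return flagged

def geo_filter(flows, blocked_countries):
    """Split flows into those allowed through and those dropped by the country filter,
    i.e. before they would ever reach the firewall."""
    kept, dropped = [], []
    for flow in flows:
        (dropped if flow[1] in blocked_countries else kept).append(flow)
    return kept, dropped

if __name__ == "__main__":
    spikes = unusual_country_spikes(BASELINE_FLOWS, RECENT_FLOWS)
    print("unusual-country spikes:", spikes)  # {'XX': 0.643}
    kept, dropped = geo_filter(RECENT_FLOWS, set(spikes))
    print(f"kept {len(kept)} flows, dropped {len(dropped)} at the geo filter")
```

The spike detector only raises the tip-off; which countries actually go on the block list remains a decision for the defender, since a legitimate new customer region would trip the same check.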