When a 40% reduction in response time is a bad thing: 3 ideas for getting your undetected breaches under control

If you'd reduced your mortgage by 40% you might feel good. If you were eating 40% less junk food I imagine you might be pleased with your self-control. But when the audience at HP Protect 2013 heard that it now takes a typical enterprise 40% less time to detect a security breach than it did a year ago, the response was a little more muted.


I don't think it's because security professionals are cynical. I suspect that the reason for their lukewarm response was the raw numbers. A year ago, it would take over 400 days to detect a breach. That's over a year of bad guys sniffing around your secrets and sensitive data undetected. According to recent research, that number has dropped by 40% to roughly 243 days to detect a breach, which is a testament to the improved countermeasures and security intelligence gathering capabilities of the enterprise. However, as one of the attendees remarked to me "243 seconds is still too long when it's my credit card they're looking at."


They say time is money and in the dark corners of the cybercriminal world, it couldn't be more true. In a previous post, I talked about the business of security, observing that most of us measure the security market in terms of what we spend to “protect” ourselves. At roughly $20 billion, it's a lot of money, but it's dwarfed by the estimated $104 billion cybercrime black market, money that comes from stealing and selling your data, your identity and your money.


While the hacktivists and nation states make the front page, it's the cybercriminal economy that I believe we should be most concerned about. It's their ability to monetise our data that funds a massive investment in research, exploitation and information sharing. 


The shift from cyber-bullies to cyber-thugs has upped the risk profile for businesses, reflected in security jumping from 12th to 3rd place in the 2013 Risk Index published by insurance house Lloyd's. It's now so prominent in the public's mind that consumer credit card companies spend as much time advertising their security measures as they do their interest rates and loyalty points.


I asked Art Gilliland, senior vice president and general manager of HP Enterprise Security Products, how he thought we might reduce the average of 243 days of undetected access to something closer to 243 seconds, and he talked about three ideas that I thought were both powerful and simple:


1). Understand the adversary

The simplest first step every one of us can take toward improving our security posture is to better understand how the modern cyber-thug operates. A seminal paper by Lockheed Martin on the topic describes it as a seven-step process, though it's variously described as having between five and seven steps depending on who you talk to. Below is a summarized list based on the original Lockheed Martin white paper:

a. Reconnaissance - Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies. 

b. Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool. Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents deliver the payload. 

c. Delivery - Transmission of the weapon to the targeted environment. The three most prevalent delivery methods are email attachments, websites and USB removable media. 

d. Exploitation - After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code. 

e. Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.

f. Command and Control (C2) - Typically, compromised hosts "phone home" to a criminal's server to signal success and await further action. Once established, intruders effectively have “hands on the keyboard” access to your environment.

g. Actions on Objectives - Only after progressing through the first six phases can intruders take actions to achieve their original objectives. Typically, this objective is stealing or exfiltrating your data. Even if you don't have data worth stealing, the intruders may use you as a hop point to compromise additional systems, such as those of your business partners who "trust" your credentials.
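The reason the kill chain matters to a defender is that every phase is a detection opportunity, and the earlier you catch it the less of the chain the adversary completes. The following is an added example (my own illustration, not code from the post, HP or Lockheed Martin) that tags constructed security events with the phase they evidence and computes the dwell time between the first evidence and the moment of detection. The event names and the mapping from event to phase are assumptions.

```python
from datetime import datetime

# The seven kill-chain phases, in order, as summarized above.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Assumed mapping from an event/alert type to the phase it evidences.
# These names are hypothetical, not from any real product.
EVENT_TO_PHASE = {
    "web_crawl_of_staff_pages": "reconnaissance",
    "email_with_pdf_attachment": "delivery",
    "reader_spawned_shell": "exploitation",
    "new_service_persistence": "installation",
    "beacon_to_unknown_host": "command_and_control",
    "bulk_outbound_transfer": "actions_on_objectives",
}

# Constructed timeline of one intrusion: (ISO timestamp, event type).
EVENTS = [
    ("2013-01-05T00:00:00", "web_crawl_of_staff_pages"),
    ("2013-01-10T09:00:00", "email_with_pdf_attachment"),
    ("2013-01-10T09:30:00", "reader_spawned_shell"),
    ("2013-01-11T02:00:00", "new_service_persistence"),
    ("2013-01-12T02:05:00", "beacon_to_unknown_host"),
    ("2013-01-12T02:06:00", "dns_lookup"),             # unmapped noise
    ("2013-08-01T23:00:00", "bulk_outbound_transfer"),
]

def assess(events, detected_at):
    """Summarize how long an intrusion went undetected and how far down
    the kill chain it got before the defender noticed (detected_at, ISO)."""
    det = datetime.fromisoformat(detected_at)
    seen = []
    for ts, etype in events:
        phase = EVENT_TO_PHASE.get(etype)
        if phase is None:
            continue  # event type not tied to a phase; ignore it here
        t = datetime.fromisoformat(ts)
        if t <= det:
            seen.append((t, phase))  # only evidence that existed at detection time
    if not seen:
        return {"dwell_days": 0, "deepest_phase": None, "phases_remaining": len(PHASES)}
    first = min(t for t, _ in seen)
    deepest = max(PHASES.index(p) for _, p in seen)
    return {
        "dwell_days": (det - first).days,          # 243 for the late case below
        "deepest_phase": PHASES[deepest],
        "phases_remaining": len(PHASES) - 1 - deepest,  # chain steps never reached
    }

if __name__ == "__main__":
    print("late detection :", assess(EVENTS, "2013-09-05T00:00:00"))
    print("early detection:", assess(EVENTS, "2013-01-10T09:15:00"))
```

Run against the same constructed timeline, detection in September yields 243 days of dwell with the whole chain completed, whereas an alert on the malicious attachment on 10 January yields five days with four phases never reached.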


2). Exchange threat information

The idea of a Guild of Thieves might sound like something straight out of a fantasy novel, but in the world of cybercrime, it's a very real thing. Cyber criminals often specialise in one of the seven areas above. Think of it like Ocean's Eleven, where everyone has a special skill that they bring to the gang. But with cybercriminals being spread around the planet, they need a way to get in touch with the right skills and people. To that end, they've built sophisticated information and skills exchanges that make LinkedIn and Facebook look like kids' toys. Ironically, they're better at sharing than we are. 


To help address the information asymmetry (the criminals know more about us than we do about them), Art and his team launched a "threat exchange" called Threat Central, where information about detected threats and emerging patterns of attack can be rapidly identified and shared, and automated responses created, so that forewarned can be turned into forearmed. 


3). Assume the worst. Act now

Finally, and most importantly, we need to get moving. Both Art and guest speaker, Gary McGraw, implored the audience to take their own advice. It's not good enough to know we have application level defects and emerging malware threats. We need to turn that into action, whether that be through active threat responses such as identifying patterns of attack and automating countermeasures or by fixing known security defects in the code our developers create. 


In other words, don't wait until after the breach is exploited. Find the funds to fix the problem and educate your people or assume that 243 days isn't going to become 243 seconds any time soon.


More information:

Art’s Keynote from HP Protect

Link to Lockheed Martin report

Backstage videos from HP Protect



About the Author
Paul Muller leads the global IT management evangelist team within the Software business at HP. In this role, Muller heads the team responsib...
