Sage Advice - Cybersecurity Blog

Video: Why Human Intelligence is Essential for Consistent Data Breach Detection

A missing link in many log analysis methodologies is human intelligence. While automated techniques are necessary for securing your network, without a person who can dig into your log data to find the anomalies, you're not going to be able to detect everything.

Hackers write their code to bypass all the typical IDS, IPS, antivirus, etc. It’s their job.  Until the signature becomes known, an automated system won't work.  But there are other factors that come into play that can enable you to detect intrusions.  In this video, Ron Bernier, Director of Tyler Detect, discusses why human intelligence is so important for consistent data breach detection.


Brendan: Over the course of the last year, we’ve seen some sizable organizations that have been victimized by data breaches. These are well-funded organizations with deep pockets. They’ve made substantial investments in a variety of different control technologies – antivirus, next-generation firewall, IDS / IPS, log monitoring, etc. A common denominator across a lot of these control technologies is that they rely on some degree of automation. And that said, these automated tools still aren’t proving adequate enough – because these breaches are continuing to occur.

Ron: Automation is good. But without human analysis... without human intelligence… without someone willing to dig into that data… and find the anomalies that aren’t necessarily spit out in an automated manner… you’re really not getting the bang for your buck that you need from a system such as that.

Brendan: Can you share an example with us of a circumstance where a human analyst – or human intelligence – was brought into the mix and was able to effectively uncover a potential threat where a signature-based or an automated solution failed in that regard?

Ron: There are a couple of firewall vendors who are installed in our client-base that were doing really well at detecting [the] Angler [Exploit Kit]. At the time the known signatures for Angler stopped working, their firewalls also stopped alerting on the same activity.

So, that shows that the signatures will work for a while, then they’ll fail. Then everyone will figure out what the new way to detect it is, [and the signatures will work again]. In that gap, you really need something other than a signature-based system to be able to detect things. That’s why you need a human to dig in and do the detective work.

Brendan: And it’s probably safe to say that those gaps present themselves fairly frequently. Right. If the attackers out there are modifying their code [to bypass signature-based systems].

Ron: Sure. As researchers uncover the techniques and make the techniques public, the hackers then have to go and change their techniques. So it’s a constant back and forth. We’re always going to be living with this malware now. I don’t think it’s ever going away. It’s going to be this constant struggle.

Yes – you’re going to need your signature-based systems in place because for spans, they are effective. But they don’t find everything. And hackers have that same technology – they are going to run [their code] through anti-virus, all the typical IDS / IPS, etc. – and write their code to bypass it. That’s their job… literally. That’s what they get paid to do.


As cyberattacks continue to soar, it's time to get proactive when protecting your network. You can’t simply sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network. That’s why we’re seeing a shift to a more proactive approach... Cyber Threat Hunting. Learn how to defend your network. Learn more in the Sage Advice Guide to Cyber Threat Hunting.


Topics: Log Analysis, Threat Detection Tips

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.
