The Internet provides access to various pieces of information, applications, services, and vehicles for publishing information. Today, the Internet has significantly changed the way we access and use information. The Internet allows users to quickly and easily access services such as banking, e-commerce, e-trading, and other services people access in their daily lives.
In order to access such services, a user often shares his personal information such as name; contact details; highly confidential information such as usernames, passwords, bank account number, credit card details; and the like, with service providers. Similarly, confidential information of companies such as trade secrets, financial details, employee details, company strategies, and the like are also stored on servers that are connected to the Internet. There is a threat that such confidential data may be accessed by malware, viruses, spyware, key loggers, and various other methods of unauthorized access, including using legitimate tools (e.g., a remote desktop and remote processes services) that have been compromised to access or to install malware software that will allow access such information. Such unauthorized access poses great danger to unwary computer users.
Recently, the frequency and complexity level of attacks has increased with respect to attacks performed against all organizations including, but not limited to, cloud providers, enterprise organizations, and network carriers. Some complex attacks, known as multi-vector attack campaigns, utilize different types of attack techniques and target network and application resources in order to identify at least one weakness that can be exploited to achieve the attack's goals, thereby compromising the entire security framework of the network.
Another type of complex attack is an advanced persistent threat (APT). An APT is an attack in which an unauthorized hacker gains access to a network and remains undetected for a long period of time. The intention of an APT attack is usually to steal data rather than to cause direct damage to the network or organization. APT attacks typically target organizations in sectors with high-value information, such as the national defense, manufacturing, retail, and financial industries.
These attacks are frequently successful because modern security solutions are not sufficiently agile and adaptive with respect to detection, investigation and mitigation of resources needed to meet such evolving threats. Current security solutions cannot easily and promptly adapt to detect and mitigate new attack behavior, or attacks that change their behavior in a significant manner. In addition, current security solutions cannot easily and promptly adapt to new network technologies and topologies implemented by the entities to be protected.
For example, in modern computing platforms, such virtualization and software-defined networks (SDN) face real challenges to security systems. Such platforms host an enormous number of tenants with virtual distributed and dynamic resources. Each tenant can be removed or created in minutes and can be transformed into a malicious resource, thereby attacking its own “neighbors,” tenants or remote network entities.
Specifically, currently available solutions suffer from drawbacks including lack of, for example, programmability capabilities, automatic mitigation, and collaboration. For example, a security defense system that is not programmable becomes ineffective in a matter of a few days or even a few hours because such security systems fail to resist or adapt to any new attack behavior in time.
Security solutions, and in particular solutions for APT attacks, do not provide reliable automatic mitigation capabilities. Typically, APT security solutions are not designed for both detection and automatic mitigation. In addition, system administrators do not trust currently available APT security solutions due to the high level of false positive alerts generated by such systems. As a result of such false positive alerts, system administrators must often manually perform mitigation actions rather than permit automatic mitigation, which usually prolongs the time to mitigate attacks.
Moreover, current security solutions do not share attack information and detection, investigation and mitigation solutions between different companies due to the risk of revealing confidential data of a protected entity. This lack of communication limits the ability to adapt one security system using information related to attack behavior detected by another system in another organization or same organization, which would permit the security systems to promptly react to new threats by allowing a security system that has been subject to a new threat, and successfully addressed the threat, to provide information about the security functions or applications that were used.
For a modern security expert to develop a solution, the expert should be skilled in a number of complex security techniques including, for example, control of computing resources, advanced analytics systems, and different types of security products with no standard control “language.” Additionally, such a security expert cannot realize a combination from security functions provided by different security systems and/or vendors. Typically, such functions are not programmable, and thus cannot be integrated with other functions. In addition, to define and create a new security function currently requires months of research and development. For evolving attacks and threats, these are not feasible solutions.
Existing solutions further face challenges when utilized by cyber security experts lacking knowledge of the particular manner in which an organization typically programs its cyber security applications. Specifically, experts may not be familiar with the idiosyncrasies of an entity's cyber security programs. As a result, modifying the behavior of existing cyber security systems requires that an outside expert either take significant time to gain familiarity with the existing cyber security applications used by the enterprise and/or rewrite new portions of the cyber security applications.
Further, existing solutions lack capability of easily managing security operations for complex cyber security systems. In particular, an enterprise network to be protected typically utilize a large number of networked devices, computers, servers, and other end-points, thereby increasing vulnerability to security threats. To protect such an enterprises different cyber security systems are typically utilized. As a result, the management, configuration and orchestrating the various systems in the organization is a complex task and typically requires months of programming work to accomplish. As a result current security systems configured to protect large scale enterprise networks are not easily adaptable to protect against ongoing security threats. For example, to change the mode of operation one resource or add a new resource to such security systems would require programming a new application. This means months of programming and deployment. Furthermore, currently there is no tool that displays all resources in the cyber security systems available for mitigating, investigating, or mitigating attacks or which available resources can be utilized to handle a specific threat. Therefore, the current security systems under-perform relatively to their full capabilities.
It would therefore be advantageous to provide a solution that would overcome the deficiencies of the prior art.