The primary task of enterprise security is to protect critical assets. These assets include mission-critical business applications, customer data, intellectual property and databases residing on-premises or in the cloud. The security industry focuses on protecting these assets by preventing entry through endpoint devices and networks. However, endpoints are indefensible, as they are exposed to many attack vectors such as social engineering, insider threats and malware. With an ever-increasing mobile workforce and dynamic workloads, the network perimeter also no longer exists. With breaches ever more frequent, flaws in enterprise security are exposed on a more regular basis.
The typical attack timeline on critical infrastructure consists of initial entry, undetected persistence and ultimate damage, with persistence lasting minutes, hours, weeks or months and relying on sophisticated techniques. However, security solutions focus on the two ends of this spectrum: either on entry prevention in hosts and networks, or on ex post facto forensics to identify the root cause. Such retroactive analysis often involves attempts to connect the dots across a plethora of individual weak signals coming from multiple siloed sources, each with potential false positives. As a result, the critical phase during which attacks progress through the system and stealthily change their appearance and scope often remains undetected.
Traditional security solutions are unable to deterministically perform attack progression detection for multiple reasons. These solutions are unimodal, relying either on artifact signatures (e.g., traditional anti-virus solutions) or on simple rules that detect isolated behavioral indicators of compromise. The individual sensors used in these approaches are, by themselves, weak and prone to false positives. An individual alert is too weak a signal to deterministically infer that an attack sequence is in progress. Another reason is that, while an attacker leaves traces of malicious activity, the attack campaign is often spread over a large environment and an extended period of time. Further, the attacker often has the opportunity to remove evidence before a defender can make use of it. Today, security operations teams have to make sense of a deluge of alerts from many individual sensors that are unrelated to each other. Typical incident response to an alert is onion peeling, a process of drilling down and pivoting from one log to another. This form of connecting the dots, looking for an execution trail in a large volume of information, is beyond human capacity. Enhanced techniques for intercepting and responding to infrastructure-wide attacks are needed.
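The contrast drawn above, between treating every isolated sensor alert as an incident and correlating weak signals across sensors and time into an entry / persistence / damage progression, can be made concrete with a small piece of detection logic. The following is an added example written for this page, not code from the original text or from any product it describes; the alert format, the sensor names, the stage labels and the constructed sample alerts are all assumptions made for illustration.

```python
"""Correlating weak per-sensor alerts into a per-host attack-progression chain.

Added example, not part of the original text. Assumed alert schema: a dict with
host, ISO-8601 timestamp, originating sensor and a coarse stage label. The stage
ordering mirrors the entry -> persistence -> damage timeline described above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ordering of attack stages (hypothetical labels, not a real taxonomy).
STAGE_ORDER = {"entry": 0, "persistence": 1, "damage": 2}

# Constructed sample alerts from several siloed sensors on two hosts.
# ws-17 shows a genuine progression spread over days; ws-22 shows two
# persistence-stage alerts that a unimodal tool would also escalate.
SAMPLE_ALERTS = [
    {"host": "ws-17", "ts": "2024-03-01T09:02:10", "sensor": "email-gw",
     "stage": "entry", "detail": "macro attachment opened"},
    {"host": "ws-17", "ts": "2024-03-01T09:05:44", "sensor": "edr",
     "stage": "persistence", "detail": "run-key autostart added"},
    {"host": "ws-17", "ts": "2024-03-03T22:41:03", "sensor": "netflow",
     "stage": "damage", "detail": "large outbound transfer to unseen ASN"},
    {"host": "ws-22", "ts": "2024-03-01T11:20:00", "sensor": "edr",
     "stage": "persistence", "detail": "scheduled task created"},
    {"host": "ws-22", "ts": "2024-03-01T11:20:05", "sensor": "av",
     "stage": "persistence", "detail": "heuristic match, quarantined"},
]


def _parse(alert):
    """Return a copy of the alert with its timestamp parsed to datetime."""
    return dict(alert, ts=datetime.fromisoformat(alert["ts"]))


def naive_incidents(alerts):
    """Unimodal approach: every alert, whatever its stage, flags its host."""
    return {a["host"] for a in alerts}


def correlate(alerts, window=timedelta(days=7), min_stages=2):
    """Group alerts per host, order them by time, and keep only hosts whose
    alerts advance through distinct stages in timeline order within `window`
    of the first alert. Returns {host: [stage, ...]} for hosts that reach at
    least `min_stages` distinct, strictly increasing stages."""
    by_host = defaultdict(list)
    for a in map(_parse, alerts):
        by_host[a["host"]].append(a)

    chains = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a["ts"])
        chain = []
        for a in hits:
            # Alerts are sorted, so once one falls outside the window all
            # later ones do too.
            if chain and a["ts"] - chain[0]["ts"] > window:
                break
            # Only a step to a later stage extends the chain; a repeated
            # stage (e.g. two persistence alerts) adds no progression.
            if not chain or STAGE_ORDER[a["stage"]] > STAGE_ORDER[chain[-1]["stage"]]:
                chain.append(a)
        stages = [c["stage"] for c in chain]
        if len(stages) >= min_stages:
            chains[host] = stages
    return chains


if __name__ == "__main__":
    print("hosts flagged by single alerts:", sorted(naive_incidents(SAMPLE_ALERTS)))
    print("hosts with correlated progression:", correlate(SAMPLE_ALERTS))
```

On the constructed input the single-alert view escalates both hosts, while the correlated view escalates only ws-17, whose alerts from three different sensors advance through entry, persistence and damage within the window. Narrowing the window to one hour still links the entry and persistence alerts on ws-17 but drops the damage alert two days later, which illustrates why the correlation window has to match the persistence durations the text describes rather than a single log rotation period.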