Knowing your enemy

“Know your enemy,” says Sun Tzu in The Art of War. And in the current cyberwar the enemy are the bots, the Trojans, the worms and viruses, and all the other malware that seeks to breach our cyber defences. The clear implication is a need to monitor and understand these threats. But the threats are continuously evolving, changing and increasing, so that threat monitoring must also be continuous.

There are many ways this can be done: by signing up to the “alerts” RSS feeds almost always provided by the major systems and software providers; by monitoring the national computer emergency response teams, and in particular the one hosted by Carnegie Mellon University in the United States; or by subscribing to alert providers such as Secunia.

An alternative or additional approach is to monitor the blogs of leading security researchers such as David Harley (ESET), Luis Corrons (PandaLabs), Rik Ferguson (Trend Micro) and Graham Cluley (Sophos), all of whom provide insight and commentary on the current threat environment.

But the enemy isn’t just the threats, it is also the time needed to do all of this. Amanda Finch, general manager at the Institute of Information Security Professionals, suggests a risk management approach to ease the burden. Continuous threat management should depend on the business and the risks it faces. “For example,” she says, “in manufacturing this is probably not necessary or cost effective; but for utilities or banks, or high security situations, it may be.

“With the sophistication of the cyber threat and the techniques, methods and tools available to attackers, the days of retrospectively checking incident and event logs are wholly inadequate for most businesses – certainly where monetary value, intellectual property or sensitive personal information is involved.”

Even this is too simplistic, though: the real enemies are the vulnerabilities that allow the malware into the system, and the user. Microsoft research shows that the vast majority of breaches depend upon the user doing something he or she should not and that a statistically insignificant number of breaches are caused by the feared zero-day threat. Further research shows that the bulk of detected threats appear after the vulnerability is patched by the vendor.

Stuart Aston, chief security adviser at Microsoft, takes up the story: “You have to start from a thorough understanding of the risk. If you understand your risk, it will help you understand how to monitor the threats. For example, a large percentage of breaches come from end users actively doing something they shouldn’t. Similarly, 99 per cent of breaches occur via patched vulnerabilities.

“It follows that improving your users’ security awareness together with religious patching will defend against the majority of security attacks. This, coupled with a good defence in depth, is the best way to not merely monitor threats, but to defeat them.”

In other words, it is an effective use of time to let the vendors and security researchers monitor and alleviate the threats, provided the company then acts on the findings, and patches its software.

Continuous threat monitoring, then, should be a combination of watching the industry, using risk-management techniques to concentrate on the most pertinent areas and, perhaps most importantly, keeping all systems and software fully upgraded and patched.