One Article Review

Source Proofpoint
Identifier 8476507
Publication date 2024-04-05 06:00:25 (viewed: 2024-04-05 14:07:26)
Title Improving Detection and Response: Making the Case for Deceptions
Text Let's face it, most enterprises find it incredibly difficult to detect and remove attackers once they've taken over user credentials, exploited hosts, or both. In the meantime, attackers are working on their next moves. That means data gets stolen and ransomware gets deployed all too often.

And attackers have ample time to accomplish their goals. In July 2023, the reported median dwell time was eight days. That's the time between when an attacker first accesses the victim's systems and when the attack is either detected or executed.

Combine that data point with another one, that attackers take only 16 hours to reach Active Directory once they have landed, and the takeaway is that threats go undetected for an average of seven days. That's more than enough time for a minor security incident to turn into a major business-impacting breach.

How can you find and stop attackers more quickly? The answer lies in your approach. Let's take a closer look at how security teams typically try to detect attackers. Then we can better understand why deceptions can work better.

What is the problem with current detection methods?

Organizations and their security vendors have evolved in their techniques for detecting active threats. In general, detection tools have focused on two approaches: finding files or network traffic that are "known-bad", and detecting suspicious or risky activity or behavior.

Often called signature-based detection, finding "known-bad" is a broadly used tool in the detection toolbox. It includes finding known-bad files like malware, or detecting traffic from known-bad IPs or domains. It makes you think of the good old days of antivirus software running on endpoints, and of the different types of network monitoring or web filtering systems that are commonplace today.

The advantage of this approach is that it's relatively inexpensive to build, buy, deploy and manage. The major disadvantage is that it isn't very effective against increasingly sophisticated threat actors, who have an unending supply of techniques to get around it. Keeping up with what is known-bad, while important and helpful, is also a bit like a dog chasing its tail, given the infinite internet and the ingenuity of malicious actors.

The rise of behavior-based detection

About 20 years ago, behavior-based detections emerged in response to the need for better detection. Without going into detail, these probabilistic or risk-based detection techniques found their way into endpoint and network security systems as well as SIEM, email, user and entity behavior analytics (UEBA), and other security systems.

The upside of this approach is that it's much more nuanced. Plus, it can find malicious actors that signature-based systems miss. The downside is that, by definition, it can generate a lot of false positives and false negatives, depending on how it's tuned.

Also, the high cost to build and operate behavior-based systems, considering the cost of data integration, collection, tuning, storage and computing, means that this approach is out of reach for many organizations. This discussion is not intended to discount the present and future benefits of newer analytic techniques such as artificial intelligence and machine learning. I believe that continued investments in behavior-based detections can pay off with the continued growth of security data, analytics and computing power. However, I also believe we should more seriously consider a third and less-tried technique for detection.

Re-thinking detection

Is it time to expand our view of detection techniques? That's the fundamental question. But several related questions are also essential:

Should we be thinking differently about the best way to actively detect threats?

Is there a higher-fidelity way to detect attackers that is cost-effective and easy to deploy and manage?

Is there another less-tried approach for detecting threat actors, beyond signature-based and behavior-based methods, that can dra
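The following is an added example, not code from the Proofpoint article, that puts the three detection families the article contrasts side by side over a handful of constructed logon events: a static known-bad list (signature-based), a tunable risk score (behavior-based), and a planted honeytoken account as one common form of deception. The article text on this page is cut off before it describes deceptions, so the honeytoken mechanism, the account and user names, the IP addresses (RFC 5737 documentation ranges), the hashes and the scoring weights are all assumptions made for illustration.

```python
"""Toy side-by-side of signature-, behavior- and deception-based detection
over constructed logon events. Illustration only; no real IOCs or data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    user: str
    src_ip: str
    host: str
    hour: int           # local hour of day, 0-23
    failed_before: int  # failed logons from src_ip in the preceding hour
    tool_hash: str      # shortened hash of the authenticating process


# Constructed sample events (hypothetical); IPs are documentation ranges.
EVENTS = [
    LogonEvent("alice", "10.1.1.5", "WS-ALICE", 10, 0, "aaaa"),        # normal daytime logon
    LogonEvent("alice", "203.0.113.9", "DC01", 3, 4, "beef"),          # stolen creds, known-bad IP and tool
    LogonEvent("bob", "198.51.100.7", "DC01", 2, 5, "cccc"),           # intruder, nothing known-bad about it
    LogonEvent("svc_backup", "10.1.1.20", "DC01", 2, 0, "dddd"),       # legitimate nightly backup job
    LogonEvent("admin_legacy", "198.51.100.7", "FS02", 2, 0, "cccc"),  # intruder tries a planted account
]

# Signature-based: a static list of known-bad indicators (hypothetical).
KNOWN_BAD_IPS = {"203.0.113.9"}
KNOWN_BAD_HASHES = {"beef"}

# Deception-based: an account that exists only as bait. No real user or
# process ever uses it, so any logon with it is unauthorized by construction
# (hypothetical account name).
HONEYTOKEN_USERS = {"admin_legacy"}


def signature_detect(events):
    """Flag events whose source IP or tool hash matches a known-bad indicator."""
    return [e for e in events
            if e.src_ip in KNOWN_BAD_IPS or e.tool_hash in KNOWN_BAD_HASHES]


def behavior_score(e):
    """Crude risk score: off-hours access, domain-controller access and
    prior failed logons from the same source each add risk (assumed weights)."""
    score = 0
    if e.hour < 6:
        score += 2
    if e.host.startswith("DC"):
        score += 2
    score += min(e.failed_before, 5)
    return score


def behavior_detect(events, threshold):
    """Flag events whose score reaches the tuned threshold."""
    return [e for e in events if behavior_score(e) >= threshold]


def deception_detect(events):
    """Flag any use of a honeytoken account; there is no threshold to tune."""
    return [e for e in events if e.user in HONEYTOKEN_USERS]


def compare(events, threshold):
    """Return the flagged user names per approach, for side-by-side review."""
    return {
        "signature": [e.user for e in signature_detect(events)],
        "behavior": [e.user for e in behavior_detect(events, threshold)],
        "deception": [e.user for e in deception_detect(events)],
    }


if __name__ == "__main__":
    for t in (4, 5):
        print(f"threshold={t}:", compare(EVENTS, t))
```

Run as-is, the signature list catches only the intruder who reused a known IP and tool. The behavior score at threshold 4 catches both intruders on the domain controller but also flags the legitimate backup job, a false positive; raising the threshold to 5 removes that false positive, yet neither setting sees the honeytoken logon, which scores only 2. The honeytoken fires exactly once, on the planted account, with no tuning and no false positives, but only because the intruder touched the bait, which is why it complements the other two rather than replacing them.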
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat
Rating ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.