As the recent breaches at the Office of Personnel Management, the Internal Revenue Service, and more recently, the anti-virus firm BitDefender illustrate, attackers are more than ever focused on gaining unauthorized access to organizations in an attempt to steal sensitive corporate and customer information.
One tactic that malicious actors commonly employ is concealing malware within seemingly safe patches and updates. These attacks are dangerous because they can severely compromise an organization’s network without setting off any red flags, which in turn widens the gap between the moment a network is compromised and the moment that intrusion is detected.
Indeed, the 2015 Verizon Data Breach Investigations Report reveals that the difference in time between compromise and detection has been increasing over the past decade, although 2014 reported a lower value than previous years.
Given the evolving threat landscape, it is more important than ever for security professionals to have the capability to protect their organizations’ networks against concealed threats. But how do they go about doing this?
The answer rests with detecting a threat based upon its malicious behaviors, such as ARP spoofing, anomalous permissions changes, and attempts at changing DNS servers or IP routing. These activities can be understood collectively as “Indicators of Compromise” (IoC).
As David Meltzer, Tripwire Chief Research Officer, explains in our recent webcast, “Hiding in Plain Sight: Protecting Against Bad Hashes,” more and more organizations are building threat intelligence programs that analyze IoCs. Moreover, they’re employing standards including TAXII, STIX and CybOX that facilitate the sharing of threat intelligence across and between organizations.
One shortcoming that remains, however, is that human analysts still need to consume any threat intelligence that is received and then decide what to do with it. Ideally, security professionals could automate that step in the process.
This is where active threat intelligence solutions such as Tripwire Enterprise come in. Via threat integrations with Palo Alto, Cisco, Check Point and other partners, Tripwire Enterprise has the ability to receive manual and automated threat feeds through a number of different intelligence transport configurations, including TAXII servers and sandbox threat analytics.
Additionally, features that enable organizations to build detection rules and to scan for different hash types ensure maximum customization, which in turn provides better, more current threat intelligence that can be used to record, quarantine, and delete suspicious files.
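To illustrate the hash-matching part of this, here is an added example (not Tripwire code) of a small scanner that takes an IoC feed containing mixed hash types, infers each indicator’s algorithm from its length, and computes only the digests the feed actually needs for each file. The feed, file names and file contents are all constructed for the example; the scanner works on an in-memory mapping of path to bytes so it runs stand-alone.

```python
import hashlib

# Hex digest length -> hashlib algorithm name (the three types IoC feeds most often carry).
HASH_ALGOS_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_indicators(indicators):
    """Group raw IoC strings by algorithm, inferred from hex length.

    Entries that are not well-formed hex of a known length are skipped rather
    than matched against anything, so junk in a feed cannot cause false hits."""
    by_algo = {}
    for raw in indicators:
        value = raw.strip().lower()
        algo = HASH_ALGOS_BY_LENGTH.get(len(value))
        if algo is None or any(c not in "0123456789abcdef" for c in value):
            continue
        by_algo.setdefault(algo, set()).add(value)
    return by_algo


def digest_file(data, algos):
    """Compute only the requested digests, feeding the bytes once."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    for hasher in hashers.values():
        hasher.update(data)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def scan(files, indicators):
    """Return {path: (algo, hex_digest)} for every file matching an indicator."""
    by_algo = classify_indicators(indicators)
    hits = {}
    for path, data in files.items():
        for algo, value in digest_file(data, by_algo).items():
            if value in by_algo[algo]:
                hits[path] = (algo, value)  # record the match; quarantine/delete would go here
                break
    return hits


# Constructed sample data: one "bad" file, one benign file, one empty file.
KNOWN_BAD = b"MZ\x90\x00constructed dropper payload"
SAMPLE_FILES = {
    "C:/Windows/Temp/update_kb0001.exe": KNOWN_BAD,
    "C:/Windows/Temp/readme.txt": b"benign release notes",
    "C:/Windows/Temp/empty.bin": b"",
}
SAMPLE_FEED = [
    hashlib.sha256(KNOWN_BAD).hexdigest(),  # sha256 indicator derived from the constructed sample
    "d41d8cd98f00b204e9800998ecf8427e",     # md5 of an empty file, a classic junk indicator
    "not-a-hash",                           # malformed entry, should be ignored
]

if __name__ == "__main__":
    for path, (algo, digest) in scan(SAMPLE_FILES, SAMPLE_FEED).items():
        print(f"HIT {path} ({algo}={digest})")
```

Note that the empty-file indicator still matches `empty.bin`, which is why feeds should be curated before they drive automated quarantine.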
Security personnel need to be able to stay on top of what is coming into an organization’s network. For that purpose, they need threat intelligence solutions that actively and continuously scan corporate networks for indicators of compromise.
To learn more about how Tripwire Enterprise can protect your organization, please click here and here.
To view the entirety of Tripwire’s most recent webcast, please click here.