10 May 2015

Article ‘Falling Off the End of the Cyber Kill Chain’, published by Anup Ghosh, Founder and CEO at Invincea, in the May edition of The Cyber Intelligencer is worth to read and comment.

For years now detection is praised from all cyber defense experts and system vendors as the spearhead in the defense of cyber-attacks. Gartner Security Analyst Neil MacDonald’s puts it succinctly in his tweet: ‘Prevent you may, Detect you must!’

Just set up a SIEM system and record any events from any server, database, firewall, application server, network, etc. With big data methods your data scientist will find every small hint to a cyber-attack from this universe of data, in the best case only some minutes after the attack happened, in the worst case some month later or never. In the meantime the cyber attackers will quietly copy your intellectual property.

A mere detection strategy in the defense of cyber-attacks is doomed to failure, just like a mere prevention strategy.

Just a short example. Let us assume that your Windows 2012 member servers are well protected, with the latest security features configured and the latest patches installed. One of your administrators becomes a victim of a phishing attack. An attacker steals the password for the administrator account of one of your member servers and signs in to the system. He debugs the LSASS process to get access to the password hashes or the plain text password or runs a DLL injection attack against the LSASS process.

Both events are recorded in the event log of the member server. Both events are hints to cyber-attacks and must be directly investigated. But it is very likely that these events are never investigated because no one checks the logs in time.

But if your SIEM system regularly collects the critical events from your member servers the attacks are detected within minutes and proper measures can be taken.

In my opinion a successful defense strategy requires a finely balanced mixture of both detection and prevention. SIEM comes into play when all other protection measures have failed. It should be neither the first nor the sole line of defense.

Take care!