Threat actors are refining their methods and are executing malicious acts with greater efficiency and effectiveness. Monzy Merza, the Head of Security Research at Splunk, says that while what the bad guys are doing isn't substantially changing, the landscape they operate in is. With the increased pervasiveness of cloud and mobile apps, we're seeing increased malicious activity across a broader spectrum of surfaces. I asked Merza what we can do about this, as well as about emerging threats such as cryptojacking.
"A few years ago, you would have a laptop or a desktop and that's what you used. Today, you have mobile apps. You have cloud services. You have these hybrid footprints. As a consequence, the threat landscape is changing. The adversary can now leverage that new terrain," he said.
So, as the techniques used by malicious parties are refined and the number of places they can attack increases, life gets harder for the defenders, because that is where the complexity accumulates.
Observe, Orient, Decide And Act
The reasons we monitor specific activities are changing as well. For example, while CPU monitoring might have been done in the past for capacity management, it is now important because we use more cloud computing services, where CPU usage has a direct relationship with operating costs that is easily visible on a balance sheet. So, increased CPU use from malware has both data risk and financial loss implications.
Merza says something like cryptojacking can affect both on-prem and cloud platforms, but it is more noticeable on cloud services because the cost of the extra CPU usage is more easily seen. He also notes that while cryptojacking isn't a major attack vector, it is emerging, and he hears more about it in the cloud context because the cost is easier to measure.
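The detection signal Merza describes, sustained CPU elevation that shows up as cost, can be checked in code. The following is an added example, not code from the interview or from Splunk: it scans constructed per-host CPU telemetry for a plateau of consecutive high samples (a miner runs flat out and never stops, whereas a legitimate job spikes and finishes), compares it with the host's own baseline, and converts the excess into CPU-hours and an estimated cost. The host names, sample values, 5-minute sample interval, thresholds and hourly rate are all assumptions chosen for illustration.

```python
"""Added example (not from the interview or Splunk): flag hosts whose CPU
utilisation stays elevated for a sustained run, the signal that makes
cryptojacking visible as cost on cloud platforms. All data is constructed."""
from statistics import median

SAMPLE_INTERVAL_MIN = 5  # assumption: one utilisation sample every 5 minutes

# Constructed telemetry: per-host CPU utilisation (%) over one hour.
SAMPLES = {
    "web-01": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14],    # normal
    "web-02": [10, 12, 11, 95, 13, 11, 12, 10, 11, 13, 12, 11],    # one spike
    "batch-03": [20, 18, 22, 97, 98, 99, 97, 98, 99, 98, 97, 98],  # plateau
}


def find_sustained_run(series, threshold_pct, min_run):
    """Return (start_index, length) of the first run of at least `min_run`
    consecutive samples at or above `threshold_pct`, or None.

    A single spike shorter than `min_run` is ignored; that is what separates
    a short batch job from a miner that never stops."""
    start = None
    for i, value in enumerate(series + [None]):  # sentinel closes a trailing run
        if value is not None and value >= threshold_pct:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_run:
            return start, i - start
        start = None
    return None


def baseline_cpu(series, window):
    """Median of the first `window` samples: the host's own normal load."""
    return median(series[:window])


def excess_cpu_hours(series, start, length, baseline):
    """CPU-hours consumed above baseline during the run, i.e. capacity the
    attacker used that the organisation is paying for."""
    run = series[start:start + length]
    return sum((v - baseline) / 100 for v in run) * SAMPLE_INTERVAL_MIN / 60


def scan_fleet(samples, threshold_pct=80, min_run=4, baseline_window=3,
               hourly_rate=0.10):
    """Return {host: alert details} for every host with a sustained run.
    `hourly_rate` is an assumed cost per full CPU-hour, used only to turn the
    excess into a number a finance team would recognise."""
    alerts = {}
    for host, series in samples.items():
        run = find_sustained_run(series, threshold_pct, min_run)
        if run is None:
            continue
        start, length = run
        base = baseline_cpu(series, baseline_window)
        hours = excess_cpu_hours(series, start, length, base)
        alerts[host] = {
            "baseline_pct": base,
            "run_start": start,
            "run_length": length,
            "excess_cpu_hours": round(hours, 3),
            "excess_cost": round(hours * hourly_rate, 4),
        }
    return alerts


if __name__ == "__main__":
    for host, detail in scan_fleet(SAMPLES).items():
        print(host, detail)
```

On the constructed data only `batch-03` is flagged: the 95% sample on `web-02` is a lone spike and is ignored by the `min_run` rule, which is the check that keeps a scheduled job from paging an analyst. In practice the baseline would come from a longer history than three samples, and the run length and threshold would be tuned per host class.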
For IT and security managers, this increasingly diverse and complex computing environment throws up a number of challenges.
"It's hard to observe because there are lots of points of observation. Then how do you orient and know what to pay attention to? Then, there's a decision-making process about what you decide to focus on that is of high value to you. And then, how do you act on it? This whole notion of how you observe, orient, decide and act becomes incredibly challenging and chaotic."
One of the things Merza asks practitioners is to describe how an email arrives at its destination. That means looking at all the different authentication services, storage, exchange and transport systems. In most organisations, answering those questions for one essential, and seemingly simple, service is extremely difficult, if not impossible. And with the explosion of complexity we've seen over recent years, it becomes easier to understand why threat actors have been able to launch so many successful attacks.
Security Maturity Models
The sequence of maturity Merza sees starts with organisations that are struggling with the basic hygiene of their environment. Many are unclear about what assets they actually have and struggle with patch and configuration management. That isn't just end-points but the entire security infrastructure.
"If you have a world-class security appliance and you are not updating its configuration, it's no longer a world-class security appliance anymore. These kinds of things sometimes get lost," he says.
Many organisations are still struggling to pay attention to their risks, says Merza. Many companies start with the data, such as firewall or DNS data and want to do something with it. But the people who are successful use the "flip approach".
"They say these are the risks I care about and then look at the use-cases and derive the data that serves the use-cases," he says.
It's about measuring what you need to measure rather than what's easy to measure.
The most mature companies, says Merza, use security as a business enabler.
"They say 'I really want my security teams to start shifting to becoming a business enabler'. They want to switch the language from protection to enablement," he says.
Businesses at this level have security embedded into their activities rather than bolted on.
Overcoming Insight Poverty
Alongside the increasing complexity of operational environments, many companies have increased the number of security tools they use. Different tools are best suited to each stage of Merza's observe, orient, decide and act model. He says Splunk's goal is to make the best use of existing security investments by bringing the data from those different tools together so insights can be derived to support better decision making and responses.
This is where the most mature companies are heading. As many analysts have said, we are data rich but insight poor. The key for businesses is to understand what their real risks are. In order to do that, they need to know what assets most need to be protected and then use the data they have to understand what they need to focus on and help target their actions most effectively.
Anthony Caruana interviewed Monzy Merza at Splunk.conf in Orlando, which he attended as a guest of Splunk.