WASHINGTON, D.C.—Pretty much everyone has heard about the massive data breach that hit retail giant Target at the end of 2013, and there have been any number of people (including me) who have discussed ways in which the problem could have been avoided.
What wasn't known at the time is that Target's intrusion detection system actually flagged the breach while it was happening, but nobody recognized the alerts as a real problem.
Before anyone goes and starts shaming Target, let me also add that there's a big gap between detecting a threat and realizing that it's a problem. Unfortunately, most intrusion detection systems generate so many alerts that it's nearly impossible to decide which of the many thousands of potential security events are actual threats and which are not.
What hasn't existed is a good way of filtering the output of an intrusion detection system so that someone can find the alerts that actually matter. Worse, even among the threats that are genuinely serious, it's harder still to find the ones that matter in the context where they turned up: on which host, on which network segment, and with what defenses already in place.
For example, if you happen to run across the code for a serious worm on a computer, it’s a potential threat, but if the worm is designed to infect a Windows computer and it’s been downloaded to a Mac, the threat is significantly diminished, since it won’t execute there. But it’s still a potential threat since it could at least theoretically be passed along to a Windows machine through an infected email.
To determine whether a threat is relevant, all you have to do is analyze the threat, identify its intended target, and then analyze your own systems to see whether that threat will actually affect you. Easy, right? Well, not exactly. Done by hand, across thousands of alerts, it's not practical at all. What you really need is some kind of automated assistance, and until recently it hasn't existed.
I realized that this had changed when I visited the Gartner Security and Risk Management Summit here and ran across Cyphort, a company that produces an appliance-based threat management product that does more than just flag suspected malware. The Cyphort Advanced Threat Defense Platform is designed to analyze threats and determine whether they can impact your enterprise, and if they do, whether they are threatening a critical function.
The Cyphort platform works with other security hardware from Palo Alto Networks and Blue Coat, and it's able to separate the threats that can affect your network infrastructure from those that can't. In addition, the platform uses information you provide about your environment to determine just how much of a threat a particular piece of malware represents to you.
Threat Detection Systems Must Ferret Out the Most Sinister Intrusions
Had Target been using this product last year (sadly for Target, the new version 3.0 isn't shipping until August), the company's IT department would at least have had a better chance of discovering that the malware that harvested all of those card numbers from its POS network was a serious threat, assuming the platform had been told that the POS network was a critical part of the infrastructure.
That knowledge of the network is an important part of the Cyphort platform's configuration. When the platform is implemented, the customer has to rank which parts of the infrastructure are critical to the business and which are not. In Target's case, the POS network was critical. But not every company has one, which is why the customer, not the vendor, has to tell the platform which parts of its infrastructure are critical.
The Cyphort platform can also tell whether an affected host needs direct intervention or not. For example, a malware infection on a computer that already runs security software capable of killing that malware is a less urgent problem than the same malware aimed at a computer without such defenses.
This means IT staff or the CISO will know to dispatch a mitigation team to the unprotected computer where the malware landed. For the computer with appropriate malware protection, all they need to do is confirm that the protection actually handled the threat, rather than assume it did.
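To make the triage logic described above concrete (check whether the sample can run on the host it reached, whether something already stopped it, and how critical that host is), here is an added illustration of context-aware alert prioritization. It is example code written for this column, not Cyphort's software, and the asset fields, alert fields, severity weights and sample hosts are all constructed assumptions, not data from any real network.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Disposition(IntEnum):
    """What the analyst queue should do with an alert, lowest urgency first."""
    MONITOR = 1   # cannot run here, or nuisance-class: keep an eye on it
    CONFIRM = 2   # an existing control should have stopped it: verify it did
    ACT_NOW = 3   # runnable on an unprotected host: dispatch responders


@dataclass(frozen=True)
class Asset:                     # hypothetical inventory record
    host: str
    os: str                      # "windows", "macos", "linux" or "unknown"
    criticality: int             # 1 (low) .. 3 (critical), ranked by the customer
    has_endpoint_protection: bool


@dataclass(frozen=True)
class Alert:                     # hypothetical IDS alert record
    alert_id: str
    host: str
    category: str                # "data_stealing_trojan", "worm", "adware", ...
    target_os: str               # platform the sample was built for
    blocked_inline: bool         # did a perimeter device already block it?


@dataclass
class Triage:
    disposition: Disposition
    score: int
    reasons: list[str] = field(default_factory=list)


# Assumed base severities: data theft and worms outrank adware.
CATEGORY_SEVERITY = {"data_stealing_trojan": 3, "worm": 3, "adware": 1}
DEFAULT_SEVERITY = 2

# A host the inventory does not know: assume the sample can run there and
# nothing protects it, so missing context never silently downgrades an alert.
UNKNOWN_ASSET = Asset("?", "unknown", 2, False)


def triage(alert: Alert, asset: Asset) -> Triage:
    severity = CATEGORY_SEVERITY.get(alert.category, DEFAULT_SEVERITY)
    score = severity * asset.criticality
    # 1. Can the sample execute on this platform at all?
    if asset.os != "unknown" and alert.target_os != asset.os:
        return Triage(Disposition.MONITOR, severity,
                      [f"built for {alert.target_os}, host runs {asset.os}; "
                       "could still be relayed to a matching host"])
    # 2. Did an existing control already deal with it?
    if alert.blocked_inline:
        return Triage(Disposition.CONFIRM, score,
                      ["blocked by perimeter gear; confirm nothing got through"])
    if asset.has_endpoint_protection:
        return Triage(Disposition.CONFIRM, score,
                      ["endpoint protection present; confirm it removed the sample"])
    # 3. Nothing stopped it: urgency depends on severity and asset rank.
    if severity <= 1:
        return Triage(Disposition.MONITOR, score,
                      ["nuisance-class sample on an unprotected host"])
    return Triage(Disposition.ACT_NOW, score,
                  [f"runnable on unprotected host ranked criticality {asset.criticality}"])


def prioritize(alerts: list[Alert], inventory: list[Asset]) -> list[tuple[Alert, Triage]]:
    """Return (alert, triage) pairs, most urgent first."""
    assets = {a.host: a for a in inventory}
    scored = [(al, triage(al, assets.get(al.host, UNKNOWN_ASSET))) for al in alerts]
    scored.sort(key=lambda pair: (pair[1].disposition, pair[1].score), reverse=True)
    return scored


# Constructed sample inventory and alerts (not real hosts or detections).
INVENTORY = [
    Asset("pos-reg-014", "windows", 3, False),   # register on the critical POS segment
    Asset("mac-design-03", "macos", 1, True),
    Asset("hr-ws-22", "windows", 2, True),
    Asset("kiosk-07", "windows", 1, False),
    Asset("fileserver-01", "windows", 3, False),
]
SAMPLE_ALERTS = [
    Alert("A1", "pos-reg-014", "data_stealing_trojan", "windows", False),
    Alert("A2", "mac-design-03", "worm", "windows", False),
    Alert("A3", "hr-ws-22", "data_stealing_trojan", "windows", False),
    Alert("A4", "kiosk-07", "adware", "windows", False),
    Alert("A5", "fileserver-01", "data_stealing_trojan", "windows", True),
]

if __name__ == "__main__":
    for alert, result in prioritize(SAMPLE_ALERTS, INVENTORY):
        print(f"{result.disposition.name:8} score={result.score} {alert.alert_id} "
              f"{alert.host}: {'; '.join(result.reasons)}")
```

Run as a script, the unprotected POS register with a data-stealing Trojan lands at the top of the queue, the two hosts where something should already have stopped the sample come next as "confirm" items, and the Windows worm that landed on a Mac drops to "monitor" rather than vanishing, since it could still be forwarded to a Windows host. The choice to treat hosts missing from the inventory as unprotected and platform-matching is deliberate: context should only ever lower the urgency of an alert when the context is actually known.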
What I liked about the approach to Cyphort’s platform is that it does two critical things that help the security team function more effectively. First, it filters out all of those thousands of discrete alerts so you see the threats that actually matter. Second, it prioritizes the threats so you know which need immediate action, which can wait until the most serious threats have been dealt with, and those that only need to be monitored because they aren’t immediate threats.
In addition, the Cyphort platform is able to tell the difference between what the company calls "data stealing Trojans" and adware, which may be annoying but isn't otherwise particularly serious. The platform can also tell gear from Palo Alto Networks and Blue Coat what to block, which helps keep a detected threat from persisting or spreading.
There are a lot of security systems out there and many of them are both effective and useful. Unfortunately, without some means of discriminating what you need to worry about immediately and what you don’t, these systems aren’t as much help as they might be. Being able to prioritize where to look first for the most serious threats can only help.