In a recent Ponemon Institute study most of the organisations surveyed reported an average of almost two successful security breaches in the past two years. And according to a Verizon report, 81% of the breaches its respondents saw utilised some form of hacking and, most worryingly, 85% of them took weeks or more to discover. In that time a hacker could take an awful lot of intellectual property from an organisation’s data centre.
The problem is existing security products address only part of the security challenge. New threat types leveraging web applications require additional defences because the ones typically deployed are ineffective. Reputation feeds, for example, rely on IP addresses, but we know that more than one person could be using an IP address. Signature-based solutions throw too many false positives to be useful in many cases. Blocking legitimate customers is not a good idea.
So what can be done? Security has to become more innovative, intelligent and dynamic.
The first of two such capabilities is a method of ‘fingerprinting’ hackers as they make their first attack on the network. Using intruder deception software, we can deploy tar traps that identify individuals attempting malicious actions and lead them on a wild goose chase, presenting false fronts that have nothing to do with the operational web site. In doing so we build a profile of the attacker’s device: we give it a name, rate its threat level and create a unique fingerprint of the device from over 200 attributes.
Armed with this profile we are now in a position to block the attacker device wherever it tries to enter the corporate network. The profile of a new attacker can be added, in real time, to the existing databases on perimeter security devices globally. For example, if an organisation detects an attack on its data centre in Sydney, Australia, its London data centre can be notified and the perimeter defences (i.e. intrusion deception points and firewalls) updated. As a result, threats can be mitigated rapidly and there is no chance of false positives.
The above two capabilities are powerful in themselves. But imagine how much more powerful they would be if companies and other organisations around the world shared the profiles of attackers: definitive intelligence about specific threats and individual devices, pooled to deliver even more advanced, real-time security.
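To make the two capabilities concrete, here is an added illustration (not code from the article or from any product it describes) of a decoy-triggered fingerprint, the block that follows it, and the sharing of the profile with a second site. The decoy paths, the five fingerprint attributes, the two sample devices and the documentation-range IP are all constructed for the demo; the point it shows is that keying on device attributes rather than the IP lets the attacker be blocked while a customer behind the same address is still served.

```python
import hashlib
import json

# Constructed decoy paths: nothing on the real site links to them, so a
# request for one signals probing rather than normal use.
TAR_TRAP_PATHS = {"/admin-backup/", "/.git/config"}
# Attributes hashed into the fingerprint (a hypothetical subset). The client
# IP is deliberately left out: many users can share one address (NAT, proxy).
FINGERPRINT_ATTRS = ("user_agent", "accept_language", "accept_encoding",
                     "screen", "timezone")

def fingerprint(request):
    """Stable hash over the chosen device attributes."""
    material = json.dumps([request.get(a, "") for a in FINGERPRINT_ATTRS])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

class DeceptionGateway:
    """Keeps attacker profiles keyed by device fingerprint, not by IP."""
    def __init__(self):
        self.profiles = {}  # fingerprint -> profile, the unit that is shared

    def handle(self, request):
        fp = fingerprint(request)
        if fp in self.profiles:                # known device: block it
            self.profiles[fp]["hits"] += 1
            return "block"
        if request["path"] in TAR_TRAP_PATHS:  # first contact with a decoy
            self.profiles[fp] = {"name": "attacker-" + fp[:6],
                                 "threat": "high", "hits": 1}
            return "decoy"                     # serve the false front
        return "allow"

# Constructed traffic: two different devices behind one documentation-range IP.
COMMON = {"ip": "203.0.113.7", "accept_encoding": "gzip", "timezone": "+10"}
ATTACKER = dict(COMMON, user_agent="curl/8.0", accept_language="en", screen="")
CUSTOMER = dict(COMMON, user_agent="Firefox/120", accept_language="en-AU",
                screen="1920x1080")

def demo():
    """Decisions at two sites: Sydney sees the probe, London imports the profile."""
    sydney, london = DeceptionGateway(), DeceptionGateway()
    decisions = [sydney.handle(dict(ATTACKER, path="/admin-backup/")),
                 sydney.handle(dict(ATTACKER, path="/login")),
                 sydney.handle(dict(CUSTOMER, path="/login"))]
    london.profiles.update(sydney.profiles)  # share the profile (a feed in practice)
    decisions += [london.handle(dict(ATTACKER, path="/login")),
                  london.handle(dict(CUSTOMER, path="/login"))]
    return decisions
```

Running `demo()` yields `["decoy", "block", "allow", "block", "allow"]`: the probing device is decoyed once and then blocked at both sites, while the customer sharing its IP is allowed throughout.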
By providing more innovative, intelligent and dynamic security solutions, we can put attackers firmly in the spotlight, which is exactly where they don’t want to be.