How broken is security?

Categories: Trusted Identity

Last week Mandiant produced their report entitled ‘Mandiant APT1 report’, which was widely covered by global media and essentially exposed a ring in China allegedly responsible for APT attacks. To many, this in itself is startling news, and there have been many stories pointing the finger at hackers in China.

However, on reading the report, an interesting statistic about how long APT1 remained inside organizations stands out. We know from the 2012 Verizon Data Breach Report that compromise happens much faster than companies can discover it. Security tools are slow, lack visibility and are too often perimeter and signature-based to detect the presence of cyber activity. Here’s a quote from the report:

“APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.”

The challenge for all organizations is that they rely on obsolete technology or signature-based detection systems which are simply not adequate for these types of attacks.

Disparate security tools are unable to identify and investigate advanced attacks in a timely manner, and SIEM tools have either speed or smarts, but never both. Furthermore, many blind spots combined with a large window of risk from an attack allow attackers too much free time on the network. Organizations must set a target to reduce the ‘free time’ or ‘dwell time’ in an APT attack: early detection and remediation will minimize the damage. Proving compliance also costs too much and takes resources away from improving security against targeted attacks, and we all know that being compliant doesn’t translate to being secure.

Until companies change the status quo and implement intelligence-driven security models, we will continue to see compromises over long periods of time without companies even realizing they are hosting cybercriminals in their infrastructures. Final thought – did the company that had APT1 in their network for 4 years and 10 months actually find the attack and stop it? Or did the attackers just get bored? My money is on the latter.

Author: Rashmi Knowles

Rashmi is Chief Security Architect at RSA, The Security Division of EMC. In her role Rashmi is responsible for Technology and Compliance Solutions for the EMEA region. Her current responsibilities include working with customers in a Trusted Advisor role, Thought Leadership for emerging technologies, acting as key spokesperson in the region for RSA’s Virtualisation and Cloud strategy and Compliance Solutions, and serving as a subject matter expert on Data Loss Prevention and Encryption Solutions. Rashmi has over twenty years’ experience in data communications and mobile communications and has focussed on Information Security for the last 15 years. Rashmi holds a degree in Computer Science from De Montfort University and a Post Graduate qualification in Computer Studies from the University of the South Bank, London.