Security In Retrospect
By Cat Yong
For the last 4 months, Chinese hackers waged a silent onslaught upon The New York Times, successfully infiltrating it, and stealing passwords of its reporters and staff.
And while Sourcefire does not have any direct involvement in the NYT hacking incident, its founder and interim CEO, Martin Roesch stepped forward to voice how retrospective security could have mitigated the attacks.
“This incident is the latest example of how attackers and their tools have advanced to evade traditional defenses. The reality is that it’s no longer a matter of if attackers get in, but when,” said Roesch.
“Point-in-time security that only has one shot to determine if a file is malware does not work by itself. A new model that also collects telemetry for continual analysis of what is happening in your environment is needed. This analysis can be used to determine scope, contain and ultimately remediate the malware automatically. This is what is called retrospective security.”
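The model Roesch describes, retaining telemetry so that a verdict reached later can be applied backwards to scope and contain a file that an initial scan let through, can be sketched in a few dozen lines. The following is an added illustration written for this page, not Sourcefire code and not a description of any Sourcefire product: the hashes, host names, paths and timeline are constructed, and the `Telemetry` class, its methods and `run_scenario` are hypothetical names.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Placeholder hashes for the constructed scenario, not real indicators.
HASH_DROPPER = "sha256:" + "a" * 64
HASH_BENIGN = "sha256:" + "b" * 64


@dataclass(frozen=True)
class FileEvent:
    ts: int        # seconds on a constructed timeline
    host: str
    sha256: str
    path: str


@dataclass
class Telemetry:
    """Keeps every file observation so a later verdict can be applied backwards."""
    events: List[Tuple[FileEvent, str]] = field(default_factory=list)
    verdicts: Dict[str, str] = field(default_factory=dict)

    def observe(self, ev: FileEvent) -> str:
        """Point-in-time check: block only if the hash is already known bad.
        Either way the observation is retained; that retention is what makes
        retrospective analysis possible."""
        status = "blocked" if self.verdicts.get(ev.sha256) == "malicious" else "allowed"
        self.events.append((ev, status))
        return status

    def update_verdict(self, sha256: str, verdict: str) -> None:
        """Record a verdict produced by continual analysis (sandbox, intel feed, ...)."""
        self.verdicts[sha256] = verdict

    def scope(self, sha256: str) -> Dict[str, dict]:
        """Retrospective query: every host that ever saw the file, even where the
        point-in-time check allowed it, with first/last seen, paths and whether
        any observation was allowed through."""
        per_host = defaultdict(list)
        for ev, status in self.events:
            if ev.sha256 == sha256:
                per_host[ev.host].append((ev, status))
        result = {}
        for host, obs in per_host.items():
            result[host] = {
                "first_seen": min(ev.ts for ev, _ in obs),
                "last_seen": max(ev.ts for ev, _ in obs),
                "paths": sorted({ev.path for ev, _ in obs}),
                "allowed": any(status == "allowed" for _, status in obs),
            }
        return result

    def containment_plan(self, sha256: str) -> List[Tuple[str, str, str]]:
        """Quarantine actions for the hosts where the file got past the initial check."""
        plan = []
        for host, info in sorted(self.scope(sha256).items()):
            if info["allowed"]:
                for path in info["paths"]:
                    plan.append(("quarantine", host, path))
        return plan


def run_scenario() -> dict:
    """Constructed timeline: the dropper is unknown when first seen, so the
    point-in-time check allows it on three hosts; the verdict arrives later and
    the retained telemetry is used to scope and contain it."""
    t = Telemetry()
    before = [
        FileEvent(10, "ws-01", HASH_DROPPER, "/home/alice/Downloads/update.bin"),
        FileEvent(20, "ws-02", HASH_DROPPER, "/home/bob/Downloads/update.bin"),
        FileEvent(30, "ws-01", HASH_BENIGN, "/usr/bin/less"),
        FileEvent(40, "ws-03", HASH_DROPPER, "/tmp/.cache/update.bin"),
    ]
    first_pass = [t.observe(ev) for ev in before]
    # At t=100 continual analysis reclassifies the hash as malicious.
    t.update_verdict(HASH_DROPPER, "malicious")
    # From now on the point-in-time check catches it; the earlier hosts need the retrospective view.
    late = t.observe(FileEvent(110, "ws-04", HASH_DROPPER, "/home/carol/Downloads/update.bin"))
    return {
        "first_pass": first_pass,
        "late_status": late,
        "scope": t.scope(HASH_DROPPER),
        "plan": t.containment_plan(HASH_DROPPER),
    }


if __name__ == "__main__":
    r = run_scenario()
    print("point-in-time verdicts on first sight:", r["first_pass"])
    print("same hash after reclassification:", r["late_status"])
    for host, info in sorted(r["scope"].items()):
        print(host, info)
    for action in r["plan"]:
        print(*action)
```

The point of the sketch is the asymmetry: a scanner that only keeps verdicts would block `ws-04` and know nothing about `ws-01` through `ws-03`, whereas keeping the observations themselves lets the later verdict produce a scope and a containment list for the hosts it had already missed.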
After tracking the intruders to study their movements and help erect better defenses, NYT and computer security experts have been able to expel the attackers and keep them out. The Times is also working to make sure it has a full grasp of the extent of the attackers' access, so that the next time they try to come in, the response can be faster.
It is understood that The Times had to block the compromised outside computers, remove every back door into its network, change every employee password and wrap additional security around its systems. That is easier said than done, and it will certainly not be all that NYT has to do, as Times executives say they anticipate further hacking efforts.
Graham Welch, managing director for Sourcefire in EMEA said in his blog that we live in an era of industrialised hacking where script kiddies are now members of criminal gangs that stand to make huge amounts of money from their shady activities.
“We’re talking about a huge business often involving R&D, distribution, sales and even customer support to make money out of the unsuspecting or unwary business or computer user.
“This means that we now need to look at security in a different way. It’s no longer a question of if you’ll get hit or even a question of when you will get hit; increasingly it’s a question of how often you will get hit. Many businesses today count the number of attacks they face in the tens of thousands every week or month. Many of the attacks were not even sophisticated – the most recent Verizon data breach report suggests 96 percent of attacks were ‘not highly difficult’.”
Welch goes on to say that what matters more today than measuring how serious a problem is, is how quickly you become aware that you have one, how quickly you can stop it spreading, and whether you keep the damage contained.
“There are no silver bullets, and security is no longer simply a question of building up the walls around your business; you need to have threat visibility across your entire enterprise and deal directly with the issue quickly and efficiently.”
Sourcefire believes that the way to do this is to deploy a solution that executes on the entire lifecycle of the threat, and not only when it is detected for the first time.