Threat Detection Benchmark Part 1: Uncovering Threat Vectors

Feb 11, 2016 | by RSA

When it comes to securing modern IT environments, your strategy hinges on your ability to detect threats. Unfortunately, organizations often rely on only a few sources of threat detection data to provide a foundation for their security strategy, which leads to inadequate visibility and, in turn, greater risk. In Part 1 of this threat detection benchmark series, you will learn how improving your visibility can lay a solid foundation for your organization's security strategy.

The Importance of Comprehensive Visibility

Visibility underpins an organization's ability to account for and detect prevalent threat vectors. This doesn't mean simply relying on endpoint- and network-level agents to build a threat detection solution. Rather, it implies the use of multiple, coordinated data sources that cover all your environment's prevalent threat vectors.

Put succinctly, a threat vector is any path a threat actor might use to gain access to valuable assets. If that sounds somewhat vague, it's due to the dynamic nature of today's attacks. Threat vectors have evolved at a rapid pace, and new tactics are discovered regularly. For this reason, maintaining high visibility of all potential paths to important resources is the foundation for effective detection.

A Simple Game of Numbers

When it comes to creating an environment with comprehensive visibility, the first point of emphasis is quantity of sources. This idea is very similar to the way physical security works. With more security cameras and guards, you'll have higher visibility. Likewise, you will be able to better detect potential threats as you start to add more sources of data for threat monitoring.

When asked what constitutes a good source of threat detection data, many IT professionals would likely list traditional desktop security agents. This view of the world is very malware-centric, and assumes that endpoint anti-malware solutions are effective. In today's advanced threat world, where many attacks don't use malware, or malware can easily evade static detection rules or signatures, this is not a reliable assumption. While these tools can provide some limited insight into threat activity, on their own they are incapable of generating the environment-wide view that is required. Quality sources include, but are not limited to, network data (both network packets and flow data), more detailed endpoint data, and system-level log monitoring across the infrastructure. The general rule of thumb is the more sources, the more robust your visibility will be. These sources should cover a diverse range of threat vectors that pertain to your organization's environment.

The sources of visibility we have described so far focus on infrastructure. But it is also important to gain visibility into identities and user behavior. A recent article in The Wall Street Journal highlights the growing issue of internal threats. By tightly integrating identity data with other data sources, organizations are able to achieve higher visibility on potential internal threat vectors. This is a great example of a quality source: it shows how taking a holistic approach to diversifying your sources of threat data can help your organization reach a higher threat detection benchmark.

An effective security strategy is only as good as the foundation upon which it is built. With a multitude of quality data sources, you'll establish a sound foundation, and you'll have the ability to better understand activity across your environment.

Author: RSA
