Intelligence to Stay Ahead

The threat landscape continues to increase in sophistication. With a simple tweak, attackers can create a new malware variant to use to infect thousands of machines. It’s also easier now than ever to launch an attack. There are more tools available, from droppers to exploit kits to cybercrime-as-a-service, creating an environment where anyone can purchase malware and engage in cybercrime. Technical sophistication is no longer a requirement.

With the constant influx of new malware and low barriers to engaging in cybercrime, getting ahead of attacks may sound like an impossible task. How can an organization possibly keep up when inundated with new malware? How can an organization stop threats when new tools make it easier than ever before to engage in cybercrime?

It’s all about the intelligence.

A lot of security tools leverage commoditized threat intelligence. However, by deploying security tools that leverage evolving intelligence, organizations are able to stay ahead of attacks. How is this possible with new malware variants popping up all the time? As mentioned earlier, attackers make a simple tweak to create a new, effective piece of malware. However, they reuse a lot of their infrastructure in attacks. The fingerprints they leave behind help security researchers uncover what they are going to do next. Security research teams that actively leverage a rich combination of historical and real-time intelligence are able to see more, predict earlier, and protect effectively.

For example, an email might come through with a malicious attachment. The email is completely new, as is the malware in the malicious attachment. However, the domain that the malicious attachment redirects to might have been purchased using the same email address from a previous attack. The attacker might also leverage existing web servers. All of this information leaves fingerprints that can be used by security researchers to predict the next attack, helping organizations stay ahead of emerging threats. By identifying these patterns, building them into statistical models, and enforcing through a security product, users are protected from emerging threats.

Here at Cisco Umbrella, we have been using assisted and machine learning for five years in order to stay ahead of attackers. When considering the critical components of a truly predictive security service, there are three key pillars: data, security researchers, and statistical and machine learning models. When thinking about data, not all data is created equal. We have a large and diverse volume of threat data that our security researchers analyze. They then apply advanced techniques such as data mining and 3D visualization to identify patterns.

The security researchers are constantly finding new ways to uncover fingerprints that attackers leave behind. They build statistical and machine learning models that provide better threat detection and classification for Cisco Umbrella for MSPs.

Part of the benefit of having extensive intelligence is the ability to create policy that adheres to security risk profiles. With deeper intelligence, more information can be classified in a discrete way. For example, Cisco Umbrella has different security categories that clients can block or monitor depending on their risk appetite. Newly Seen Domains is a security category that identifies domains that have been queried for the first time within the previous few days. When a domain is first seen being queried by any user of Cisco Umbrella, we notice that; shortly thereafter, the domain is tagged as “newly seen” for all other users going to it for the next few days. This functionality helps expose domains that are part of newly emerging threats.

Having extensive intelligence and using garnered insights to enforce and protect is the key to staying ahead of attackers. It is important to look at the type of intelligence in terms of diversity, volume, and uniqueness, as well as how it is analyzed and applied.

Headed to Navigate 2017? Visit us at booth #18 on Oct. 2-5 to learn what you need to know in order to stay ahead of attacks.

Guest blogs such as this one are published monthly and are part of MSPmentor’s annual platinum sponsorship.