TENERIFE, Spain – Network defenders who rely solely on lists of assets to protect are running a fool’s errand.
Instead, it’s crucial to think in graphs: not only to visualize threats, but to understand network edges and the dependencies between assets and accounts, so that attacker activity can be captured and rendered useless.
John Lambert, general manager of Microsoft’s Threat Intelligence Center, said in today’s keynote address at the Kaspersky Lab Security Analyst Summit that while successful defenders may understand the basic security principles of confidentiality, integrity and availability, they’re interpreting each point on the triad in radically new ways.
“They’re discarding stuff that doesn’t work,” Lambert said. “And stuff they don’t have, they’re inventing it.”
Lambert recalled a time not so long ago when defenders were too protective of their intelligence. It was crucial to understand the assets in their environments, develop incident response plans, and view penetration test results as a report card on their internal security—an output. Intelligence was rarely shared; for example, analysts weren’t sent to security conferences for fear of “blabbing” threat indicators that might give away a competitive advantage.
Modern defenders cannot afford to think that way, Lambert said. One slide he demonstrated showed a graph of dependencies between network edges, accounts and permissions that spread across the screen like bacteria in a petri dish.
“Modern defenders, they have a graph of things to protect,” Lambert said. “They think about adversaries and their next move. They find trusted peers in the community, and understand the importance of learning from others and their practices. Pen-tests are diagnostics to successful defenders, not a report card. Pen-tests are input, with a goal of increasing attacker requirements.”
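The “graph of things to protect” Lambert describes can be made concrete. The following Python is an added example, not code from the talk or from Microsoft: it models a small, constructed environment as a graph of hosts, accounts and groups joined by the relationships an attacker chains together (a cached logon session, local admin rights, group membership), enumerates every path from a set of footholds to a high-value group, and ranks the edges that appear on the most paths. The host and account names, the relationship labels and the environment itself are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample environment (not from the talk). Each edge is a
# relationship an attacker can traverse:
#   HasSession: the account's credential material is cached on the host
#   AdminTo:    the account or group has local admin rights on the host
#   MemberOf:   the account is a member of the group
EDGES = [
    ("WS01", "HasSession", "helpdesk_svc"),
    ("WS03", "HasSession", "web_svc"),
    ("WS04", "HasSession", "it_admin"),
    ("helpdesk_svc", "AdminTo", "WS02"),
    ("helpdesk_svc", "AdminTo", "FS01"),
    ("web_svc", "AdminTo", "WEB01"),
    ("WS02", "HasSession", "it_admin"),
    ("WEB01", "HasSession", "it_admin"),
    ("it_admin", "MemberOf", "Domain Admins"),
    ("FS01", "HasSession", "backup_svc"),
    ("backup_svc", "MemberOf", "Server Admins"),
    ("Server Admins", "AdminTo", "DC01"),
    ("DC01", "HasSession", "da_svc"),
    ("da_svc", "MemberOf", "Domain Admins"),
]
# Workstations an attacker is assumed able to compromise (phishing etc.).
FOOTHOLDS = ["WS01", "WS03", "WS04"]
TARGET = "Domain Admins"


def build_adjacency(edges):
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def attack_paths(edges, footholds, target):
    """Return every simple path from any foothold to the target.

    Each path is a list of (source, relationship, destination) edges, so it
    reads like an attacker's chain: who logged in where, which rights that
    grants, and which group membership ends the game.
    """
    adj = build_adjacency(edges)
    paths = []

    def walk(node, path, visited):
        if node == target:
            paths.append(list(path))
            return
        for rel, nxt in adj[node]:
            if nxt in visited:
                continue
            path.append((node, rel, nxt))
            visited.add(nxt)
            walk(nxt, path, visited)
            visited.remove(nxt)
            path.pop()

    for start in footholds:
        walk(start, [], {start})
    return paths


def choke_points(paths):
    """Count how many attack paths traverse each edge.

    The edge on the most paths is the relationship whose removal (revoking a
    group membership, clearing a cached session, pulling a local admin right)
    cuts the most routes at once.
    """
    counts = defaultdict(int)
    for path in paths:
        for edge in path:
            counts[edge] += 1
    return dict(counts)


def shortest_path_length(paths):
    return min((len(p) for p in paths), default=None)


def simulate_removal(edges, footholds, target, edge):
    """Re-run the analysis without one edge: how many paths survive, and how
    many relationships does the shortest survivor need? Fewer and longer is
    the goal."""
    remaining = [e for e in edges if e != edge]
    paths = attack_paths(remaining, footholds, target)
    return len(paths), shortest_path_length(paths)


if __name__ == "__main__":
    paths = attack_paths(EDGES, FOOTHOLDS, TARGET)
    print(f"{len(paths)} paths to {TARGET}; shortest uses "
          f"{shortest_path_length(paths)} relationships")
    for p in paths:
        print("  " + " -> ".join(f"{s} [{r}]" for s, r, _ in p) + f" -> {TARGET}")
    top_edge, hits = max(choke_points(paths).items(), key=lambda kv: kv[1])
    print(f"Top choke point: {top_edge} (on {hits} of {len(paths)} paths)")
    print("Paths left, shortest length after removing it:",
          simulate_removal(EDGES, FOOTHOLDS, TARGET, top_edge))
```

In this constructed environment the list view (“protect DC01”) misses the real problem: the membership of it_admin in Domain Admins sits on three of the four paths, because that account leaves sessions on two servers and its own workstation. Removing that one edge leaves a single path of seven relationships where the shortest used to be two; that is what “increasing attacker requirements” looks like in numbers. Real tooling does the same over thousands of nodes, and the edge types would be whatever the directory, cloud IAM or CI system actually exposes.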
Lambert shared examples of changes Microsoft has made to its core security and detection processes, changes that eventually made their way into patches and updates and eliminated scores of zero-day vulnerabilities.
“We are in a world where modern defenders are sharing about adversaries across geographies, industries and even within lines of competition,” Lambert said. “Threats are a common thing we all face. There’s no magical information-sharing thing. It’s a trust-based thing. You have to get to know people; you’re not trading with a vendor, you’re sharing with a person. It’s not a transactional relationship. You want to give them indicators because you want them to find more out there, and it will help you down the line.”
The goal should be not only to get attackers off your network and contain their activity, but also to raise the cost of exploit development for them.
“You want to force adversaries to go back to development,” Lambert said, adding that cooperation, even among professional competitors, leads to important research being published, which could awaken others to lend a fresh set of eyes to the problem.
“The goal should be to remove all of us from a world of information siloes and not sharing, to a world where hacker activity is imprisoned and all their opsec mistakes are trapped and can’t be used anymore,” Lambert said. “Knowledge of intrusion sets grows and grows. This just serves to improve adversary coverage and helps everyone.”