I’ve seen a lot of talk regarding an information security posture referred to as Active Defense. It’s becoming more popular across the industry. The phrase seems to be popping up everywhere I look.
At first, I barely noticed it. After a while, I couldn't ignore it. I found myself asking the question: what is an active defense posture? The best answer to that question, at least on the surface, comes from the United States Department of Defense:
“The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.”
How does that apply to Information Security?
Let's break down the above definition first. We’ll start with the middle part and by defining what the "contested area" or "position" is.
Simply put, the contested area or position is what you’re protecting.
It could be your end-points (laptops, desktops, cell phones, server, etc.), basically any internet-connected device on your network that holds or has access to valuable information pertinent to your business or enterprise.
The endpoint is the “position” or “contested area” that needs defending, not necessarily because of what it might be worth physically but for what it contains. Its value lies in the data stored on its hard-drive or its ability to access valuable information stored elsewhere.
The "enemy" is the individual who is trying to compromise your environment. We will rarely ever know WHO that enemy is behind closed doors, but we’ve learned enough over the years regarding how they operate, what tools they use, what distribution channels they leverage to identify a perpetrator by behavior.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
- Sun Tzu, The Art of War
Sun Tzu's 100% correct. By knowing your enemy, you're better able to protect yourself. However, what about the final part, the counterattacks and limited offensive measures? This is where things get tricky.
In some circles an active defense is made up of three critical points:
- Pre-Emptive Attacks
- Active Deception
There are possible legal ramifications for the first two items on the list. Security7 Networks does not recommend you attempt anything illegal. Two wrongs do not make a right.
We also think the active deception part of the equation should become secondary to what we're recommending. Instead of what's listed above we believe the best place to start building an active defense security posture is through the implementation of preventive, pro-active security measures that evolve via a form of automated threat hunting and elimination.
That automated process is achievable through the implementation of a Security Operations and Analytics Platform Architecture aka SOAPA. To help you understand how SOAPA can help you achieve an active defense security posture, let's look at the definition of Threat Hunting and how you should go about successfully hunting for threats.
What is Threat Hunting?
Threat hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
You’ve probably already done a lot to secure your digital assets, but now it’s time to start thinking a little differently.
How to Hunt Threats Successfully
There are four critical steps to remember when hunting:
- Hypothesis
- Investigate
- Expose and Uncover
- Analysis and Remediation
Now for some exposition:
Hypothesis First - The first step in threat hunting is the hypothesis. If you’re going to start hunting a threat, you should treat the endeavor like a scientific experiment. “If I do A then I expect B to happen.”
Even with little to no evidence your supposition alone should be enough to get you involved in a hunt. You know your systems better than almost anybody and if you feel like there’s something amiss there probably is.
A reasonable hypothesis isn’t always easy to develop, but if you’re able to put something of value together, you’ll have solid footing when it comes to starting your investigation.
Investigate Second - You’ve established your hypothesis, now it’s time to dig through the data. You didn’t start hunting on a whim. You noticed something or realized things were off. Because you’ve “hopefully” got a strong hypothesis, you already know where to start.
As a heads up, a proper investigation can be incredibly time consuming BUT worthwhile in the end. Just be ready to pivot quickly from data set to data set. The rabbit hole can go pretty far down, and you need to be prepared to consume large amounts of data.
Employing things like dashboards that can be set up to include and process multiple data streams in one place automatically can be incredibly helpful. (We’ll be talking more about dashboards and what we do with them for our clients soon).
Expose and Uncover Third - When trying to expose trends or start looking for patterns, visualization can be helpful. Being able to visualize your data helps you successfully prove or disprove your hypothesis.
If you can visualize your data, it’s going to make it so much easier to expose the threat you’ve been hunting. Uncovering a threat can take a lot of time and effort, but in the end, it’s worth it.
Analysis and Remediation Fourth - Once you’ve investigated your data and exposed any threats, it’s time to analyze those threats, close the holes and access points that allowed the threat in and to remediate any damage they might have caused to your system.
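The four steps above, worked through in code. This is an added example written for this article, not code from Security7 Networks or from any product; the log format, the svc_backup account, its baseline hosts and maintenance window, and the remediation actions are all constructed for illustration. The hypothesis is "if a service account has been compromised, I expect to see it log on interactively from hosts it has never used, outside its maintenance window"; the script investigates a handful of constructed auth events, exposes the accounts that fit the pattern, and turns the findings into remediation actions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines (not real data), syslog-style.
SAMPLE_LOG = """\
2024-03-04T02:05:11 auth: user=svc_backup src=backup01 result=success type=service
2024-03-04T02:05:40 auth: user=svc_backup src=backup01 result=success type=service
2024-03-04T09:14:02 auth: user=alice src=ws-117 result=success type=interactive
2024-03-04T13:22:45 auth: user=svc_backup src=ws-203 result=success type=interactive
2024-03-04T13:23:10 auth: user=svc_backup src=ws-203 result=failure type=interactive
2024-03-04T13:24:01 auth: user=svc_backup src=ws-203 result=success type=interactive
2024-03-04T17:48:19 auth: user=bob src=ws-042 result=success type=interactive
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) type=(?P<type>\S+)$"
)

# Step 1, Hypothesis, written down as data: for each service account, the hosts
# it is expected to use and the hour window (start inclusive, end exclusive)
# in which it normally runs. Constructed values.
BASELINE = {
    "svc_backup": {"hosts": {"backup01"}, "window": (1, 4)},
}


def parse(log_text):
    """Turn raw log lines into event dicts; lines that don't fit are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def investigate(events, baseline):
    """Step 2, Investigate: narrow the data set to the accounts the hypothesis covers."""
    return [e for e in events if e["user"] in baseline]


def expose(events, baseline):
    """Step 3, Expose and Uncover: aggregate per account the evidence for or against."""
    findings = defaultdict(
        lambda: {"unexpected_hosts": set(), "off_hours": set(), "interactive": 0}
    )
    for e in events:
        b = baseline[e["user"]]
        f = findings[e["user"]]
        if e["src"] not in b["hosts"]:
            f["unexpected_hosts"].add(e["src"])
        start, end = b["window"]
        if not (start <= e["ts"].hour < end):
            f["off_hours"].add(e["ts"].hour)
        if e["type"] == "interactive":
            f["interactive"] += 1
    # Keep only accounts where the hypothesis is supported by at least one signal.
    return {u: f for u, f in findings.items() if f["unexpected_hosts"] or f["interactive"]}


def analyze(findings):
    """Step 4, Analysis and Remediation: decide what to do about each finding."""
    actions = []
    for user, f in sorted(findings.items()):
        # Interactive use from a host the account never used: treat as compromised.
        if f["unexpected_hosts"] and f["interactive"]:
            actions.append(("disable_account", user))
            for host in sorted(f["unexpected_hosts"]):
                actions.append(("isolate_host", host))
    return actions


def hunt(log_text, baseline=BASELINE):
    """Run the whole hunt and return (findings, remediation actions)."""
    scoped = investigate(parse(log_text), baseline)
    findings = expose(scoped, baseline)
    return findings, analyze(findings)


if __name__ == "__main__":
    found, todo = hunt(SAMPLE_LOG)
    for user, f in found.items():
        print(user, f)
    for action in todo:
        print(*action)
```

When the data does not support the hypothesis (no service account outside its baseline), `hunt` returns an empty findings map and no actions, which is the "disproved" outcome the article says a hunt should be able to produce as readily as a confirmed one.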
The problem with Threat Hunting is how time-consuming it can be. Even with a fully staffed SOC you're bound to miss something. Humans are not infallible.
This is where SOAPA comes in.
We didn't coin the term SOAPA. Jon Oltsik, a principal analyst at Enterprise Strategy Group, did. He wrote an excellent article on the subject, and we highly recommend you check it out.
If you're not interested in checking out Jon's article, we'll summarize SOAPA as such:
SOAPA is a relatively new security solution philosophy that allows an InfoSec team to leverage multiple technologies and unite them as one pseudo-platform. By bringing together security data from multiple sources, SOAPA users can analyze, manage, and report on actionable items unlike ever before.
You might be saying to yourself "hey, that sounds an awful lot like a SIEM and I've already got that." You wouldn't be wrong to make that sort of comparison.
However, SIEM and SOAPA differ in three fundamental ways. Traditional SIEMs focus on a Collection > Detection > Respond model whereas SOAPA (at least our solution) focuses on an intelligent Respond > Detect > Collect model.
Let's compare the two.
Primarily a traditional SIEM works like this:
Step 1. Collection:
Traditional SIEM encourages you to collect as much data as possible. It focuses only on a subset of "potential" data sources. The traditional SIEM does not offer visibility across the entire Enterprise.
Step 2. Detection:
Traditional SIEM uses static correlation models, which offer little chance of success when detecting complex threat scenarios. The traditional SIEM generates a high volume of false positives, resulting in "Alert Fatigue."
Step 3. Response:
Automation typically doesn't exist. Investigation and Remediation become manual efforts and can be very time-consuming for your SecOps team.
That means if you're implementing a SIEM you still actively have to hunt for threats to your environment. SOAPA flips that model on its head and begins to automate the threat hunting process for you.
How SOAPA Works:
As stated above, a SOAPA solution (in this case our SOAPA solution) uses a Response > Detection > Collection model.
Step 1. Response:
SOAPA focuses on end-points first to prevent unwanted activity and automates the response process. SOAPA blocks the known bad before it even reaches you.
Step 2. Detection:
SOAPA is designed to detect complex threat scenarios & offers full attack life-cycle detection. SOAPA uses a combination of static correlation, anomaly detection & threat intelligence to create actionable alerts.
Step 3. Collection:
SOAPA focuses on data collection from meaningful logs and high-value assets while providing a holistic view of your security posture.
That means a SOAPA solution proactively threat hunts for you. It uses what it already knows about bad actors and existing attack methods to proactively defend you. It's a continually evolving and updating active defense solution.
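The Response > Detection > Collection model above, reduced to a runnable sketch. This is an added example written for this article, not Security7's product or Jon Oltsik's work; the endpoint telemetry, the DNS volume table, the threat-intel indicators (placeholder values, not real IoCs) and the "Office app spawns a shell" rule are all constructed. Step 1 blocks anything matching threat intelligence before it runs; step 2 merges three signal sources (static correlation, a robust median/MAD anomaly detector on DNS volume, and the intel matches) into per-host alerts, raising severity when independent sources agree; step 3 collects telemetry only from hosts that raised an alert rather than everything.

```python
from collections import defaultdict
from statistics import median

# Constructed threat-intelligence indicators (placeholders, not real IoCs).
INTEL_HASHES = {"0" * 64}
INTEL_DOMAINS = {"c2.invalid"}

# Constructed endpoint telemetry (not real data).
EVENTS = [
    {"host": "ws-017", "kind": "process", "image": "winword.exe", "parent": "explorer.exe", "sha256": "a" * 64},
    {"host": "ws-017", "kind": "process", "image": "powershell.exe", "parent": "winword.exe", "sha256": "b" * 64},
    {"host": "ws-017", "kind": "dns", "domain": "c2.invalid"},
    {"host": "ws-042", "kind": "process", "image": "updater.exe", "parent": "services.exe", "sha256": "0" * 64},
    {"host": "ws-099", "kind": "process", "image": "chrome.exe", "parent": "explorer.exe", "sha256": "c" * 64},
]

# Constructed per-host DNS query counts for the last hour; the fleet is the baseline.
DNS_COUNTS = {
    "ws-001": 11, "ws-002": 12, "ws-003": 12, "ws-017": 13,
    "ws-042": 12, "ws-055": 14, "ws-099": 11, "ws-123": 310,
}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def respond_known_bad(events):
    """Step 1 (Response): block what threat intel already says is bad, before it runs."""
    blocked = []
    for e in events:
        if e["kind"] == "process" and e["sha256"] in INTEL_HASHES:
            blocked.append(("block_process", e["host"], e["image"]))
        elif e["kind"] == "dns" and e["domain"] in INTEL_DOMAINS:
            blocked.append(("sinkhole_dns", e["host"], e["domain"]))
    return blocked


def static_correlation(events):
    """Static rule: an Office application spawning a scripting shell."""
    hits = []
    for e in events:
        if e["kind"] == "process" and e["parent"] in OFFICE_APPS and e["image"] in SHELLS:
            hits.append(("office_spawns_shell", e["host"], f'{e["parent"]} -> {e["image"]}'))
    return hits


def anomaly_detection(counts, threshold=5.0):
    """Flag hosts whose DNS volume is a robust outlier against the fleet.

    Median/MAD is used instead of mean/stddev so one noisy host cannot
    inflate the baseline and hide itself (a design choice for this example).
    """
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid division by zero
    hits = []
    for host, v in counts.items():
        score = (v - med) / (1.4826 * mad)  # 1.4826 scales MAD to a std-dev estimate
        if score > threshold:
            hits.append(("dns_volume_anomaly", host, f"{v} queries, robust z={score:.1f}"))
    return hits


def detect(events, counts):
    """Step 2 (Detection): merge all signals into per-host alerts with a severity."""
    per_host = defaultdict(list)
    for sig in respond_known_bad(events) + static_correlation(events) + anomaly_detection(counts):
        per_host[sig[1]].append(sig)
    alerts = {}
    for host, sigs in per_host.items():
        kinds = {s[0] for s in sigs}
        # Two independent signal types on one host is far more actionable than one.
        severity = "critical" if len(kinds) > 1 else "medium"
        alerts[host] = {"severity": severity, "signals": sigs}
    return alerts


def collect(events, alerts):
    """Step 3 (Collection): pull full telemetry only for hosts that raised an alert."""
    return [e for e in events if e["host"] in alerts]


if __name__ == "__main__":
    alerts = detect(EVENTS, DNS_COUNTS)
    for host, a in sorted(alerts.items()):
        print(host, a["severity"], [s[0] for s in a["signals"]])
    print(len(collect(EVENTS, alerts)), "events collected for investigation")
```

In the constructed data, ws-017 is flagged by both the static rule and the intel match and so comes out critical, ws-042 is blocked on hash alone, ws-123 is caught only by the anomaly detector, and ws-099 generates nothing, which is the point of collecting after detecting rather than before.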
The beauty about SOAPA is it's modular. Parts are interchangeable, and you're not locked in with a single solution that you hope gets the job done like you are with SIEM and other traditional security products.