Through the Haze: Agile Defence for a Fast-Moving Environment

As the scale and complexity of corporate networks continue to increase, it has become ever more difficult to cut through the web of connections and relationships that make up an organisation’s information systems and to focus on what really matters. For a cyber security analyst, this means defending against advanced persistent threats from outside the network and insider attacks from within it.

Agile defence keeps ahead of threat

The legacy IT approach to security is all out of answers. High-profile attacks on governments and businesses are met with the same kneejerk reactions: more scans, more firewalls, and more rules. Meanwhile, the gap between aggressor and defender continues to grow, as defenders struggle to keep up with ever more agile and sophisticated attackers.

Agility is one of the great advantages and necessities of today’s business environment. Our everyday business functions depend on the speedy flow of information across the globe, and the ability to interact with it flexibly.

Threat actors have taken full advantage of the mobile nature of today’s business and its agile infrastructures to play foul. But the defence team has not followed their lead, and is more likely to be found at the periphery of the action, keeping detailed records of information gathered at ingress and egress points. In doing so, they miss the attackers wearing the same team colours, disguised as fellow defenders, and their backs remain turned on the activity of their own team. Their outward focus misses the mark, as it fails to take account of possible attacks from within.

Detecting anomalies to stop sophisticated attackers

Trying to follow every piece of data as it flows back and forth between various locations on a network is an inefficient way of trying to solve the cyber security challenge. In the haze and complexity of a modern corporate network, spotting anomalies is difficult, but it is possible.

To work out what constitutes an anomaly, you also need an accurate picture of what ‘normal’ looks like for your organisation. Establishing a baseline of normal behaviour is challenging: normal models vary from business to business and employee to employee. A marketing executive will have a very different pattern of life to that of a software developer, and their habits mutate over time, changing to fit varying contexts and situations.
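The per-entity, drifting baseline described above, as an added illustration that is not Darktrace's own code: each user gets an exponentially weighted estimate of their own mean and variance, so a gradual change in habits is absorbed as the new normal while a sudden departure is scored against it. The users, counts, adaptation rate, warm-up length and standard-deviation floor are all constructed assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

STD_FLOOR = 1.0  # assumption: for small daily counts, never trust a std below one event
MIN_OBS = 3      # assumption: observations to absorb before an entity is scored


@dataclass
class Baseline:
    """Per-entity EWMA mean/variance: slow drift is absorbed, sudden jumps stand out."""
    alpha: float = 0.2  # adaptation rate: higher forgets the past faster
    n: int = 0
    mean: float = 0.0
    var: float = 0.0

    def score(self, x: float) -> float:
        """z-score of x against the current baseline; 0.0 while warming up."""
        if self.n < MIN_OBS:
            return 0.0
        return (x - self.mean) / max(math.sqrt(self.var), STD_FLOOR)

    def update(self, x: float) -> None:
        """Fold x into the baseline (EWMA updates of mean and variance)."""
        self.n += 1
        if self.n == 1:
            self.mean = x
            return
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)


def detect(events, threshold: float = 3.0, alpha: float = 0.2):
    """events: (entity, day, count) tuples in time order.
    Returns [(entity, day, z)] for days outside that entity's own normal."""
    baselines = defaultdict(lambda: Baseline(alpha))
    alerts = []
    for entity, day, count in events:
        b = baselines[entity]
        z = b.score(count)
        if abs(z) >= threshold:
            alerts.append((entity, day, z))
            continue  # an anomalous day must not be learned as the new normal
        b.update(count)
    return alerts


# Constructed sample: daily file-access counts for two fictional users.
ALICE = [10, 11, 9, 10, 10, 11, 9, 10, 10, 11, 80]  # steady, then a sudden spike
BOB = list(range(20, 31))                            # gradual drift: one more per day
EVENTS = [(u, d, s[d - 1]) for d in range(1, 12) for u, s in (("alice", ALICE), ("bob", BOB))]
```

Running `detect(EVENTS)` flags only alice on day 11; bob's steady climb is never flagged because his baseline moves with him, which is exactly the failure mode a fixed rule such as "more than 25 accesses per day" would get wrong in both directions.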

The human nature of sophisticated threats from within and without calls for an equally sophisticated response, one that does not depend on predefined rules of what a threat looks like. An intelligence-led approach to cyber security, anchored in self-learning behavioural analysis, is able to detect sophisticated threats from external and internal actors. Tomorrow’s defence strategies, powered by today’s technological advances, will look ahead to observe and prevent threats as they emerge in real time.

A good defensive player does not stand in one place, expecting the attacker to use the same strategy as in the last match. He is agile and dynamic, adjusting his tactics to each new move the adversary makes or is likely to make. It is time we abandoned the illusion that safety is just a software update away, and faced the ongoing challenge of mitigating threats intelligently, taking account of the human factor behind every attack.

See Darktrace exhibiting at Whitehall Media’s Enterprise Security & Risk Management 2014. 25th March – Hotel Russell, London.

Authored by Darktrace, the world leader in Behavioural Cyber Defence technology.