Attack vs. Compromise: Understand What You're Watching
The difference between IoC and IoA is the difference between cleaning up after a burglary and heading off a thief before he gets in the door.
July 23, 2018
By Rick Costanzo
“Do a few things and do them well.” It’s a mantra we hear often in business. But with the managed services market expected to grow at a healthy CAGR of 11 percent through 2022, according to Market Research Future, it’s clear that MSPs are taking this advice to heart as a way to focus on core competencies.
One of the main growth drivers for MSPs is the demand for managed security services; that’s growing nearly 50 percent faster than the overall market. In fact, demand for MSSP service is expected to reach $45 billion by 2022.
MSSPs promise to help defend against the staggering number of cyberthreats aimed at enterprises of all sizes. Some stats: More than 230,000 new malware samples are launched every day. The average SMB experiences a cyberattack 44 times every day. And the cost of damage directly related to cybercrime is adding up, expected to reach $6 trillion by 2021.
One area new MSSPs sometimes overlook is that it’s important to understand what you’re monitoring in order to understand how effective your systems will be in detecting and preventing the next attack. Indicators of cyberevents can be categorized into two broad groups: indicators of compromise (IoCs) and indicators of attack (IoAs). Each provides a security analyst different types of information that can be used for cybersecurity response, but only IoAs are poised to aid with prevention.
Indicators of compromise are identified by pieces of forensic data found buried deep in log files. Traditionally, identifying IoCs has required extensive detective work and knowledge of the network to identify an attack that has already happened. Examples of IoCs include malware, exploits, file names, IP addresses and other vulnerabilities in the network. An IoC is equivalent to your neighbor determining that someone broke into his house by noticing that the TV is gone from the living room — it’s a good confirmation something has happened, but not helpful in preventing the robbery.
The tools, techniques and procedures associated with modern cyberattacks give rise to a new set of indicators of attack that can be more helpful in preventing successful breaches.
Indicators of attack are represented by a series of actions that an attacker might conduct to launch a cyberattack on a network. Attackers might use unrecognizable IP addresses, scan networks at unpredictable times, log in from a region where no employees reside or try to get in using multiple and perhaps outdated user IDs. IoAs are proactive indicators, representing the actions of the attacker before or during a breach attempt.
Thinking back to the burglary at your neighbor’s house, the thieves likely took certain actions before attempting the heist. They would have driven by the property a few times to understand when people are home; they likely looked for signs of a guard dog; they would have scouted out security measures, like signs indicating alarm systems or motion-detector-activated lights. Only once they’ve planned their attack would they make an attempt. If we can understand and detect patterns leading up to an attack, we can anticipate and therefore stop a break-in before it happens.
The same can be said for building enterprise-security resilience. Monitoring for IoAs allows a security analyst to hunt threats in real time and take corrective action against attacks as they happen.
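To make the distinction concrete, here is an added example (not code from the article or from Rank Software) that runs both kinds of check over a handful of constructed log lines. The IoC pass compares observed artifacts against static lists of known-bad addresses and file hashes; the IoA pass looks for the behaviours the article names, such as logins from a region where no employees reside, attempts against retired user IDs, many user IDs tried from one source, and scanning at an unusual hour. All addresses, hashes, account names, regions and thresholds are placeholders chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed reference data (placeholders, not real threat intelligence).
KNOWN_BAD_IPS = {"203.0.113.7"}                     # documentation-range address
KNOWN_BAD_HASHES = {"deadbeef" * 8}                 # placeholder SHA-256 value
ALLOWED_REGIONS = {"US", "CA"}                      # regions where employees reside
RETIRED_ACCOUNTS = {"jsmith_old", "contractor2"}    # user IDs that should never log in
BUSINESS_HOURS = range(7, 20)                       # 07:00-19:59 local time

# Constructed log lines: "<ISO time> <event> key=value ..."
SAMPLE_LOG = """\
2018-07-23T09:12:01 login_ok src=198.51.100.4 user=alice region=US
2018-07-23T09:14:40 login_fail src=192.0.2.9 user=jsmith_old region=RU
2018-07-23T09:14:42 login_fail src=192.0.2.9 user=contractor2 region=RU
2018-07-23T09:14:45 login_fail src=192.0.2.9 user=bob region=RU
2018-07-23T09:14:47 login_fail src=192.0.2.9 user=carol region=RU
2018-07-23T10:02:13 file_exec src=198.51.100.4 user=alice region=US sha256={bad}
2018-07-23T03:10:00 port_scan src=203.0.113.7 user=- region=US ports=22,80,443,3389
""".format(bad="deadbeef" * 8)


def parse_log(text):
    """Turn each 'TIME EVENT key=value ...' line into a dict; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        ev = {"time": datetime.fromisoformat(ts), "event": kind}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def find_iocs(events):
    """IoC matching: observed artifacts compared against static known-bad lists.

    This only fires once a known artifact has already shown up, i.e. after the fact.
    """
    hits = set()
    for ev in events:
        if ev["src"] in KNOWN_BAD_IPS:
            hits.add((ev["src"], "traffic from known-bad address"))
        if ev.get("sha256") in KNOWN_BAD_HASHES:
            hits.add((ev["src"], "execution of known-bad file hash"))
    return sorted(hits)


def find_ioas(events, spray_threshold=3):
    """IoA detection: flag attacker behaviour even when no artifact is on a list."""
    hits = set()
    users_per_src = defaultdict(set)   # distinct user IDs tried per source address
    for ev in events:
        if ev["event"] in ("login_ok", "login_fail"):
            if ev["region"] not in ALLOWED_REGIONS:
                hits.add((ev["src"], "login from region with no employees"))
            if ev["user"] in RETIRED_ACCOUNTS:
                hits.add((ev["src"], "attempt against retired user ID"))
            if ev["event"] == "login_fail":
                users_per_src[ev["src"]].add(ev["user"])
        elif ev["event"] == "port_scan" and ev["time"].hour not in BUSINESS_HOURS:
            hits.add((ev["src"], "network scan outside business hours"))
    # One source cycling through many accounts is a behaviour, not an artifact.
    for src, users in users_per_src.items():
        if len(users) >= spray_threshold:
            hits.add((src, f"{len(users)} distinct user IDs tried from one source"))
    return sorted(hits)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("IoC hits (what already happened):")
    for src, reason in find_iocs(events):
        print(f"  {src}: {reason}")
    print("IoA hits (behaviour worth acting on now):")
    for src, reason in find_ioas(events):
        print(f"  {src}: {reason}")
```

Note that the source at 192.0.2.9 never appears on a blocklist and executes no known-bad file, so the IoC pass says nothing about it; only the behavioural checks surface it, and they do so while the login attempts are still in progress. The thresholds and the set of behaviours are the part a defender tunes to the customer environment.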
When evaluating security systems, MSSPs must understand if they have the ability to monitor IoAs in addition to the more traditional IoCs. Here are some of the capabilities that will enable you to build a stronger enterprise-security posture:
Real-time threat hunting. Each new cyberattack is more sophisticated than the last, leaving traditional security measures unable to spot the next threat. MSPs need the ability to view attacks as they unfold by enriching data collected from across the business with contextual and behavioral insights.
Active learning. Tools need to become smarter and more efficient over time. Active learning allows MSPs to record feedback and apply that action to similar alerts, helping to increase threat-hunting accuracy and reduce the number of false positives.
Enterprise scale. More than 20 billion connected things are expected to be in use by 2020. More devices connected to customers’ networks make scalability a critical consideration for MSSPs.
Contextualization. AI, machine learning and behavioral analytics will help make data more consumable and help MSPs understand risk thresholds based on context and assemble and interpret the signals needed to hunt and assess threats faster and with high precision.
Flexibility. Tools need to be installed quickly into existing customer environments. Look for cloud, on-premises and hybrid options.
Rick Costanzo is CEO of Rank Software, a provider of cybersecurity solutions that uses machine learning to find the anomalies among the billion-plus security events some companies receive each day.