Endpoints, Gateways, and Networks: Teamwork Is Better Than Lone Rangers

In police work, multiple witnesses, pieces of evidence, and investigating officers are better than a lone detective and a smoking gun. They bring different perspectives to the problem, comparing and analyzing elements and pursuing leads until the crime is solved.

Unfortunately, cybersecurity today seems more like a bunch of individual crime fighters or private investigators. Beat cops are checking for malware at the endpoints. Security guards are checking the comings and goings at each entrance and exit. Detectives are interrogating suspicious characters in the sandbox. Secret agents are gathering intelligence on potential threats. Thankfully, society’s law enforcement officials don’t work in silos; they actively share facts and ideas. However, in the cyberworld, a lack of orchestration is unfortunately the norm.

We have seen the silo effects of policing in the real world, and these groups are trying harder to work together. They have the benefit of common goals, shared language, and evolving protocols on how and what to share. We need the same thing in cybersecurity.

For example, when a suspicious email arrives, the firewall security guard can see the source IP and MAC addresses, but the endpoint cop only sees it as coming from the safe harbor of the internal mail server. If the email has a known malicious link, the email gateway can block it, but it should also be equipped to share that info with other controls such as the Web gateway to protect anyone from following that link, should they get it from another source.

I am certain that security vendors have a common goal when it comes to protecting their customers from danger. What’s missing is a common language and protocols for how and what to share. Intel Security has a remedy for this in the form of a real-time security Data Exchange Layer. DXL is built to deliver an architecture with a common communications framework that can connect to existing and future systems from Intel Security and, most importantly, to other systems in the ecosystem. DXL can be centralized or decentralized, as appropriate to the individual security functions and the network structure.

How DXL Works

With DXL, the combined system of security technologies is equipped to continually share intelligence for optimal protection. In our email example, when suspicious or malicious activity is detected, awareness of which endpoints have clicked the malicious email links helps identify those impacted hosts. This information allows the environment to automatically quarantine those hosts and perform in-depth inspection to identify the relevant components of the infection and any further potential impact. With this understanding, the environment rapidly corrects the impacted infrastructure by performing such actions as killing malicious processes, cleaning registry entries, removing malicious files, and killing connectivity to command-and-control infrastructure. This process contains the initially visible aspects of the event. Next, analysts can leverage various indicators found in these exercises to look for other affected systems that could result from lateral movement and persistence.

To facilitate this analysis, the environment queries the historic analytics repository for any other event artifacts. Any findings can be scoped and remediated, preferably using policies and scripts. Finally, with these new learnings, the environment continuously hunts going forward, looking for variants or related impacts. Pertinent newly found intelligence is ultimately shared with the rest of the organizational controls via DXL. This form of automated intelligence sharing and active defense rarely exists in most organizations, yet most will agree it is necessary in today’s cyberfight.

As our industry has evolved, some security vendors have developed proprietary systems that connect their own parts together. However the challenge is that these systems may not have all of the components you need, or worse yet, they deliver a false sense of security with great reports and tons of information, yet very little actual integration into the security fabric of the organization for delivering an active defense framework. These barriers can no longer be permitted to stand if we are to combat modern attack complexity with the velocity and accuracy needed to win the battle.

In law enforcement, catching and stopping criminals does not happen effectively in isolation, by one individual, one precinct, or one organization. Instead, disparate law enforcement organizations and entities work closely together to effectively thwart the most advanced of criminal activities. In the world of cybersecurity, we must rapidly evolve from the bankrupt isolated approaches of the past if we are to deliver on the active defense measures that are necessary against today’s adversaries.