Seeing the Forest for the Trees: How do you define “security threat”?

One of the hardest, but easily one of the most important, things in the security world is staying on top of those nebulous, ever-evolving “security threats”. But what constitutes a “threat”? We’re only just now wrapping up February, but here are some notes from the security world that have been taken this month:

• Symantec has identified 35 new “threats” and has released advisories for 49 vulnerabilities in Microsoft products alone.
• Proofpoint’s Emerging Threats Ruleset (which includes coverage for malware activity but also active phishing campaigns) has had 56 new rules in the “open” ruleset, and a whopping 104 new rules in the “pro” ruleset (in addition to the 56 in the open ruleset).
• 535 CVE’s (Common Vulnerabilities & Exposures) have been assigned.
• 94 commits have been made to the Metasploit framework project on GitHub.
• Cisco has released TWO critical patches to the ASA software to correct remotely exploitable denial-of-service vulnerabilities.
• A tool was released that can capture SSH and SUDO passwords out of memory on Linux machines.

Obviously, there’s no way one person can stay up-to-date on every signature from every A/V vendor, every CVE for every product, every commit to a popular security tool… So, time to raise the white flag and join the red team, right? Not so fast.

The evolution of terms based off security maturity

One of the most important things we’ve observed as a Managed Security Provider is how the definition of “security threat” evolves as a company moves up the security maturity scale. While some companies may view the IOCs (indicators of compromise) in a US-CERT security bulletin as a “drop everything and investigate” scenario, others are more keen to realize that these – like any other threat intel – are things to be used as context while monitoring for other, more accurate, behaviors (and that means they avoid false positives on IP’s for mail.yahoo.com, am I right?).

Similarly, some companies view the recent plague of JavaScript-based crypto-currency miners (such as “CoinMiner” and the like) as a noteworthy event with company-wide impact. Others recognize that this type of “low hanging fruit” is why they pay for host-level A/V, even if they have 25,000 (or more!) endpoints that need licenses.

So what is the right definition of “security threat”?

Unfortunately, there is no right answer.

For a company with 10,000 Windows machines and a cluster of Cisco ASA’s running their remote access solution, the list above for things happening so far in February could be cause for serious alarm. For a company with 50 MacBooks, 100+ Linux servers, and a Check Point firewall for remote access, not much stands out above as a real “threat”.

The truth of the matter is that it’s important for any company (and also, if they happen to have one, for their Managed SOC) to understand what is relevant to a company and what isn’t. Take CoinMiner – if you’re a company with comprehensively-deployed A/V, do you need to stay aware of every signature your A/V company releases? Of course not. That’s what you pay THEM for. If you’re a 10-person small business who forgot to renew the A/V that came with those computers you bought from $BigBoxStore, maybe you need to be concerned (but you should be concerned about more than CoinMiner).

Time to get to know your environment and take control

We have the best success in implementing a security monitoring program for our customers when they have a good handle on 3 aspects of their environment:

1. What are all of our assets, and which ones are critical?
2. What is the most attractive target for someone attacking us? (Our brand? Customer data?)
3. What do we do well security-wise, and where are our gaps?

Based on these 3 things, it’s easy to identify what current events our customers should address with log-based monitoring (or IDS-based monitoring, as the case may be), and what things they already have tools or controls in place to address.

Security isn’t an end goal, it’s a process and a practice

Security isn’t a product or an end goal, it’s a lifestyle… a “practice”, if you will. And as a security practitioner, your success depends on using your time, energy, and resources (all of which you have in limited supply) as efficiently and effectively as possible. Knowing your environment and understanding what is truly a threat to you is the closest thing you’ll ever find to real silver bullet in security.