Attacks keep coming, and the number of data breach stories we read in the media shows how often they are successful. We have to assume that any organisation of a reasonable size has monitoring and defence systems in place, so what’s going wrong?
Of course, organisations invariably claim that the attack was ‘sophisticated’, even an advanced persistent threat (APT). We rarely get the details, but when we do, the initial attack vector often turns out to be something simple, like phishing. What this means is that breaches will continue to happen – so maybe our focus should shift to how we detect intrusions once the attackers have got in.
As Mark Kedgley, CTO of New Net Technologies, explains in this interview, there’s no such thing as 100% security – if you want to connect with the rest of the world, you open yourself to attack. You need to spot malicious activity on your networks when it happens – as soon as it happens.
File Integrity Monitoring (FIM), which records changes to files, is one way of going about it. But it can generate a lot of false positives when regular or frequent legitimate changes – such as patching – take place, and that quickly leads to alert fatigue. So we need to be smarter about what kinds of alerts are generated, and learn what ‘good’ changes look like. If you operate properly locked-down configurations in your environment, this is possible, and it makes spotting – and responding to – malicious activity that much easier.
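A minimal illustration of the approach described above, added here as example code (it is not from the interview and not New Net Technologies’ product): a baseline of file hashes, a manifest of the hashes an approved patch is expected to produce, and a check that alerts only on changes the manifest does not account for. The directory layout, file contents and manifest format are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every file under root as {relative POSIX path: sha256}."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict, expected: dict):
    """Diff the current tree against the baseline.

    `expected` maps a relative path to the hash it should have after an
    approved change (e.g. a manifest written when a patch was staged).
    A change that lands exactly on the expected hash is a 'good' change and
    is accepted silently; every other difference becomes an alert.
    Returns (alerts, accepted).
    """
    current = build_baseline(root)
    alerts, accepted = [], []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old == new:
            continue
        if new is not None and expected.get(rel) == new:
            accepted.append(rel)
            continue
        kind = "added" if old is None else "deleted" if new is None else "modified"
        alerts.append((rel, kind))
    return alerts, accepted


def demo():
    """Constructed scenario: one approved patch, one unexpected edit, one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"app v1")
        (root / "etc" / "sshd_config").write_bytes(b"PermitRootLogin no\n")
        baseline = build_baseline(root)
        # Approved patch: the manifest records the hash the patched binary will have.
        patched = b"app v2"
        expected = {"bin/app": hashlib.sha256(patched).hexdigest()}
        (root / "bin" / "app").write_bytes(patched)
        # Unexpected changes: a hardening setting is flipped and an unknown file appears.
        (root / "etc" / "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (root / "bin" / "helper").write_bytes(b"unknown")
        return check_integrity(root, baseline, expected)
```

Running `demo()` accepts the patched `bin/app` without an alert and raises alerts only for the edited config and the new file, which is the signal-to-noise improvement the paragraph argues for.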