According to the report by MeriTalk, federal agencies may be missing key indicators of an attack – a pathway into their networks – and unable to correlate threat data points. While the majority of agencies monitor traditional entry points (such as mail servers, the web, and internet gateways), the report found that fewer than half guard data centers (north/south and east/west), SaaS enforcement points, and mobile endpoints. This may impede the organization’s ability to spot discrete malicious behaviors.
Even with the enforcement points that are being monitored, only a little more than half (61 percent) of agencies are capable of automatically distributing information against malicious behaviors across different enforcement points.
Organizations share threat feeds today with the aspiration that these insights will help them prevent new threats on their own networks. Feds subscribe to a daunting amount of threat feeds daily, ingesting an average of such 25 external feeds daily, the report found. Almost half are received via email, drastically increasing the time it takes to distribute new protections based on those insights. Seventy-two percent say it takes a few hours to a few days to assess if a unique threat is present and determine if action is required. Eighty-one percent also state it takes just as long to create actionable changes in their organization’s security posture.
Despite these time-intensive processes, federal security operations teams continue to allocate precious manpower and financial resources to tasks that can be automated. Twenty percent of security operations professionals say 12 or more members of their agency’s security operations center (SOC) team are primarily responsible for:
Creation of custom signatures for security technologies on the network
Correlation of isolated network events that may be related to part of a campaign
Taking threat intelligence from various feeds and making it actionable
Correlating different behaviors (IOCs) to associate them with one or more threat campaigns
Additionally, the report found that many security operations professionals are not utilizing critical advanced threat capabilities. Seventy-one percent of agencies use some form of automated analysis and reports to reduce the volume of data and focus efforts on hunting targeted attacks. However, fewer than half use advanced techniques – specifically, dynamic analysis (48 percent), static analysis (32 percent), and machine learning (19 percent) – which, working together, improve threat analysis and the ability to anticipate future threats.
Despite the need for the automation of prevention, only 30 percent of federal security operations professionals are willing to invest in the automation of signature creation and distribution.
“Agencies are falling into a culture that’s too focused on the legacy, manual way of doing security,” says Steve O’Keeffe, founder, MeriTalk. “Feds need their technology investments – not just their human expertise – to detect new attacks and determine what’s a full-blown, global, coordinated campaign as opposed to an unrelated or one-time event – and act accordingly to quickly and effectively minimize damage.”
For agencies to assess threats as quickly and efficiently as possible, the report outlines the following recommendations:
• Ensure detection and enforcement across all potential attack vectors into the network to detect any anomalies that could be new threats.
• Correlate isolated tactical behaviors as a sign of a bigger attack pattern, as well as isolate network segments to reduce the effectiveness of attacks.
• Prevent new attacks by first analyzing and accurately predicting the next step in the attack (location and behavior) before it occurs.
• Leverage new techniques, like machine learning, dynamic and static analysis, in conjunction. Then, swiftly create new protection and reprogram enforcement points faster than the attack can spread in the network.
More details: https://www.meritalk.com/study/pedal-to-the-metal