Using Crowd Intelligence To Fight Emerging Threats

October 20, 2017 Emily Davidson

Jeremy Smolik, Channel Systems Engineer at Kaspersky Labs tells the story of how a new malware strain injects itself into RAM without the need for a file or attachment.

“IT personnel rarely lock down their administrative tools,” he says. “Kaspersky Labs found it by scanning RAM and looking for patterns in tools that were compromised.”

Undetected by standard security defenses, the new strain exploits legitimate administrative tools like PowerShell. The malware hides for months, snooping credit card data and stealing credentials. Today it lurks on banking computers, ATMs and Domain Controllers.

New malware and ransomware threats emerge constantly. How will the average organization (with an average budget) keep up? “There is a necessity to crowdsource threat intelligence,” Smolik says. IT services transitioned to the cloud rapidly, and now it is more important than ever to share security event information. Here’s why:

THE RUSH TO ADOPT CLOUD SERVICES LEFT GAPING HOLES IN SECURITY

The implementation of cloud (or hybrid cloud) security technology is never cheap, but neglecting it comes with a heavy penalty. Osterman Research found that the average security event for a large enterprise costs $1 million. In some cases, losses are much higher.

Ransomware costs, on average, $625 per device for an organization. That adds up to millions of dollars in the event of an enterprise-wide breach.

But the loss can stretch beyond technology costs or stolen funds. The fallout can be far more expensive. Newspaper headlines, eroded customer confidence, shareholder action, threatened job security for management and IT professionals, and government fines are just a few of the consequences. IT, therefore, must remain vigilant.

“IF YOU ARE THE CUSTOMER, YOU NEED TO SECURE YOUR OWN DATA AND APPLICATIONS,” SMOLIK ADVISES.

He advises everyone to not just back up their cloud data, but to test their backups regularly. “Only 42% of those hit with ransomware recover their data,” said Smolik. “Their backups either failed, were incomplete or were already infected. Backups can fail, data can get corrupted, and large amounts of organizational data can be missed. Back up all of the data you send to the cloud, and continue to apply security best practices.”
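As an added illustration of "test your backups" (this is not code from the article or from Kaspersky), the check below records a SHA-256 manifest when a backup is taken and later verifies a restored copy against it, reporting the two failure modes Smolik names: files missing from an incomplete restore and files whose contents were corrupted. The three sample files and the damaged restore are constructed inside the script so it runs offline.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Hash every file under root; record this when the backup is taken."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def verify_backup(root, manifest):
    """Compare a restored tree with the manifest.
    Returns (missing, corrupted): paths absent from the restore (incomplete
    backup) and paths whose contents no longer match (corrupted or altered)."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                corrupted.append(rel)
    return sorted(missing), sorted(corrupted)

def demo():
    """Constructed sample: back up three files, then damage the restore."""
    files = {"a.txt": b"alpha", "b.txt": b"beta", "sub/c.txt": b"gamma"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as restore:
        for base in (src, restore):
            for rel, data in files.items():
                path = os.path.join(base, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)                      # taken at backup time
        os.remove(os.path.join(restore, "b.txt"))           # incomplete restore
        with open(os.path.join(restore, "sub", "c.txt"), "wb") as f:
            f.write(b"gamm@")                               # corrupted content
        return verify_backup(restore, manifest)

if __name__ == "__main__":
    missing, corrupted = demo()
    print("missing:", missing, "corrupted:", corrupted)
```

Running the verification against a restore that is actually untouched returns two empty lists; anything else means the backup could not be relied on in an incident.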

CROWDSOURCED INTELLIGENCE BATTLES A MALWARE MELEE WITH PROACTIVE DETECTION

To address such a massive amount of malware and ransomware, Kaspersky uses all of its endpoints as security event monitors. “The idea is that all of those endpoints, mobile devices, laptops, mail servers and virtual machines are active as sensors and the platform is monitoring the types of events and traffic patterns that would look suspicious based on what we’ve learned from our cloud intelligence,” Smolik says.

Kaspersky’s crowdsourced research pool contains 250,000 customers with eighty to one hundred million endpoints connected to it.

EVERY DAY, THESE ENDPOINTS DETECT 600,000 GLOBALLY-TARGETED ATTACK SAMPLES PER SECOND. AT THE END OF THE DAY, KASPERSKY EXPERTS LABEL ROUGHLY 300,000 OF THESE AS UNIQUE, OR NEW ATTACKS.

Smolik continues, “...you’re not only crowdsourcing information [globally] from your network, but using the intelligence to take a proactive approach [to security] because you’re learning about it in near real time. What I mean by that is collecting snippets of data and traffic patterns and events around the world that point to certain malware actors or malware activities that you can proactively protect against.”

Then, the data is fed into Kaspersky’s homogeneous solution offerings, which apply the same approach, the same dashboard and the same management portal to all endpoints, all servers, and all services. Annually, they publish the top forty threats to the public, and customers in a particular enterprise or region can subscribe to those threat reports to stay on top of threats before they hit the news.

SMOLIK’S BIGGEST PIECE OF ADVICE: QUESTION EVERYTHING AND CONSTANTLY EVOLVE YOUR APPROACH

Smolik recommends a multi-layered hybrid cloud approach. It takes multiple security tools and strategies to stay one step ahead of cyber criminals. Implement safeguards both on-premises and in the cloud to ensure all bases are covered. Every single endpoint must be covered: low-tech endpoints such as ATMs, as well as servers, network switches, routers, laptops, desktops, tablets, mobile devices and even sensors.

“It is best to assume that the bad guys are already inside,” said Smolik. “Question everything and constantly evolve your approach. The enemy is always inventing new ways to infiltrate your defenses.”

At the same time, simplify security management. Kaspersky advocates a system that uses the same dashboard for all services, applications, and endpoints. “Management from a single point is essential,” said Smolik. “Take a holistic approach to the cloud that bakes in enough security and best practices.”

Will crowdsourced intelligence be the answer to beating cybercriminals? Smolik answers confidently, “Without using buzzworthy terms I truly believe that we can - as a global organization.”
