Indicators of Behavior: Catalyzing Security Transformation


By Sam Curry, Chief Security Officer

The long term repercussions from the SolarWinds supply chain attacks have yet to be adequately measured, and we’re only starting to see the U.S. government implement changes in response to the incident. But is throwing more money at the problem a viable strategy?

With annual spending on security continuing to spiral upwards along with the severity of attacks, throwing more money is clearly only part of the answer - it will also require a catalyst in the evolution of early detection capabilities.

We Need to Be Strategic

We need to be strategic in how we leverage finite resources, especially when we are talking about ripping and replacing the legacy technologies that are insufficient against today’s threats. Organizations collectively have already spent trillions of dollars on improving their security posture over the last 20+ years, and simply piling on more of the same won’t do us any good.

Now more than ever, we have the opportunity to focus on innovation and advancing the development of more effective detection capabilities rather than just deploying different iterations of the same old thing. We need to look beyond tools that only leverage retrospective Indicators of Compromise (IOCs), as this artifact-based approach obviously failed to detect the SolarWinds attacks and more.

In an age where sophisticated attackers create unique attack sequences tailored to individual targets, we can no longer expect the IOC artifacts from one attack detected within one organization’s environment to be an effective means to detect and prevent advanced attacks in another organization’s environment.

Instead, we need to look to behavior-based approaches that can detect the rare and advantageous chains of behavior that lay the foundation for SolarWinds-style attacks. We need to shift away from our reliance on known artifacts and move towards leveraging Indicators of Behavior (IOBs), the more subtle chains of activity that can surface an advanced attack long before it can escalate to a major security event.

The Cybereason Defense Platform is specifically designed to defend organizations against never-before-seen malicious activity through an operation-centric approach to security that correlates behaviors that when observed in isolation might appear to be benign, but in combination present a distinct advantage to an attacker.

Behavior-based detections empower security professionals to prioritize what’s actually important so that they can commit their time to addressing potential security issues instead of combing through uncorrelated alerts that lack context and piecing together artifacts from an attack after the fact.

Indicators of Behavior are the key to detecting attacks earlier and remediating against them faster, and solutions that leverage this new approach are already available - just ask a Cybereason Defender how your organization can benefit.

Sustaining Partners