Information Security News mailing list archives

How 'indicators of behavior' deliver left-of-breach security


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 13 Apr 2020 07:13:56 +0000 (UTC)

https://gcn.com/articles/2020/04/10/indicators-of-behavior.aspx

By Nico Fischbach
GCN.com
April 10, 2020

The federal government is taking unprecedented steps to move beyond traditional cybersecurity methods and adopt innovative solutions to protect our nation’s interests. One example is the recent formation of the Cyberspace Solarium Commission -- a collection of representatives from science, academia, business and other sectors -- who have come together to make recommendations on how the government can better combat today’s rapidly evolving cyber threat. The indication is clear: The nation needs a more proactive and outside-the-box approach to cybersecurity.

In this new era, traditional methods of detecting a cyberattack, such as indicators of compromise, are not enough. IoCs are evidence a cyberattack is taking place or, worse, has occurred already. They encompass a wide range of data points: a virus signature, suspicious URLs, email phishing campaigns, abnormal computer operations, network traffic in little-used ports or via tunneling and so on. But while IoCs are useful, they have shortcomings.

Usually, an IoC represents a single event, data point or piece of code. It offers hints about what’s happening, but lacks sufficient context. It’s often up to a security analyst to string together a large number of IoCs to fully understand, from a forensics point of view, what happened. Responding to IoCs often means blocking access based on the presence of a particular indicator, which can create friction.

In short, IoCs are table stakes. They represent surface-level security, but they won’t enable IT pros to identify an insider threat, someone going rogue or very advanced attackers.
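The point about IoCs lacking context is easier to see with a small correlator. The following is an added example, not code from the article or from any product it refers to: it takes constructed, context-free IoC hits (a phishing email, a suspicious URL, an AV signature hit, outbound traffic on a little-used port, the same kinds of data points listed above) and strings them together per host into an ordered behaviour chain within a time window. Host names, timestamps, the chain itself and the 30-minute window are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IoC hits (hypothetical hosts, times and details).
# Each row is the kind of single, context-free data point the article describes:
# (timestamp, host, ioc_type, detail).
SAMPLE_ALERTS = [
    ("2020-04-10T08:01:00", "ws-17", "phishing_email", "attachment invoice.docm"),
    ("2020-04-10T08:04:30", "ws-17", "suspicious_url", "hxxp://example.invalid/update"),
    ("2020-04-10T08:05:10", "ws-17", "av_signature", "Trojan.Generic (quarantined)"),
    ("2020-04-10T08:09:45", "ws-17", "unusual_port", "outbound tcp/4444"),
    ("2020-04-10T09:15:00", "ws-42", "suspicious_url", "hxxp://example.invalid/update"),
    ("2020-04-11T10:00:00", "ws-42", "unusual_port", "outbound tcp/4444"),
]

# Assumed behaviour chain: delivery -> fetch -> execution -> callback.
# Seen in this order on one host within WINDOW, four isolated IoCs become one behaviour.
CHAIN = ("phishing_email", "suspicious_url", "av_signature", "unusual_port")
WINDOW = timedelta(minutes=30)


def parse_alerts(rows):
    """Turn raw rows into per-host, time-ordered event lists."""
    by_host = defaultdict(list)
    for ts, host, ioc_type, detail in rows:
        by_host[host].append((datetime.fromisoformat(ts), ioc_type, detail))
    for events in by_host.values():
        events.sort(key=lambda e: e[0])
    return by_host


def longest_chain(events, chain=CHAIN, window=WINDOW):
    """Longest in-order run of chain steps seen within `window` of a start event.

    Returns (count, matched_events). A lone IoC always scores 1: that is the
    single event without context the article warns about.
    """
    best, best_events = 0, []
    for i, (t0, kind, _) in enumerate(events):
        if kind not in chain:
            continue
        step = chain.index(kind) + 1      # next chain step we are looking for
        matched = [events[i]]
        for t, k, d in events[i + 1:]:
            if t - t0 > window:           # outside the window: stop chaining
                break
            if step < len(chain) and k == chain[step]:
                matched.append((t, k, d))
                step += 1
        if len(matched) > best:
            best, best_events = len(matched), matched
    return best, best_events


def classify(count, chain=CHAIN):
    """Verdict for a host given how many chain steps were matched in order."""
    if count == len(chain):
        return "behavioural_match"
    if count >= 2:
        return "partial_chain"
    return "isolated_ioc"


def correlate(rows, chain=CHAIN, window=WINDOW):
    """Map host -> (verdict, number of chain steps matched)."""
    verdicts = {}
    for host, events in parse_alerts(rows).items():
        count, _ = longest_chain(events, chain, window)
        verdicts[host] = (classify(count, chain), count)
    return verdicts


if __name__ == "__main__":
    for host, (verdict, count) in sorted(correlate(SAMPLE_ALERTS).items()):
        print(f"{host}: {verdict} ({count}/{len(CHAIN)} steps)")
```

Run as a script, ws-17 reports a full behavioural match while ws-42, which tripped two of the same indicators a day apart, stays an isolated IoC. That is the difference the article is drawing: the individual hits are identical, only the sequence and timing turn them into a behaviour an analyst can act on without blocking on every single indicator.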

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
