You never saw it coming. No indicators of attack on your financial data. Then, you get a letter. Your financial information was exposed in a massive data breach. What do you do now? Your identity is forever at risk.
Unfortunately, you can't change where you used to live, when you last refinanced your mortgage or what credit card you just opened. Turning back the clock doesn't change the result. That data will always be out there, exposed.
Turning back the clock on malware yields interesting results
I recently heard Chris Young, CEO of McAfee®, discuss the history of cyber attacks from the first malware ever developed to today's. Nearly all malware originated from a small handful of attack types. Today, however, we are awash in a sea of malware. Millions of malware variants are out there in the wild, some more severe than others. Yet most are derivatives of those original attacks. The moral of the story? Time doesn't make malware fade away, not all of it and not even some of it. Attacks just get more or less popular over time (ransomware, anyone?).
Then why do organizations have such a struggle identifying the indicators of these attacks? Perhaps it's been a lack of the right staff, skills, tools or information, or simply conventional wisdom, that has kept organizations from focusing on them. If this is the case, why should they continue this seemingly uphill battle?
The importance of indicators of attack
Indicators of attack are inherently proactive. They're like a tornado watch, issued when conditions are favorable for a tornado, but you won't necessarily be dropped into the Land of Oz. Like the gentle rain that turns into the heavy thunderstorm spawning a tornado, indicators of attack are the behavioral traces of the adversary's early actions in your network. An example is when a network device communicates with more devices than its peers.
Indicators of compromise, by contrast, are reactive. The tornado warning is issued when a tornado, or rotation, has been spotted in your area. Time is of the essence and you need to take cover immediately! Indicators of compromise are the funnel cloud — the behavioral traces from the later stages of an attack. An example is when an endpoint communicates with a known bot command-and-control host. The adversary is already well along the path to success or has accomplished its goals. Your focus in the tornado warning is getting to the basement in a flash. In a breach, security’s focus is containing and eradicating the threat quickly. Or in some cases, executing the organization’s damage-control program.
By transferring security's attention toward indicators of attack, abnormal activities can be identified and potential threats analyzed early, when the rain starts. With that analysis, security playbooks can be automated to detect, investigate and act on 'low hanging' threats. In turn, mean time to respond (MTTR) decreases and security operations efficiency increases. Existing staff can up-level and use skills to the fullest, giving security teams more time to focus and collaborate on more difficult challenges.
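As an added illustration, not from the original post or from SAS or McAfee, here is a small Python sketch of the two behavioral signals named above run over constructed flow records: a device that talks to far more peers than its neighbors (an indicator of attack) and a device that talks to a known command-and-control host (an indicator of compromise). The addresses, the fan-out threshold and the command-and-control list are all assumptions.

```python
"""Toy detection over constructed flow records for the two signals discussed
above. Hosts, addresses and the command-and-control list are made up."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (source, destination). In practice these would
# come from NetFlow/IPFIX, firewall logs or an endpoint agent's telemetry.
FLOWS = [
    ("10.0.0.11", "10.0.0.50"), ("10.0.0.11", "10.0.0.51"),
    ("10.0.0.12", "10.0.0.50"), ("10.0.0.12", "10.0.0.52"),
    ("10.0.0.13", "10.0.0.51"), ("10.0.0.13", "10.0.0.53"),
    # 10.0.0.14 fans out to twenty hosts: far more peers than its neighbors (IoA)
    *[("10.0.0.14", f"10.0.0.{n}") for n in range(60, 80)],
    # 10.0.0.15 reaches a host on the command-and-control list (IoC)
    ("10.0.0.15", "198.51.100.7"),
]

# Constructed placeholder list of known C2 hosts, not a real indicator feed.
KNOWN_C2 = {"198.51.100.7"}


def peer_counts(flows):
    """Number of distinct destinations each source contacted."""
    peers = defaultdict(set)
    for src, dst in flows:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def fan_out_outliers(flows, factor=5):
    """Indicator of attack: sources whose distinct-peer count exceeds
    `factor` times the median across all sources. The median baseline is
    robust to the outlier itself, so one noisy host does not hide itself."""
    counts = peer_counts(flows)
    baseline = median(counts.values())
    return sorted(src for src, n in counts.items() if n > factor * baseline)


def c2_contacts(flows, c2_hosts=KNOWN_C2):
    """Indicator of compromise: sources that contacted any listed C2 host."""
    return sorted({src for src, dst in flows if dst in c2_hosts})


if __name__ == "__main__":
    print("IoA (fan-out outliers):", fan_out_outliers(FLOWS))
    print("IoC (C2 contacts):     ", c2_contacts(FLOWS))
```

The fan-out check fires before any payload is seen, which is the "tornado watch" the post describes; the C2 check only fires once the later stage has already happened.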
Moving closer to identifying indicators of attack
Most would say this sounds much easier said than done. However, organizations are closer than ever to achieving this goal. How? Innovations in streaming analytics enable organizations to use existing security data for greater investigational context more readily than ever before. Additionally, advances in machine learning make it possible for organizations to develop and refine predictive models based on the indicators of attack mentioned earlier.
As Chris Young predicted at McAfee's MPOWER Cybersecurity Summit this year, "analytics and data science will become the norm in cybersecurity." I'm glad McAfee agrees with SAS on this. It's why SAS joined the McAfee Security Innovation Alliance and completed our integration of SAS® Cybersecurity with the McAfee® Data Exchange Layer (DXL), enabling the McAfee® ePolicy Orchestrator® (McAfee ePO™) database to perform preventative actions based on the intelligence received over DXL.
SAS integrated our SAS Cybersecurity solution with the McAfee DXL to help organizations see those indicators of attack on their networks. SAS Cybersecurity's advanced and predictive analytics capabilities give McAfee DXL-compatible customers a single, continually updated view of each network device's security risk.
The SAS and McAfee combination presents organizations with the weather radar for the 'local security conditions' throughout their networks. Security can now recognize the barometric pressure changes before the rain clouds even form. And, as a result, move closer to staying a step ahead of adversaries.
What do you think? Are organizations ready to embrace a focus on indicators of attack?
McAfee, ePolicy Orchestrator, ePO and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.