Browse by year:
The State of the Cyberstate
Amit Yoran
Thursday, December 30, 2010
2010 In Perspective

Cybercrime and other politically and economically motivated attacks on public and private networks have crossed the line from a looming threat to a cost of doing business.

The infamous Aurora attack on Google, Intel and other companies underscored both the potency of data theft and the acknowledgement by corporate America that, for now, the battle is being lost. Recent SEC filings – from Google to Northrop Grumman – are now including shareholder risk language to protect corporations in an environment where cyber defense is an inexact science, and where online pillaging presents explosive growth opportunities for adversaries with little upfront investment.

In 2010 the Kneber botnet, provided a perfect representation of the state of the cyberstate. A medium sized instance of the well-known ZeuS botnet, the operators behind Kneber slipped past what should have been more-than-adequate defenses within over 2,500 companies. They remained entrenched in these companies for more than 18 months, and in one month alone managed a massive data theft totaling 75GB of sensitive data. But, for all that was said to be average about the malware involved in Kneber, and Aurora, these attacks on corporations are representative of new “offensive-in-depth” methodologies that are multilayered, multifaceted, advanced threats.

Gaps In Effectiveness

Surveys by Verizon and the Ponemon Institute provide insight into what organizations are seeing and doing, in terms of the state of cyber security. The survey results highlight systemic failures in people, process and technology that are too stark to ignore. Among the most prominent findings are:
l The need for change is compelling (Ponemon Survey):
m 81 percent felt that their leadership lacked awareness of the seriousness of advanced threats.
m Only 32 percent report that their current security-enabling technologies are adequate to deal with the growing threat from undetected malware
m Only 26 percent report that the training of their security personnel is adequate to deal with advanced threats.
l Insider threat is compelling too (Verizon Survey):
m 48 percent of data breaches are caused by insiders
m 48 percent are the result of privilege misuse
m 61 percent were discovered by a third party versus the victim organization
l Detection of advanced threats is low (Ponemon Survey)
m 46 percent took one month or longer to detect an advanced threat
m 45 percent discovered these threats “by accident”

How have organizations found themselves in this untenable position, and why has this evolution of powerful adversaries and unstoppable malware seemingly taken them by surprise? Ultimately, the answer lies in the fact that attackers live in an unbounded and rapidly innovating environment, while many security programs have based success on the inadequate requirements of compliance programs or have implemented security paradigms lacking agility and headroom for new threat vectors.

Born in the days of slow moving viruses and “inconvenience attacks,” such as distributed denial of service (DDOS) and web site defacements, many security programs have proceeded along a simple, response-stimulus mentality. The goal has been to attempt to keep pace with attack and exploit development – an approach that from inception has relied on tolerance for acceptable losses and collateral damage. In the current doctrine, an attack had to occur before cyber-defenders could conceive of a proper defense, and there was no allowance in this paradigm for the geometric increases in attack velocity and complexity.

At the same time, attackers have become more sophisticated, targeted, and better financed. Adversary networks are intelligent enough to typically fly below the detection radar and make effective use of common technology advances – multilayer attacks, redundancy, and both peer to peer and cloud computing concepts. Attackers also continue to prey on the weakest link – human nature and good will – to circumvent even the best enterprise defenses. Cases in point, Aurora initially breached defenses through a phishing attack via webmail, and Kneber used competing botnet technologies – Zeus and Waledac – to provide “backup” redundancy.

The anonymity, flexibility, and complexity of the Internet and the current technology landscape favor the aggressor and severely challenge the defender. Unfortunately, the combination of conventional wisdom, designer malware, fear mongering, and margin protection has perpetuated a security model that has long been rendered obsolete.

The Way Forward

Apart from discussions of specific technologies, there are three critical areas both government and commercial organizations must address to achieve a deeper level in cyber defense footing:

Understand the criticality of detection in enterprise cyber security strategies. It would be great if organizations could implement a silver bullet prevention technology that would kill all malware, data leakage, and other unwanted network communications. But such technologies clearly do not exist today and will likely never be 100 percent effective due to the problems stated previously in this article. Any forward-leaning cyber security strategy must include a comprehensive technology architecture committed to network analysis and visibility.

Achieve defense in depth, not protection in pieces. There must be an executive level commitment within all organizations to mapping, understanding and addressing global business risk, not knee jerk threat protection through point security solutions. Organizations must deploy solutions that are robust, and that offer the agility to adapt and respond to any threat on the horizon. The goal is real-time situational awareness and the variety of analytics required to detect and thwart new attacks as they occur.

Continue to patch the human vulnerabilities.

All staff must understand the true nature of current threat landscape and be engaged in the process of identifying real risks to the enterprise, at both policy and technical level. Organizations must decrease their reliance on blinking lights as an indicator of a problem and empower everyone on the front lines to be an analyst contributing to the collective cyber intelligence of the organization.


The state of the cyberstate became more challenging in 2010, due to an increase in better-equipped adversaries and the lowering limits of preventive technologies. But all is not lost for cyber defenders in government and commercial organizations in 2011. By making detection a fundamental and well-funded security strategy, and leveraging the vast amount of network data that can be recorded, fused, and analyzed in real time, organizations can find everything from unwanted data leakage by misbehaving employees or external attackers, to the kind of zero day malware that was previously believed to be undetectable. The answers are in the network – organizations just have to ask the right questions.

Amit Yoran
CEO of NetWitness
Share on LinkedIn