December 22, 2021 by Brian Dye
Last week I had the privilege to be in Washington, DC talking to a group of defenders. I heard a clear pattern of words: “data-driven,” “telemetry-first,” and “visibility”. The defenders were focused on having the right telemetry to investigate both routine incidents and advanced attacks, because (1) while they can add analytics later, they can’t recreate the DATA that those analytics depend on, and (2) better coverage reduces the attacker’s ability to maneuver without hitting defensive telemetry. The defender’s dilemma (adversaries only have to get it right once) becomes the attacker’s dilemma (defenders only have to find one of their moves).
Then Log4jShell happened, which follows Sunburst as a prime example of why leading defenders pursue data-driven strategies. With such a wide range of exploit paths in Log4Shell, there is no one “detection.” The winning approach directly detects the most common exploit paths then relies on data - both in its raw form and fed into multiple, evolving analytics - to expose both new / less common exploit paths. More importantly, defenders can look back in time and see exploits that happened prior to disclosure. Without the right data, you are blind.
We see four elements of this strategy:
With so many rushing to address the latest vulnerability, our investigation and remediation work today has to address the crisis at hand. However, leaders need to look at the implications of Log4Shell to better equip our teams for the next battle. Never waste a good crisis! Follow the lead of elite defenders and adopt data-driven security as a key pillar of your 2022 strategy.
By Brian Dye, CEO of Corelight