Hunting the One Percent: Security Then and Now

In the early days of Intel’s connection to the internet (the mid- to late 90s), I was largely responsible for defending Intel from internet-originated threats, along with making sure that internet services were up and running. My strategy relied primarily on preventative controls, implemented through a complex series of router access lists, configuration, and DMZ zones with bastion hosts, all designed to harden the perimeter of Intel and protect the internal “safe” zone inside. Secondarily, I wrote custom scripts to implement detective controls that looked for a small number of “suspicious” traffic patterns. In today’s world, with BYOD, USB memory sticks, and highly motivated attackers, the perimeter is not so easy to define and secure.

Threats are now so much more sophisticated that handcrafted scripts are simply not going to cut it for detective controls. The latest brief from IT@Intel, “Advanced Persistent Threats: Hunting the One Percent,” reviews Intel IT’s strategy for dealing with the dangers of advanced persistent threats (APTs).

“The threat landscape is constantly evolving and becoming more sophisticated, which means we have to do all we can to protect our assets, plans, and data from being leaked, compromised, or stolen.” – Brent Conran, Chief Information Security Officer, Intel

Figure: Protect (device scanning), Detect (24/7 monitoring), Respond (repair and restore)

Unlike my simple strategy that worked in the past, prevention cannot be the main strategy for dealing with APTs. While traditional security architecture with firewalls, intrusion detection, etc., is still critical, Intel IT’s strategy is to operationalize them to deal with 99% of threats, and focus hunt teams on the most difficult 1% of threats that will make it through preventative controls. Detecting and responding, as shown in the figure, are key actions. Being able to accept data from multiple security appliances and correlate data from those disparate devices centrally is a key capability for hunting. As the traditional perimeter changes, everyone inside of the organization needs to be security aware, becoming, as Xochitl Monteon, Senior Director, Intel Cyber Security, puts it in a podcast, a human perimeter.
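To make the correlation point concrete, here is a small added example (my own illustration, not code from the IT@Intel brief or any Intel tool) of what “accept data from multiple appliances and correlate centrally” looks like in practice. The three log formats, device names, hosts and sample lines are all constructed for the example. Each appliance speaks its own format; the script normalizes them into one schema and then flags hosts where independent sensors fire within a short window of each other, which is the kind of cross-device agreement a hunt team would triage first.

```python
"""Correlate events from disparate security appliances by host and time window.

Added example; formats, device names and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three hypothetical appliances, each in its
# own native format. Unifying these is the job of central correlation.
FIREWALL_LOGS = [
    "2024-03-01T09:00:05Z fw01 DENY src=10.1.2.3 dst=203.0.113.9 dport=4444",
    "2024-03-01T09:00:09Z fw01 DENY src=10.1.2.3 dst=203.0.113.9 dport=4444",
    "2024-03-01T10:30:00Z fw01 DENY src=10.1.7.8 dst=198.51.100.4 dport=22",
]
IDS_ALERTS = [
    "2024-03-01T09:00:07Z ids02 ALERT sig=beacon-like-interval host=10.1.2.3",
]
ENDPOINT_EVENTS = [
    "2024-03-01T09:01:30Z ep-scan ANOMALY host=10.1.2.3 proc=powershell.exe parent=winword.exe",
    "2024-03-01T11:00:00Z ep-scan ANOMALY host=10.1.9.9 proc=unsigned.exe parent=explorer.exe",
]

# One regex per source; named groups become fields in the common schema.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) DENY src=(?P<host>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) ALERT sig=(?P<sig>\S+) host=(?P<host>\S+)$")
EP_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) ANOMALY host=(?P<host>\S+) proc=(?P<proc>\S+) parent=(?P<parent>\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(lines, pattern, source):
    """Turn one appliance's native lines into the common event schema."""
    events = []
    for line in lines:
        match = pattern.match(line)
        if not match:
            continue  # unparseable line: skip it rather than stall the pipeline
        fields = match.groupdict()
        events.append({
            "ts": parse_ts(fields.pop("ts")),
            "host": fields.pop("host"),
            "source": source,
            "detail": fields,
        })
    return events


def collect_events():
    """Ingest all three constructed feeds into one time-ordered stream."""
    events = (normalize(FIREWALL_LOGS, FW_RE, "firewall")
              + normalize(IDS_ALERTS, IDS_RE, "ids")
              + normalize(ENDPOINT_EVENTS, EP_RE, "endpoint"))
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Flag hosts where at least `min_sources` distinct appliances fired within
    `window` of each other. A lone alert from one sensor is routine noise; the
    same host lighting up several independent sensors is a hunt candidate."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    findings = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(host_events):
            cluster = [e for e in host_events[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                findings.append({
                    "host": host,
                    "start": first["ts"],
                    "sources": sorted(sources),
                    "count": len(cluster),
                })
                break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for finding in correlate(collect_events()):
        print(f"{finding['host']}: {finding['count']} events from "
              f"{', '.join(finding['sources'])} starting {finding['start']:%H:%M:%S}")
```

On the constructed data only 10.1.2.3 is reported, because it is the one host where firewall denies, an IDS signature and an endpoint anomaly all land within the same five minutes; the lone firewall deny and the lone endpoint anomaly on the other hosts stay in the 99% that operational controls handle. The window and source threshold are the two knobs a hunt team would tune against its own alert volume.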

It amazes me how security strategy has evolved since the days when I was directly involved in implementing security, making my previous work seem so simplistic. “Advanced Persistent Threats: Hunting the One Percent” has even more insights and strategies than the ones I described above. In upcoming blog posts, I will highlight some of those individual strategies and tactics in more detail.

Jeff Sedayao

About Jeff Sedayao

Jeff Sedayao is the domain lead for security in Intel's IT@Intel group. He has been an engineer, enterprise architect, and researcher focusing on distributed systems—cloud computing, big data, and security in particular. Jeff has worked in operational, engineering, and architectural roles in Intel's Information Technology group, done Research and Development in Intel Labs, as well as performed technical analysis and Intellectual Property development for a variety of business groups at Intel.