In his memoir “Left of Boom”, former CIA case officer Douglas Laux details his experiences in Afghanistan and the Middle East, and the title of his book refers to the U.S. military’s decades-old efforts to disrupt insurgent cells before they could build or plant bombs. The phrase is also widely used by law enforcement and first responders when discussing the disruption of terror cells and attacks before they occur. The phrase has a lot of utility in the world of cybersecurity, too.
Consider the concept of Left of Boom in terms of endpoint security. Endpoint security tools are vigilant at monitoring endpoint activity and can generate alerts when they detect suspicious behavior, but they operate within narrow parameters. They may be overzealous in reporting anything that violates those parameters, leading to high rates of false positives, yet they might also fail to notice when adversaries turn a company’s legitimate tools against it -- what’s known as “living off the land”.
This overwhelms security teams with so many alerts that they get buried chasing false positives while real threats slip through. Security analysts need more high-fidelity alerts and less noise.
Further, because security teams are already strained, they need more help stopping attacks as they are underway.
“With this next generation of endpoints, what we’ve seen is that there’s a greater concentration on observation of the [threat] techniques, but not really stopping the threat itself,” said Matt Hickey, vice president of sales engineering at Sophos. “What we need to do is a layered approach on these devices where we are doing device control and we're making sure that only critical applications needed for that user are running on that device.”
Most importantly, he said, security teams need tools that stop cyberthreats “left of boom.”
However, finding and eliminating cyberattacks left of boom requires proactive measures that are capable of disrupting the attacker before they, or their malware, can do any damage. Bonus points if this can be achieved before the adversary can build a persistent presence in the environment. To achieve all of this, Hickey recommends a context-sensitive endpoint defense.
Components of a context-sensitive endpoint defense
To deliver on the promise of a context-sensitive defense, the security tools need to be comprehensive, accurate, and swift. Context-sensitive defense achieves this through real-time automation that triggers defenses based on data from the targeted device as well as other contextual data across the environment, such as firewalls, identity and access management systems, downloads, third-party APIs, administrative software activity, security information and event management (SIEM) systems, and more. This way, the endpoint security tools are given more context to identify the actual sources of a threat and generate highly accurate alerts rather than false positives.
By drawing upon these data sources, the context-sensitive defense generates an accurate picture of what is going on and can then take, in many cases, automated actions to stop the attack. In those incidents where automated actions can’t be taken, accurate alerts can be sent to security teams.
As Hickey put it, with context-sensitive defense, security teams will be able to take action on very accurate alerts by pulling in data from multiple sources so that teams are only faced with genuine attacks and not chasing false positives — all before the attacker triggers their payload.
What type of actions can be automated? These can include restricting staff from downloading administrative tools like PowerShell, as well as other tools that aren’t needed to perform their job. These are tools that attackers often use to help them conduct their attacks. Additionally, security teams can enable automatic blocking of specific remote internet addresses as they attempt to connect to devices or the network.
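The correlation described in the preceding paragraphs (endpoint activity scored against identity, change-management and firewall context, then either suppressed, escalated to the SOC, or answered with an automated block) can be sketched as a small triage routine. The code below is an added illustration, not Sophos code or any product’s logic; the directory entries, approved-change list, firewall history, hostnames, user names and IP addresses are all constructed placeholders, and the scoring weights are arbitrary choices made for the example.

```python
"""Toy context-sensitive triage for endpoint events (added example, not vendor code).

An endpoint event is enriched with three constructed context sources:
  - an identity directory (who the user is and what role they hold),
  - a set of approved change windows (admin work that is expected),
  - firewall history (how often an outbound peer has been seen before).
The combined score decides whether the event is suppressed, raised as a
high-fidelity alert, or answered with an automated block.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class EndpointEvent:
    host: str
    user: str
    process: str                      # image name of the started process
    parent: str                       # image name of its parent process
    remote_ip: Optional[str] = None   # outbound peer, if the process connected out


@dataclass
class Decision:
    verdict: str                      # "suppress", "alert" or "block"
    score: int
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


# Tools that staff outside an admin role rarely need (constructed list).
ADMIN_TOOLS: Set[str] = {"powershell.exe", "psexec.exe", "wmic.exe", "certutil.exe"}
# Parents that should not normally spawn admin tooling.
OFFICE_PARENTS: Set[str] = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed context sources standing in for IAM, change management and firewall data.
IAM_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"role": "admin"},
    "bob": {"role": "finance"},
}
APPROVED_CHANGES: Set[Tuple[str, str]] = {("alice", "host-01")}   # (user, host)
FIREWALL_HISTORY: Dict[str, int] = {"203.0.113.10": 512, "198.51.100.7": 0}


def triage(event: EndpointEvent,
           iam: Dict[str, Dict[str, str]] = IAM_DIRECTORY,
           changes: Set[Tuple[str, str]] = APPROVED_CHANGES,
           fw_history: Dict[str, int] = FIREWALL_HISTORY) -> Decision:
    """Score one endpoint event against its surrounding context."""
    score, reasons = 0, []
    proc = event.process.lower()

    # Identity context: is this user expected to run admin tooling at all?
    if proc in ADMIN_TOOLS:
        role = iam.get(event.user, {}).get("role", "unknown")
        if role != "admin":
            score += 40
            reasons.append(f"{proc} run by user with role '{role}'")
        elif (event.user, event.host) not in changes:
            score += 20
            reasons.append(f"{proc} run by admin with no approved change on {event.host}")

    # Process-tree context: office documents spawning admin tools is a classic LOLBin pattern.
    if event.parent.lower() in OFFICE_PARENTS:
        score += 30
        reasons.append(f"{proc} spawned by office application {event.parent}")

    # Network context: a peer the firewall has never seen before raises the score.
    novel_peer = event.remote_ip is not None and fw_history.get(event.remote_ip, 0) == 0
    if novel_peer:
        score += 30
        reasons.append(f"first outbound connection to {event.remote_ip} seen by the firewall")

    if score >= 60:
        actions = [f"block_process:{event.host}:{proc}"]
        if novel_peer:
            actions.append(f"block_ip:{event.remote_ip}")
        return Decision("block", score, reasons, actions)
    if score >= 20:
        return Decision("alert", score, reasons, ["notify_soc"])
    return Decision("suppress", score, reasons, [])


if __name__ == "__main__":
    samples = [
        EndpointEvent("host-01", "alice", "powershell.exe", "explorer.exe"),
        EndpointEvent("host-02", "bob", "powershell.exe", "winword.exe", "198.51.100.7"),
        EndpointEvent("host-02", "alice", "powershell.exe", "explorer.exe", "203.0.113.10"),
    ]
    for ev in samples:
        d = triage(ev)
        print(f"{ev.user}@{ev.host} {ev.process}: {d.verdict} ({d.score}) {d.actions}")
```

The same raw event, an admin tool starting on an endpoint, lands in three different buckets depending only on context: an admin working inside an approved change is suppressed, the same admin outside a change window produces one alert for the SOC, and a non-admin whose spreadsheet spawned the tool and reached out to a never-seen address is blocked automatically, which is the left-of-boom outcome the text describes.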
These are just some examples in which context-sensitive defense can significantly improve the response to cyber-attacks. Most importantly, these responses all occur “left of boom,” or before the attacker detonates their digital payloads, whether that be destructive malware or a ransomware attack.
With the strain security teams are under nowadays, any help before an attack is successful is certainly going to be welcome.