Security Analytics with Elastic Machine Learning

It may sound clichéd to say that managing security threats inside an enterprise environment isn't what it used to be, but it is the honest truth. The question is no longer whether portions of your environment are compromised, but when you will find out.

In other words, most security professionals now take the posture that assets within their control have already been compromised, and that active measures must be taken on a daily basis to find the Indicators of Compromise (IoCs) that such breaches leave behind.

This is not to say that you should give up on perimeter security as if the effort were moot; security teams still need a solid set of rules and policies to safeguard internal assets from outside threats trying to get into the environment. Firewalls and other perimeter defense techniques are as relevant as ever. However, the threat is not always outside looking in. You must also try to prevent someone on the inside from reaching out and facilitating a compromise, for example by falling for an email phishing campaign or by visiting a compromised website whose drive-by download installs malware. Some conservative organizations mitigate this by being very selective about which outside websites are even reachable from within the company network.

Even though your perimeter rules and corporate policies may be prudent, they will not suffice on their own. Security professionals now orient their daily tasks around threat intelligence programs that help them understand the following:

  • Which types of attacks and adversaries are currently prominent
  • What goals and objectives attackers would pursue in the organization
  • What methodologies malicious actors are employing to infiltrate organizations

These key concepts allow security teams to understand the motivation of their adversaries, perform threat hunting, and mitigate risk.

It then comes down to anticipating attacks that grow more sophisticated over time. In other words, the challenge for IT security professionals is making the data actionable so that they can do the following:

  • Detect IoCs in near real time
  • Prioritize these incidents based on the risk to the organization
  • Proactively contain and/or resolve the incident

The most critical part of the preceding points is scale: scaling the technical infrastructure to cope with the massive amount of information, and scaling the human understanding of that data, all while fighting an ever-changing landscape of attacks.

In this chapter, we will cover the following topics:

  • How to use Elastic ML to detect behavior-based anomalies
  • Understanding the details of a long vector attack
  • Threat hunting for those details of an attack
  • Taking actions based on the analytics results