There was a time not long ago when IT professionals believed that patching was the path to redemption: “If we can only identify all our vulnerable systems and apply the proper patches to them, then attackers won’t be able to get a foothold,” the reasoning went. Frustrated by the absence of an easy way in, malicious hackers would move on to a different target and pick lower-hanging fruit.
That was a nice theory. Unfortunately, history has proven the theory wrong. Just in recent months, sophisticated and coordinated hacking campaigns against prominent financial services institutions, retail stores, high tech firms and government agencies demonstrated that the threat environment has fundamentally changed. Today, even reputable web sites can be “watering holes” armed with code to exploit previously unknown vulnerabilities on systems used by visitors to the site. Adversaries employing these techniques aren’t likely to be dissuaded by organizations that merely do a “pretty good” job managing security.
Once they have a foothold within an organization, sophisticated attackers use their victim's access permissions to move laterally through the IT environment, stepping carefully from low-value end-user systems to the critical file shares, databases and application servers that store sensitive data and intellectual property.
“The fact is that both advanced and unsophisticated attacks can start with the exploitation of a software vulnerability,” said Marc Maiffret, BeyondTrust’s chief technology officer. “But by the time attackers start going after servers and data, they’re not hacking anymore. They’re leveraging their access to move through the environment as an ordinary user would.”
Vulnerabilities Outside, Privileges Inside
If the “how” and “why” of sophisticated attacks are well known, why is it that so many technologically sophisticated firms fall victim to these attacks? One explanation is that many organizations still have a hard time assessing their real risks and allocating resources to them. This is in spite of gigantic IT security investments in the last decade.
Even today, security professionals often have blinkered views of their IT environments. Vulnerability management tools show which IT assets contain high-risk (that is, exploitable) vulnerabilities and allow security staff to rank or weight those assets according to their importance to the organization. However, IT staff often lack a corresponding view of user activity on the network: which accounts are logging on from which systems, and what those accounts can reach. That means even the most tenacious vulnerability management program will fail to stop sophisticated attacks that move quickly from exploits on low-value systems to higher-value assets, leveraging legitimate user access in the process.
On the operations side of the IT department, administrators are swimming in logs of application events and user behavior, but cannot see the "forest" of malicious activity for the "trees": a flood of innocuous-seeming commands, access requests and account creations.
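The two blind spots above (asset risk without user activity, and user activity without asset risk) are really one missing join. The script below is an added example, not code from the article or from BeyondTrust: it joins a constructed asset inventory (value tier and an "exploitable vulnerability present" flag, the kind of data a scanner plus a CMDB would supply) with constructed syslog-style logon and account-creation events, so that a chain of individually legitimate-looking actions is scored as lateral movement. Host names, account names, the log format and the scoring thresholds are all assumptions for illustration.

```python
"""Correlate asset risk with user activity to expose lateral movement.

Added example; not from the article or BeyondTrust. The inventory, the
log lines and their format are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory: value tier (1 = low, 5 = crown jewels) and
# whether the scanner currently reports an exploitable vulnerability.
ASSETS = {
    "WS-112": {"value": 1, "exploitable": True},   # unpatched user workstation
    "WS-140": {"value": 1, "exploitable": False},
    "FS-01":  {"value": 3, "exploitable": False},  # file share holding IP
    "DB-07":  {"value": 5, "exploitable": False},  # customer database
}

# Constructed log lines. Read one at a time, every line is routine.
LOG_LINES = """\
2024-03-04T09:58:10 LOGON user=jdoe src=WS-112 dst=WS-112 result=success
2024-03-04T10:03:41 LOGON user=jdoe src=WS-112 dst=FS-01 result=success
2024-03-04T10:05:02 USERADD user=svc_sync by=jdoe host=FS-01
2024-03-04T10:06:30 LOGON user=svc_sync src=FS-01 dst=DB-07 result=success
2024-03-04T10:10:00 LOGON user=asmith src=WS-140 dst=FS-01 result=success
2024-03-04T11:30:00 LOGON user=jdoe src=WS-112 dst=WS-112 result=success
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>LOGON|USERADD) (?P<kv>.*)$")
UNKNOWN_ASSET = {"value": 1, "exploitable": False}  # hosts missing from the CMDB


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse(lines):
    """Turn the constructed key=value lines into Event objects; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in m["kv"].split())
        events.append(Event(datetime.fromisoformat(m["ts"]), m["kind"], kv))
    return events


def detect_lateral_movement(lines, window=timedelta(minutes=30), min_gain=2):
    """Alert when an identity whose chain began on an exploitable host reaches a
    host at least `min_gain` value tiers higher within `window`.  Accounts
    created by that identity are folded into the same chain, so the hop made
    with the new account is attributed back to the original foothold."""
    origins = {}   # root identity -> (host where the chain started, start time)
    parent = {}    # created account -> account that created it
    alerts = []
    for ev in sorted(parse(lines), key=lambda e: e.ts):
        f = ev.fields
        if ev.kind == "USERADD":
            parent[f["user"]] = f["by"]
            continue
        if f.get("result") != "success":
            continue
        user, src, dst = f["user"], f["src"], f["dst"]
        root = user
        while root in parent:            # walk back to the human who started it
            root = parent[root]
        if root not in origins or ev.ts - origins[root][1] > window:
            origins[root] = (src, ev.ts)  # new chain starts here
        origin_host = origins[root][0]
        origin = ASSETS.get(origin_host, UNKNOWN_ASSET)
        target = ASSETS.get(dst, UNKNOWN_ASSET)
        gain = target["value"] - origin["value"]
        if origin["exploitable"] and gain >= min_gain:
            alerts.append({
                "root": root, "user": user, "origin": origin_host,
                "target": dst, "gain": gain,
                "via_created_account": user != root,
                "at": ev.ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_movement(LOG_LINES):
        print(a)
```

Run on the constructed lines, the logon from the unpatched workstation to the file share and the later logon by the freshly created svc_sync account into the database both surface as alerts rooted at jdoe; asmith's logon from a patched workstation and jdoe's later console logon do not. Without the inventory join, the 10:06 event is just a service account talking to a database, and without the account-creation link it is not even jdoe's.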