As our customer base has grown, the variety of opinions about what constitutes a threat has grown with it. This variety creates challenges for products like ours, which strive to supply the right epiphanies with little or no configuration required by our customers.
One example of this comes up when we’ve detected what we call “external remote access” behavior in the network. This detection identifies remote control of a host inside an organization’s network by an entity outside the network (in this context, “outside” means not connected via VPN), over a connection that the internal host itself initiated.
An example of this would be a desktop sharing application such as GoToMyPC where an employee decides to make her desktop accessible via her smartphone while she is out of the office. Scarier examples include Remote Access Tools (RATs) such as Poison Ivy, DarkComet or Blackshades that provide the same functionality, but are more highly correlated with targeted attacks.
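To make the behavior described above concrete, here is an added example (not the product's own detection algorithm) of a simple heuristic that flags a session as "external remote access": the connection is initiated by an internal host toward an address that is neither on the LAN nor in the VPN pool, the session is long-lived, and the outside party drives it with small inbound commands that the internal host answers with larger replies. The address ranges, thresholds, flow-record format and sample flows are all assumptions constructed for the example.

```python
"""Illustrative "external remote access" heuristic over constructed flow records.

Added example, not the original page's or any product's detection logic.
The networks, thresholds and sample flows below are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed address plan: RFC 1918 space is the campus LAN; the VPN pool is a
# separate range whose peers count as "inside" for this detection.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPN_POOL = ip_network("198.51.100.0/24")  # assumed VPN client pool (documentation range)


@dataclass
class Flow:
    initiator: str                      # host that opened the connection
    responder: str                      # host that accepted it
    responder_port: int
    duration_s: float
    # Ordered application messages as (direction, bytes);
    # "in" = responder -> initiator, "out" = initiator -> responder.
    msgs: List[Tuple[str, int]] = field(default_factory=list)


def is_inside(ip: str) -> bool:
    """True for LAN hosts and VPN-connected peers (both are 'inside')."""
    addr = ip_address(ip)
    return addr in VPN_POOL or any(addr in net for net in INTERNAL_NETS)


def is_external_remote_access(flow: Flow, min_duration_s: float = 300.0,
                              min_command_pairs: int = 10,
                              max_command_bytes: int = 200) -> Tuple[bool, str]:
    """Return (flagged, reason). Thresholds are assumed values for illustration."""
    # 1. Direction: the internal host initiated the connection to an outside host.
    if not is_inside(flow.initiator):
        return False, "initiator is not an internal host"
    if is_inside(flow.responder):
        return False, "responder is inside (LAN or VPN), not external"
    # 2. Persistence: remote-control sessions tend to stay up for a long time.
    if flow.duration_s < min_duration_s:
        return False, "session too short to look like remote control"
    # 3. Control pattern: small inbound command, each followed by an outbound reply,
    #    with the internal host sending more than it receives overall.
    pairs = inbound = outbound = 0
    for i, (direction, nbytes) in enumerate(flow.msgs):
        if direction == "in":
            inbound += nbytes
            next_is_reply = i + 1 < len(flow.msgs) and flow.msgs[i + 1][0] == "out"
            if nbytes <= max_command_bytes and next_is_reply:
                pairs += 1
        else:
            outbound += nbytes
    if pairs < min_command_pairs:
        return False, f"only {pairs} command/response pairs"
    if outbound <= inbound:
        return False, "internal host mostly receives data (looks like a download)"
    return True, f"{pairs} command/response pairs; outbound {outbound}B > inbound {inbound}B"


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS: Dict[str, Flow] = {
    # Long-lived, outbound-initiated, outside party sends small commands, host answers.
    "remote_control": Flow("10.1.2.3", "203.0.113.7", 443, 3600.0,
                           msgs=[("in", 64), ("out", 4096)] * 15),
    # Ordinary HTTPS download: host sends small requests, receives large responses.
    "download": Flow("10.1.2.3", "203.0.113.9", 443, 400.0,
                     msgs=[("out", 300), ("in", 1400)] * 50),
    # Same control pattern, but the controlling peer is on the VPN: not "external".
    "vpn_admin": Flow("10.1.2.3", "198.51.100.20", 443, 3600.0,
                      msgs=[("in", 64), ("out", 4096)] * 15),
    # Connection opened from outside: a different detection's job, not this one's.
    "inbound_rdp": Flow("203.0.113.7", "10.1.2.3", 3389, 3600.0,
                        msgs=[("out", 64), ("in", 4096)] * 15),
}


def classify(flows: Dict[str, Flow]) -> Dict[str, bool]:
    """Run the heuristic over a set of labelled flows and return label -> flagged."""
    return {label: is_external_remote_access(flow)[0] for label, flow in flows.items()}


if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        flagged, reason = is_external_remote_access(flow)
        print(f"{label:15s} {'FLAG' if flagged else 'ok  '}  {reason}")
```

Only the first sample trips the heuristic; the download, the VPN-connected administrator and the inbound-initiated session are all rejected at different steps, which is the kind of distinction that decides whether a customer regards the detection as noise or as a real threat.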
The presence of external remote access detections in a customer’s networks usually leads to a discussion that places the customer in one of the following two categories:
Threat scoring is an extremely malleable idea. When rational customers don’t agree on the importance of detecting something as potentially dangerous as allowing a connection from the outside into the core of their campus networks, it’s clear that the threat is in the eye of the beholder.