There will always be pros and cons about “Is more always better?” but in the context of cyber security, I believe that more information is always better. That’s because more information about attacks, user actions, behaviors, etc., provides security practitioners with what they need to more effectively protect their organizations.
However, you’ve got to be careful about the “more” that you are being given.
Why? Well, let’s start with the fact that threats are getting increasingly sophisticated, to the point where it’s widely agreed that perimeter security alone is no longer a sufficient defense. That’s because it’s no longer a black-and-white world, where perimeter defenses can definitively categorize something as a threat. We are now operating in a world of gray, where things are more ambiguous and it takes significant skill to accurately pinpoint something as a threat. These sophisticated threats are the key reason that security analysts have come to accept as fact that, for certain classes of threats, perimeter defenses will be breached.
The onus then falls to security monitoring and response systems, operating within the corporate network, to quickly unearth these threats in order to minimize their impact. But in a world of gray, traditional monitoring and response systems based on rules can’t cope. You can write a rule to flag a known threat but that doesn’t work with advanced threats since they are unknown. What these systems will do with any activity that looks vaguely suspicious is to flag it as something to investigate, thus adding to the alert “white noise” problem rather than alleviating it.
The combination of advanced threats, porous perimeter defenses, numerous siloed IT systems, and traditional monitoring and response systems that can’t cope results in huge volumes of data (in the form of alerts about potentially suspicious activities) being pushed at analysts. One estimate is 10,000 security events per day for the average company. Some have it far worse at 10 million attacks per day. That translates into an overwhelmed security team, which is not great for productivity – after all, real security begins and ends with people.
What’s really needed is more of the right kind of information, the type that helps security analysts better protect their organizations by enabling them to effectively and efficiently separate the real from the innocuous. However, getting this information is easier said than done because it requires an approach that automatically identifies threats, even the unknown ones, within the oceans of data.
An orchestration of machine learning and big data changes things. Big data provides distributed computing and storage capabilities that make economic sense. Machine learning, operating on huge volumes of varied data, provides the advanced insights. This higher order information provides security practitioners with the machine assist needed to make better decisions.
And it’s an assist, not a replacement because, face it, on the other side it’s not solely machines but smart humans who are leveraging machines and constantly trying to breach defenses. The higher order information enabled through the combination of big data and machine learning magnifies the expertise of your security team, allowing them to stay a few steps ahead.
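To make the rules-versus-learned-baselines contrast concrete, here is a small added illustration (my own code, not from the original post or any product it describes). The login events are constructed, and the per-user baseline is a simple mean/standard-deviation model of login hour: a static "outside business hours" rule flags every one of bob's routine night-shift logins, while the baseline ranks only alice's unusual login as worth an analyst's time.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, login_hour). Not real data.
HISTORY = [
    ("alice", 9), ("alice", 10), ("alice", 9), ("alice", 11), ("alice", 10),
    ("bob", 22), ("bob", 23), ("bob", 22), ("bob", 21), ("bob", 23),
]
NEW = [
    ("alice", 23),  # unusual for alice: she normally logs in mid-morning
    ("bob", 22),    # routine for bob: he always works nights
]

def rule_alerts(events, start=9, end=17):
    """Static rule: flag any login outside business hours.
    Knows nothing about who is normally active when, so it flags
    bob's entire routine as suspicious (alert "white noise")."""
    return [e for e in events if not (start <= e[1] < end)]

def build_profiles(history, min_std=0.5):
    """Per-user baseline of login hour (mean and population std dev).
    min_std floors the spread so a perfectly regular user does not
    produce a divide-by-zero and so tiny deviations are not over-scored."""
    hours = defaultdict(list)
    for user, hour in history:
        hours[user].append(hour)
    return {u: (mean(h), max(pstdev(h), min_std)) for u, h in hours.items()}

def baseline_alerts(history, new_events, threshold=3.0):
    """Score each new event by how many standard deviations its hour
    sits from that user's own baseline; return (user, hour, z) above
    the threshold, highest score first. Hour wrap-around (23 -> 0) is
    ignored for simplicity; a real model would use a circular distance."""
    profiles = build_profiles(history)
    scored = []
    for user, hour in new_events:
        if user not in profiles:
            continue  # unseen user: no baseline yet, handle separately
        mu, sigma = profiles[user]
        z = abs(hour - mu) / sigma
        if z >= threshold:
            scored.append((user, hour, round(z, 2)))
    return sorted(scored, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    print("rule alerts:", len(rule_alerts(HISTORY + NEW)))  # 7 of 12 events
    print("baseline alerts:", baseline_alerts(HISTORY, NEW))  # only alice
```

The rule produces seven alerts out of twelve events, six of them for bob's normal behaviour; the baseline produces one, for alice, and carries a score an analyst can use to prioritise it.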