Cyber attacks happen regularly and make the news, despite many organizations investing significantly in cyber defenses, sometimes to the tune of hundreds of millions of dollars. In the past, there was a certain malaise around these breaches, with affected companies getting a slap on the wrist, suffering some embarrassment in the press, maybe paying a small fine and then getting back to business as usual. But things are different now, and the impact of a breach has far more significant consequences. Fines are much larger (e.g., FCC imposes record-breaking $25 million fine). Jobs can be lost (e.g., Sony co-chairman was fired). Real money gets stolen (e.g., Cybercrime ring steals $1 billion from banks). Physical damage occurs (e.g., German steel mill suffers massive damage due to cyber attack). Business grinds to a halt (e.g., DDoS attack grounds Poland’s national airline). And organizations often suffer a massive loss of reputation (e.g., OPM breach compromises personal records of 4.2 million).
And that’s not the worst of it. Given how creative hackers have become, it’s no longer sufficient to figure out that an attack happened and deal with the consequences. You need to be able to find what else may have been affected, and whether the attackers used the breach to install another slumbering attack that can strike in the future.
Both are easier said than done, though figuring out what else may have been affected is comparatively simpler: at least you know what to look for. If your organization maintains a repository of the necessary information, you can search it for the appropriate indicators of compromise (IoCs). Of course, I’m grossly simplifying things. The information needed is generally not centrally available in one repository, which means analysts have to search across multiple data silos. Most organizations also don’t retain records for nearly long enough. How can an analyst search for a specific IoC going back six months, a year, or more to find who and what was affected by the most recent breach? Clearly, figuring out who and what else may have been affected, even once you know about an attack, is no easy feat.
However, the more challenging problem is figuring out what slumbering attacks are still lurking within your organization. But where do you begin when you don’t know what you are looking for? The skills of advanced security professionals become important in this situation. They can use intuition, honed through experience, to propose and test hypotheses and hunt for threats.
Modern IT systems produce huge volumes of data with relevant security information embedded within. Manually combing through all the data is not feasible (especially given the shortage of experienced cyber security talent), yet leaving data unexamined can result in attacks being overlooked. In the quest to unearth sophisticated, slowly gestating attacks, analysts clearly need help wading through these oceans of data and rapidly testing hypotheses.
This is where a comprehensive security analytics platform, such as Niara’s, can play a significant role. Niara’s big data architecture makes sophisticated analytics and long-term data retention economically feasible.
Niara’s solution continuously applies both behavioral analytics and discrete analytics to the reams of data coming in. When appropriate, alerts are raised for immediate attention. Even when the analytics don’t generate an alert, each record is still tagged with the output of the analytics (e.g., the HTTP hop count). This provides a higher-order taxonomy that isn’t available from raw data alone: an analyst can, for example, search directly for HTTP hop counts greater than one, which often indicate the presence of malware. The benefit of this continuous enrichment is that when analysts need to test hypotheses, they can query the tags immediately instead of first analyzing the raw data.
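To make the enrich-then-hunt idea concrete (and the retrospective IoC search described earlier), here is a small added example of the pattern in Python. It is not Niara’s code; the log records are constructed, and it assumes that the HTTP hop count is the number of intermediaries listed in the request’s Via header.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample HTTP proxy-log records (not real data): one direct request,
# one that passed through a single proxy, one that traversed two proxies.
SAMPLE_HTTP_LOG = [
    {"ts": "2015-01-10T08:00:01Z", "src": "10.0.0.5", "host": "intranet.example", "via": ""},
    {"ts": "2015-03-02T09:15:07Z", "src": "10.0.0.9", "host": "cdn.example.net", "via": "1.1 proxy-a"},
    {"ts": "2015-06-20T22:41:12Z", "src": "10.0.0.9", "host": "update.example.org",
     "via": "1.1 proxy-a, 1.0 relay-b"},
]

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def http_hop_count(record):
    """Derive the HTTP hop count from the Via header: one comma-separated entry
    per intermediary (assumption made for this example)."""
    return len([entry for entry in record.get("via", "").split(",") if entry.strip()])

def enrich(records):
    """Tag every raw record with analytic output at ingest time, so later hunts
    query the stored tag instead of re-deriving it from the raw data."""
    enriched = []
    for raw in records:
        tagged = dict(raw)
        tagged["ts"] = parse_ts(raw["ts"])
        tagged["hop_count"] = http_hop_count(raw)
        enriched.append(tagged)
    return enriched

def hunt_multi_hop(enriched):
    """Hypothesis test over the higher-order taxonomy: hop count greater than one."""
    return [r["host"] for r in enriched if r["hop_count"] > 1]

def search_ioc(enriched, ioc, now_iso, lookback_days=365):
    """Retrospective IoC search: which sources touched the IoC (a host or address)
    within the retention window ending at now_iso?"""
    since = parse_ts(now_iso) - timedelta(days=lookback_days)
    return sorted({r["src"] for r in enriched
                   if r["ts"] >= since and ioc in (r["host"], r["src"])})

if __name__ == "__main__":
    store = enrich(SAMPLE_HTTP_LOG)
    print("multi-hop hosts:", hunt_multi_hop(store))
    print("sources that reached update.example.org in the last year:",
          search_ioc(store, "update.example.org", "2015-07-01T00:00:00Z"))
```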
Having forensics integrated into the platform permits immediate access to contextually relevant evidence – no more having to pivot between siloed systems. But innovations like data reduction, policy-based packet retention and real-time compression coupled with the underlying big data architecture take it a step further by enabling the retention of the supporting evidence for significantly longer time periods. As a result, figuring out who and what else may have been affected when you don’t know what you are looking for becomes so much easier, even if you have to look really far back in time.
An unfortunate fact of the modern attack landscape is that your defenses will be breached. Your task is to make sure you are able to find the attack as it unfolds, not after the damage has been done, speeding both detection and remediation. Security analytics that integrate behavioral analytics and forensics make that possible, quickly limiting the damage a given attack can inflict.