Cybersecurity is often disappointing – but not for lack of innovation. What was state-of-the-art a few years ago can quickly become ineffective in an attack landscape dominated by newer, more sophisticated threats. Perimeter defenses (e.g., firewalls, IDS) and security monitoring technologies (e.g., SIEMs) are effective against known threats: they use signatures and rules to match behavior that has already been described and catalogued. However, when the threat is unknown (e.g., an advanced multi-stage attack for which no signature or rule yet exists), these traditional technologies have nothing to match against and fail.
But these advanced attacks are becoming increasingly common, with cyber criminals regularly employing multi-stage attack techniques to bypass perimeter defenses. Once on the inside, they can evade detection for long periods of time, even while laterally spreading out across the organization and resulting in devastating attacks.
We are no longer in a binary world where existing security systems can categorically and accurately classify every threat and attack. But lowering the bar and generating alerts on anything that merely looks suspicious (e.g., creating an overly broad rule in a SIEM) just increases alert noise and adds to analyst fatigue: most of what such a rule fires on isn’t harmful, and someone still has to triage it. Decreased analyst efficiency is not a desired outcome for any organization, especially given the acute shortage of qualified security personnel.
We need to think about a new way to combat attacks. My first thought is of Neil Sedaka’s song “Breakin’ Up is Hard to Do” because something fresh and new is needed.
Neil Sedaka, “Breakin’ Up is Hard to Do”: https://www.youtube.com/watch?v=tbad22CKlB4
However that (i.e., breaking up with perimeter defenses and SIEMs) isn’t a realistic option. You’ll still need protection against known attacks that can be caught by rules and signatures.
What this change in the attack landscape presents is the opportunity to take up an additional love interest, one that will help you combat these new threats: security analytics. The trick to getting this new relationship right is addressing three criteria. Meeting them is what lets security analytics have a profound, positive impact on your ability to detect attacks that rules and signatures miss.
- Behavioral analytics that use machine learning must be the foundation. Security analytics should use unsupervised and semi-supervised techniques to learn what normal looks like for each user, host and application and to surface deviations from it on their own (remember, these advanced threats are unknown, so there is nothing to tell the system what to look for in advance). Alongside those, it should use supervised techniques to judge whether an anomaly shows malicious intent – just because something is anomalous (a nightly backup, a new SaaS tool, a reorganized team) doesn’t automatically mean it is harmful, and flagging every deviation just recreates the alert-noise problem.
- To provide the most accurate portrayal of an attack, security analytics must be able to draw on a comprehensive mix of data sources (e.g., packets, network flows, logs, files, alerts and threat intelligence feeds). SIEMs, for example, rely primarily on logs, and recent research (not cited here) reports that 99 percent of successful attacks went undetected by logs alone. While all of these sources are within reach for most organizations, some are more readily available than others, often because departmental silos (the network team owns the packet capture, the identity team owns the authentication logs) prevent easy access. So security analytics must be able to work with whatever combination of data is available (e.g., packets only, logs only, packets and logs, etc.). But make no mistake – access to more of the right data sources translates into superior results, because an attack that is invisible in one source is frequently obvious when two are correlated.
- Finally, it’s not sufficient to simply flag something as a security alert. There will be situations where security analysts will need to investigate why a potential threat was flagged. Getting this context shouldn’t require the analyst to waste time by pivoting between multiple siloed systems. To support analyst efficiency, forensics must be integrated with the analytics, going all the way down to the packet level, and be accessible from within the same solution.
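The three criteria above describe a pipeline: correlate several data sources into per-entity features, learn a baseline per entity without labels, score only the deviations for malicious intent, and hand the analyst the reasons for the verdict. The following is an added example of that pipeline in plain Python; it is not code from the original post or from any vendor product. The flow summaries, authentication log entries, host names, hours and threat-intel indicators are all constructed for the example (the 10.0.x.y, 203.0.113.x and 198.51.100.x addresses are private/documentation ranges). Stage 1 is a genuinely unsupervised baseline (median and median absolute deviation per host); stage 2 uses hand-set weights as a stand-in for a supervised classifier that would normally be trained on labelled incidents.

```python
"""Two-stage security analytics sketch: unsupervised per-host baseline,
then an intent score applied only to the anomalies. Added example; the
records below are constructed, not real telemetry."""
from collections import defaultdict
from statistics import median

# Constructed threat-intel feed: destinations known to be bad.
TI_FEED = {"203.0.113.7", "198.51.100.23"}


def _hour(host, hour, bytes_out, n_dst, extra=()):
    """Build one constructed hourly flow summary for a host."""
    dsts = [f"10.0.{hour}.{i}" for i in range(n_dst)] + list(extra)
    return {"host": host, "hour": hour, "bytes_out": bytes_out, "dsts": dsts}


# Constructed flow summaries (network source). Hour 6 is the interesting one:
# ws-17 runs a large nightly backup to a single internal host (benign), while
# ws-22 fans out to 48 destinations including a TI-listed address.
FLOW_HOURS = [
    _hour("ws-17", 0, 120, 5), _hour("ws-17", 1, 130, 6), _hour("ws-17", 2, 125, 5),
    _hour("ws-17", 3, 118, 4), _hour("ws-17", 4, 135, 6), _hour("ws-17", 5, 128, 5),
    _hour("ws-17", 6, 9000, 1),
    _hour("ws-22", 0, 200, 3), _hour("ws-22", 1, 210, 4), _hour("ws-22", 2, 205, 3),
    _hour("ws-22", 3, 195, 3), _hour("ws-22", 4, 215, 4), _hour("ws-22", 5, 208, 3),
    _hour("ws-22", 6, 260, 47, extra=["203.0.113.7"]),
]
# Constructed authentication log summaries (log source): (host, hour, failed logins).
AUTH_LOGS = [("ws-17", 2, 1), ("ws-22", 6, 14)]

BASELINE_FEATURES = ("bytes_out", "dst_count", "auth_fail")


def build_features(flow_hours=FLOW_HOURS, auth_logs=AUTH_LOGS, ti=TI_FEED):
    """Correlate flows, auth logs and threat intel into one row per host-hour."""
    fails = {(h, hr): n for h, hr, n in auth_logs}
    rows = []
    for f in flow_hours:
        rows.append({
            "host": f["host"], "hour": f["hour"],
            "bytes_out": f["bytes_out"],
            "dst_count": len(f["dsts"]),
            "auth_fail": fails.get((f["host"], f["hour"]), 0),
            "ti_hits": sum(d in ti for d in f["dsts"]),
        })
    return rows


def robust_z(values, x):
    """Robust z-score (median / MAD). MAD is floored at 1.0 so a feature that is
    constant in the baseline does not divide by zero; 0.6745 rescales MAD to
    be comparable with a standard deviation."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return 0.6745 * (x - med) / max(mad, 1.0)


def intent_score(row, z, cutoff):
    """Stand-in for a supervised classifier: hand-set weights on features a
    labelled incident corpus would normally teach. Higher = more attack-like."""
    s = 3 * min(row["ti_hits"], 1)                    # spoke to a known-bad indicator
    s += 2 if z["auth_fail"] > cutoff else 0            # credential guessing / abuse
    s += 1 if z["dst_count"] > cutoff else 0            # fan-out: scanning or beaconing
    s += 1 if z["bytes_out"] > cutoff and z["dst_count"] > cutoff else 0  # wide data egress
    return s


def score_rows(rows, cutoff=3.5):
    """Stage 1: unsupervised per-host baseline. Stage 2: intent score on the
    anomalies only. Every verdict keeps its z-scores as analyst context."""
    by_host = defaultdict(list)
    for r in rows:
        by_host[r["host"]].append(r)
    out = []
    for r in rows:
        peers = by_host[r["host"]]
        z = {k: robust_z([p[k] for p in peers], r[k]) for k in BASELINE_FEATURES}
        anomalous = any(v > cutoff for v in z.values())
        intent = intent_score(r, z, cutoff) if anomalous else 0
        verdict = "investigate" if anomalous and intent >= 3 else "review" if anomalous else "normal"
        out.append({"host": r["host"], "hour": r["hour"], "verdict": verdict,
                    "intent": intent, "z": z, "ti_hits": r["ti_hits"]})
    return out


if __name__ == "__main__":
    for v in score_rows(build_features()):
        if v["verdict"] != "normal":
            why = ", ".join(f"{k} z={val:.1f}" for k, val in v["z"].items())
            print(f'{v["host"]} hour {v["hour"]}: {v["verdict"]} (intent {v["intent"]}; {why}; ti_hits={v["ti_hits"]})')
```

Run stand-alone, the script flags ws-22 hour 6 as "investigate" (TI hit, failed-login spike and fan-out all line up) and ws-17 hour 6 as "review" only: its outbound volume is hundreds of MADs above baseline, but nothing else about it looks hostile, which is exactly the anomalous-but-not-malicious case the first criterion describes. Note that stage 2 only runs on anomalies; a pure indicator match in otherwise normal traffic is still the job of the SIEM rule you are keeping.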
There are many dos and don’ts when starting a new relationship. In my opinion, the combination of behavioral analytics, a comprehensive mix of data sources and integrated forensics gives security practitioners a much-broadened set of capabilities that is potentially game changing. Analysts gain far fuller visibility into attacks, regardless of the subterfuge cybercriminals use. The ability to hunt for threats – which is very much an art – will be greatly enhanced and available over far longer look-back windows than is possible now. Fingertip access to context will elevate the capabilities of the folks on the front line, typically those newer to the field of security, to a whole new level and enable them to add value in ways they previously could not.
Let’s face it: layered security is always going to be the way forward. Get into a new relationship that will benefit your old one by adding a comprehensive security analytics solution to your environment. You’ll be all smiles.