- Ngoc Huynh
Cyber attacks are all over the news, and it seems like no one is immune — Home Depot, Target, Adobe and eBay included. So why are CIOs still fighting cyber criminals with one hand tied behind their backs?
Shockingly, most companies are still relying on outdated, only partially effective methods to protect their sensitive data, mainly with technology that focuses on preventing incoming attacks. But actually stopping bad guys from slipping inside enterprise networks and getting their hands on sensitive data is nearly impossible these days. In fact, among organizations with over 5,000 computers, over 90 percent have an active breach of some sort at any given time. What’s worse, those organizations may not even know about it.
It’s time for CIOs to start focusing on the next line of defense in the war against cyber crime: an emerging area called breach detection, which focuses on identifying long-tail intrusions after they happen and mitigating their damage, partly through the use of big-data technologies. Your company’s information security may depend on it.
Breach Detection — The Last Line of Defense
All these factors point to the need for robust breach detection to provide a “last line of defense” against these attacks, instead of just focusing on blocking the initial wave of the intrusion.
While after-the-fact detection is not a new concept, the old generation of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) technologies generally fall short in today’s data-center environment. Why?
- They rely on pre-defined rules/signatures to detect breaches. In a world of bespoke attacks, such solutions will often miss the most relevant alerts.
- Low signal-to-noise. Imagine being flooded with hundreds or even thousands of alerts per day—each one representing a potential breach to your organization’s most sensitive data. It is no surprise that Target, like many others, missed the warning signs of the attack, like the proverbial forest for the trees.
- Limited visibility due to being deployed at the security perimeter or relying on log files. Without access to a rich data set that expands beyond the perimeter and includes all of the raw information (as opposed to a log file, which is a derivative of it), these tools are undermined in their ability to properly detect threats.
Next-gen breach detection is solving, in essence, a classic big-data problem: To be effective, these tools need to analyze a great variety of data in high volume, and at great velocity, to determine potential breaches. Most important, the tools must be precise; too many false positives and their reports will quickly be ignored, just like the boy who cried wolf.
A new crop of next-generation startups are working on this. They include Aorato, Bit9, Cybereason, Exabeam, Fortscale, LightCyber, Seculert, and Vectra Networks. Rather than relying on detecting known signatures, these companies marry big-data techniques, such as machine learning, with deep cyber security expertise to profile and understand user and machine behavior patterns, enabling them to detect this new breed of attacks. And to avoid flooding security professionals in a sea of useless alerts, these companies try to minimize the number of alerts and provide rich user interfaces that enable interactive exploration and investigation.
To help illustrate how these new technologies work, think of all of the online “breadcrumbs” that an attacker inevitably leaves behind during each step of the attack.
He generates network connections to command and control servers, for example. He moves across the organization in ways that are ever so slightly different from what’s normal; he may use whatever credentials he can get his hands on to try to access sensitive resources (e.g. tries to access proprietary code on development servers using a sales executive’s login). New breach-detection startups can sense all of these movements and changes. Combined with an intimate understanding of how hackers operate, they are able to finally piece together all the puzzle pieces in real-time before more significant damage has occurred.
There is a lot at stake here. In the end, solutions that effectively cut through the noise and point up just a handful of highly relevant, actionable security alerts will likely become an important “last line of defense” and a key component of the next-gen enterprise security stack.
Source : https://techcrunch.com