Traditional defenses stop many attacks but still let some through, and what is needed is better use of the security data that already exists. This has led to a new focus on what has become known as big data analytics. In its simplest form it requires the security team to analyze all of the data produced by all of the point devices within the IT estate, but this in turn suffers from two major drawbacks. Firstly, there are too few personnel able to adequately analyze all of the different elements that make up a threat; and secondly, the sheer volume of data that needs to be analyzed simply swamps the security team.
David Garfield, MD cyber security at BAE Systems Detica, put this in perspective for Infosecurity, in terms of both problem and solution. “One of our customers,” he said, “was receiving 500,000,000 alerts from its security estate every day. This was obviously overwhelming the security team. We were able to bring that down to just 50-100 high impact risks that they needed to investigate and process.” Detica has today released the product in question – CyberReveal – and agreed to talk to Infosecurity about big data analytics in general.
“The tendency to use security point products,” he explained, “is creating an increasingly complex IT security landscape – one that is complex to manage and doesn’t necessarily create a coherent whole story. All of these point devices are firing off all sorts of alerts and events that are entirely overwhelming the security operations teams – and in addition to that they are also very expensive; not just in the equipment, but in the teams required to manage them.
The final point,” he added, “is that this approach is proven to be pretty ineffective – just consider all the very successful attacks by APT groups extracting a huge amount of value out of very many organizations; plus the sophisticated criminal groups coming from eastern Europe perpetrating similar crimes. All of this is happening despite the multi-million pound security spend in the big organizations.” The reason, believes Detica, is that point products typically look for signatures or strong indicators of an attack at a particular point on the estate. “Doing that,” said Garfield, “is inevitably going to fail because the way these attacks work is that no one indicator is a particularly strong indicator – it is the behavior overall that causes the problem and that needs to be monitored rather than any individual action on the network.”
He put this in context. The key, he said, is understanding all the different steps that make up a breach, and being able to correlate both the different events and the sequence in which they happen, wherever and whenever they occur on the estate. “For example,” he explained, “recognizing that a similar email containing a potentially suspicious link has been received by five different people on the network; and that, say, 2 of the 5 opened that email. Then seeing that the PCs of both of those users started to run a process that had not been seen before; and that the process itself was running from the Recycle Bin and causing other things to happen. Any one of these indicators could be insignificant in itself; but it’s when you see all of them connected together in sequence that they become significant and demand a response.”
In theory, all of the steps involved in data analytics can be performed manually; in practice they cannot and are not. “What often happens when a company installs a new IDS system,” said Garfield, “is that the security team gets overwhelmed by the alerts it generates - so they retune it to return just a manageable number of alerts. By definition, the more covert and long term damaging threats are automatically ignored. What automated big data analytics does is allow you to run the point alerting systems at full power; and use the analytics system to sift through the alerts and highlight the high priority problems - it essentially pulls together all the different security tools that you might be running into a single environment with the prioritized view, and allows you to investigate in a very efficient manner.”
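The two points above, the chain Garfield describes (a similar email reaching several users, some of them opening it, a previously unseen process starting from the Recycle Bin and spawning children) and the tuning trade-off in which a per-indicator threshold high enough to be manageable silences every weak indicator, can be shown together in a small correlation engine. The following is an added example written for this page; it is not CyberReveal's code or anything from the article. The event schema, field names, indicator weights, the two-hour window and the sample telemetry are all this example's own assumptions, constructed so that no single indicator scores 3 but the full chain on a host scores 7.

```python
"""Added example: correlate weak indicators into per-host attack chains and
rank the chains, instead of alerting on each indicator in isolation.
Event format, field names, weights and the telemetry below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Weight of each indicator on its own. None reaches 3, so a point product
# retuned to "alert only at weight >= 3" stays silent on all of them.
WEIGHTS = {
    "campaign_email": 1,    # same link hash mailed to several users
    "email_opened": 1,      # a recipient opened a campaign email
    "unseen_process": 2,    # image never seen in the estate baseline
    "recycle_bin_exec": 2,  # image runs from the Recycle Bin
    "child_of_suspect": 1,  # parent is a process flagged earlier in the chain
}
# Step that must already be in a host's chain before an indicator counts.
REQUIRES = {"campaign_email": None, "email_opened": "campaign_email",
            "unseen_process": "email_opened", "recycle_bin_exec": "email_opened",
            "child_of_suspect": "unseen_process"}

# Constructed sample telemetry (not real logs); timestamps are ISO 8601.
EVENTS = [
    {"t": "2013-03-05T09:00:00", "type": "email", "user": "alice", "host": "PC-ALICE", "url_hash": "h1"},
    {"t": "2013-03-05T09:00:02", "type": "email", "user": "bob",   "host": "PC-BOB",   "url_hash": "h1"},
    {"t": "2013-03-05T09:00:04", "type": "email", "user": "carol", "host": "PC-CAROL", "url_hash": "h1"},
    {"t": "2013-03-05T09:00:05", "type": "email", "user": "dave",  "host": "PC-DAVE",  "url_hash": "h1"},
    {"t": "2013-03-05T09:00:07", "type": "email", "user": "erin",  "host": "PC-ERIN",  "url_hash": "h1"},
    {"t": "2013-03-05T09:01:00", "type": "email", "user": "frank", "host": "PC-FRANK", "url_hash": "h9"},
    {"t": "2013-03-05T09:12:10", "type": "email_open", "user": "alice", "host": "PC-ALICE", "url_hash": "h1"},
    {"t": "2013-03-05T09:12:31", "type": "process_start", "host": "PC-ALICE", "pid": 4242, "ppid": 1200,
     "image": r"C:\$Recycle.Bin\S-1-5-21-1\svch0st.exe"},
    {"t": "2013-03-05T09:12:33", "type": "process_start", "host": "PC-ALICE", "pid": 4250, "ppid": 4242,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"t": "2013-03-05T09:15:42", "type": "email_open", "user": "bob", "host": "PC-BOB", "url_hash": "h1"},
    {"t": "2013-03-05T09:16:03", "type": "process_start", "host": "PC-BOB", "pid": 5100, "ppid": 1300,
     "image": r"C:\$Recycle.Bin\S-1-5-21-2\svch0st.exe"},
    {"t": "2013-03-05T09:16:05", "type": "process_start", "host": "PC-BOB", "pid": 5108, "ppid": 5100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"t": "2013-03-05T09:30:00", "type": "process_start", "host": "PC-CAROL", "pid": 7000, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe"},
]
# Baseline of process images already observed across the estate (constructed).
KNOWN_IMAGES = {r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\notepad.exe"}


def find_campaigns(events, min_recipients=3):
    """Link hashes mailed to at least min_recipients distinct users."""
    recipients = defaultdict(set)
    for e in events:
        if e["type"] == "email":
            recipients[e["url_hash"]].add(e["user"])
    return {h for h, users in recipients.items() if len(users) >= min_recipients}


def event_indicators(e, campaigns, known_images):
    """Indicators one event fires by itself, with no knowledge of other events."""
    fired = []
    if e["type"] == "email" and e["url_hash"] in campaigns:
        fired.append("campaign_email")
    elif e["type"] == "email_open" and e["url_hash"] in campaigns:
        fired.append("email_opened")
    elif e["type"] == "process_start":
        if e["image"] not in known_images:
            fired.append("unseen_process")
        if "$recycle.bin" in e["image"].lower():
            fired.append("recycle_bin_exec")
    return fired


def individual_alerts(events, known_images, threshold):
    """What a per-indicator point product retuned to `threshold` would raise."""
    campaigns = find_campaigns(events)
    return [(e["host"], ind) for e in events
            for ind in event_indicators(e, campaigns, known_images)
            if WEIGHTS[ind] >= threshold]


def correlate(events, known_images, window=timedelta(hours=2)):
    """Chain indicators per host in time order; returns chains sorted by score."""
    campaigns = find_campaigns(events)
    chains = {}
    for e in sorted(events, key=lambda ev: ev["t"]):
        t = datetime.fromisoformat(e["t"])
        inds = event_indicators(e, campaigns, known_images)
        host = e["host"]
        if "campaign_email" in inds:  # a campaign email opens a fresh chain for the host
            chains[host] = {"host": host, "user": e["user"], "steps": [],
                            "score": 0, "last": t, "suspect_pids": set()}
        chain = chains.get(host)
        if chain is None or t - chain["last"] > window:
            continue  # no chain on this host, or the chain has gone stale
        if e["type"] == "process_start" and e.get("ppid") in chain["suspect_pids"]:
            inds.append("child_of_suspect")
        for ind in inds:
            seen = {name for name, _ in chain["steps"]}
            if REQUIRES[ind] is not None and REQUIRES[ind] not in seen:
                continue  # out of sequence on this host: does not count
            chain["steps"].append((ind, e["t"]))
            chain["score"] += WEIGHTS[ind]
            chain["last"] = t
            if ind in ("unseen_process", "recycle_bin_exec"):
                chain["suspect_pids"].add(e["pid"])
    return sorted(chains.values(), key=lambda c: -c["score"])


def prioritise(chains, min_score=4):
    """The short list a smaller team would actually work through."""
    return [(c["host"], c["user"], c["score"], [s for s, _ in c["steps"]])
            for c in chains if c["score"] >= min_score]


if __name__ == "__main__":
    print("per-indicator alerts at threshold 3:", individual_alerts(EVENTS, KNOWN_IMAGES, 3))
    for host, user, score, steps in prioritise(correlate(EVENTS, KNOWN_IMAGES)):
        print(f"{host} ({user}) score={score}: {' -> '.join(steps)}")
```

On the constructed data, `individual_alerts` at threshold 3 returns nothing (the tuned-down IDS of the quote), while `correlate` produces five chains, of which only PC-ALICE and PC-BOB exceed the chain threshold; the three recipients who never opened the email stay at score 1 and drop out of `prioritise`. The `REQUIRES` map is what enforces the sequence: a process starting from the Recycle Bin on a host whose user never opened the campaign email would score nothing here, which is a deliberate simplification; a real system would want such a process to seed its own chain rather than be discarded.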
The result, he claims, is that because the analytics allows a smaller team to do more efficient analysis and remediation, the primary effect of big data analytics is security that is both more effective and more cost-efficient.