The threats faced by businesses today range from global phenomena, such as oil prices and stock market fluctuations, right down to the tiniest actions. Many large-scale threats exist – and they get a lot of attention from businesses. However, the biggest danger is presented by seemingly small threats, which are often in plain sight.
The rise of insider threats is something very real. As companies grow and the data that they create expands, it’s becoming easier and easier for these threats to hide within a company’s network.
Organizations should be conscious of the risk of employees misusing their legitimate access to systems and information. It’s also important to realize that procuring user details has become simpler for hackers than breaking through increasingly complex firewalls.
Once inside a company’s network, free rein could follow, especially when you consider that attackers are present on a victim network for an average 229 days before they are discovered, according to Mandiant’s 2014 M-Trends Report.
That is, unless companies can effectively analyze their machine data – from security devices but also network data, logins, badge swipes, application usage, website visits and so on – to bolster security. Current security practices are often rules-based, but there’s an essential shift that’s starting to happen.
Security measures need to be focused on analytics. They need to understand risks and match them against the context of business as usual. Compromised user credentials are the new attack surface – and businesses need to spot the difference between a genuine user and a compromised profile.
It’s not easy to know what this looks like. It requires an adaptation of existing practices and an understanding of the ‘normal’ behavior baseline. Establishing this baseline will also help to catch malicious insiders, or someone trying to cover their tracks, as well as dangerous intruders.
The key is being able to analyze machine data in real time to uncover anything anomalous. The barrier for most companies is an operational one. This kind of approach requires a strong commitment to logging, analyzing and correlating data from across the whole IT estate.
It’s the only way to spot anomalies. It could be something as small as someone who works 9-5 using the printer at midnight, or more obvious threats such as repeated access requests to high value information by an employee who has recently handed in their notice. Finding the anomalies in everyday activities is the only way to spot modern threats, which do not conform to the rules-based approaches of many security strategies.
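The two anomalies just described, as an added illustration that is not part of the original article: a per-user baseline of the hours each person is normally active is built from a constructed history log, then new events are checked against it, and repeated access to a high-value resource by someone who has handed in their notice is counted. The log format, the `HIGH_VALUE` set, the `GAVE_NOTICE` set and the repeat threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real data: "timestamp|user|action|resource".
BASELINE_LOG = """
2014-06-02T09:12:00|alice|print|printer-3
2014-06-02T10:40:00|alice|file_read|shared/reports/q1.xlsx
2014-06-03T09:05:00|alice|print|printer-3
2014-06-03T16:30:00|alice|file_read|shared/reports/q2.xlsx
2014-06-02T08:55:00|bob|file_read|hr/salaries.xlsx
2014-06-03T09:10:00|bob|file_read|hr/salaries.xlsx
""".strip()

NEW_LOG = """
2014-06-10T00:07:00|alice|print|printer-3
2014-06-10T09:30:00|alice|file_read|shared/reports/q3.xlsx
2014-06-10T09:01:00|bob|file_read|hr/salaries.xlsx
2014-06-10T09:02:00|bob|file_read|hr/salaries.xlsx
2014-06-10T09:03:00|bob|file_read|hr/salaries.xlsx
2014-06-10T09:04:00|bob|file_read|hr/salaries.xlsx
""".strip()

HIGH_VALUE = {"hr/salaries.xlsx"}  # assumed classification of sensitive resources
GAVE_NOTICE = {"bob"}              # assumed HR feed of employees who have resigned
REPEAT_THRESHOLD = 3               # assumed: third access in the window raises an alert

def parse(log):
    for line in log.splitlines():
        ts, user, action, resource = line.split("|")
        yield datetime.fromisoformat(ts), user, action, resource

def build_baseline(log):
    """Hours of the day in which each user has previously been active."""
    hours = defaultdict(set)
    for ts, user, _, _ in parse(log):
        hours[user].add(ts.hour)
    return hours

def find_anomalies(baseline, log):
    """Return (user, anomaly_type, detail) tuples for events outside the baseline."""
    alerts, high_value_hits = [], defaultdict(int)
    for ts, user, action, resource in parse(log):
        # Activity at an hour this user has never been seen active before.
        if ts.hour not in baseline.get(user, set()):
            alerts.append((user, "out_of_hours", f"{action} {resource} at {ts.time()}"))
        # Repeated high-value access by someone who has handed in their notice.
        if resource in HIGH_VALUE and user in GAVE_NOTICE:
            high_value_hits[(user, resource)] += 1
            if high_value_hits[(user, resource)] == REPEAT_THRESHOLD:
                alerts.append((user, "repeated_high_value_access", resource))
    return alerts
```

Running `find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)` flags the midnight print job and the departing employee's repeated reads of the salary file, while the in-hours reads by both users pass unremarked.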
The sheer scale of some companies means that spotting anomalies is not only essential, it is also difficult: having thousands of employees means a lot of activity, creating a lot of data to monitor. And the pressure is on to do this in real time. This is the technical challenge, but the technology exists to identify the tiny fingerprints that indicate a threat today.
The possibilities that exist for cracking into a corporate network are sometimes so inventive that companies are startled. This jolt is exactly what is needed to convince businesses to adopt a new approach to face the most dangerous threats that exist today.
About the Author
Matt Davies is Splunk's EMEA head of marketing. Matt works closely with Splunk customers to help them understand the value that new insights from machine data can deliver to their business. Matt is also one of Splunk's technical evangelists and communicates Splunk's go-to market strategy in the region.