Cyber threats are becoming extremely sophisticated, as evidenced by the many high-profile breaches over the last few years. Organizations are confronting a new reality where they must accept that they are likely to be impacted, despite their best attempts to keep these threats out altogether. They need quicker and better ways to discover, investigate and remediate these threats. Marrying Big Data with machine learning can help address this challenge by providing security professionals with the Big Data security analytics (BDSA) they need to thwart the bad guys.
Without a doubt, when BDSA is used correctly, it is extremely beneficial to an organization. However, there are many false claims around the capabilities of BDSA. When considering BDSA solutions, analysts need to carefully evaluate these capabilities and determine whether their organizations’ needs for detection of attacks on the inside and incident response are being met. In this slideshow, John Dasher, vice president of marketing at Niara, a cybersecurity company focused on Big Data analytics, has identified six common myths to consider when deploying BDSA solutions.
Six Common BDSA Myths
Reduces Need for Security Pros
Myth #1: Security analytics reduces the need for security professionals.
The huge volume of IT alerts and the sophistication of attacks require BDSA to use machine learning to automatically surface threats, making security professionals obsolete.
Why it’s a myth: BDSA provides the machine assist by identifying markers of advanced attacks, but still requires security professionals to examine the analytics and evidence. Threats are becoming increasingly sophisticated and are constantly evolving, so experienced professionals are needed to ensure that BDSA systems are working correctly.
Myth #2: Real-time detection of advanced attacks is possible.
Faster processors and huge investments in perimeter defense mean that all threats, even advanced ones like multi-stage attacks, can be detected and prevented in real time.
Why it’s a myth: It’s easy when threats are known – rules can be written. But it’s infinitely more difficult in the realm of the unknown, which is the case with advanced threats. The markers associated with advanced threats like multi-stage attacks are weak, often barely rising above the noise. If you are alerted on every weak signal, your security team will be overwhelmed. However, BDSA supported with machine learning automatically surfaces these advanced attacks without rules having to be written, even as the attacks evolve. So while real-time detection isn’t possible, BDSA helps to quickly mitigate the impact of advanced attacks that get past perimeter defenses.
Single-Source Threat Visibility
Myth #3: A single data source enables comprehensive threat visibility.
Risk profiles provide a holistic view of the threat landscape. Many solutions claim to enable this holistic view by applying analytics against a single data source – e.g., log data.
Why it’s a myth: Analytics on a single source (e.g., logs) provides some insight, but more variety (e.g., adding packet data) enables better visibility. For example, with logs you can see what URLs a browser accessed, but with packets you can also examine the content being exchanged, which can determine whether something is (or is not) a threat. Of course, at the end of the day, it depends on your organization’s needs and which data sources are most easily available. What’s important to keep in mind is that your BDSA solution should be flexible enough to provide accurate, rich analytics, whether it is using a single data source or several.
Myth #4: Traditional approaches support discovery of advanced threats.
Traditional security monitoring and response solutions, in which organizations have significant investments, can be easily modified to provide the analytics needed to detect advanced threats.
Why it’s a myth: Traditional solutions are built on technologies that cannot scale to the volumes and variety of data being generated in modern organizations. They are rule-based, which is ineffective against unknown attacks. The inability to scale and the lack of self-learning analytics operating on Big Data mean that they aren’t effective against advanced, multi-stage attacks.
User Behavior Analytics
Myth #5: User behavior analytics is all you need.
User behavior analytics (UBA), which profiles user behavior to identify bad actors (i.e., malicious insiders, compromised users, etc.), is the only thing needed to detect advanced attacks.
Why it’s a myth: Behavioral analytics is key to discovering advanced attacks, but it’s not only users who should be profiled; devices and applications belong in the mix as well. What’s really needed is entity behavior analytics. While UBA identifies anomalous activity, attributing maliciousness is a different matter. Producing an alert for every anomaly just adds to alert white noise, as there will be false positives. Behavioral analytics must be combined with a) discrete analytics, which look at data at a single point in time in a stateless and entity-less manner, and b) forensics, which provide the supporting evidence needed to triage and investigate alerts. The three together can establish the maliciousness of anomalous activity and, given the probabilistic nature of UBA, provide a means to check the accuracy of identified attacks.
Myth #6: Analytics alone are sufficient.
Given all the information out there, you’d think that analytics alone are all that you need for the discovery of advanced attacks.
Why it’s a myth: Analytics are valuable, but as threats become more sophisticated and constantly evolve, security teams need some way to verify that the attacks surfaced by BDSA are in fact real. Forensics – spanning everything from the low-level raw data layer to events in a timeline history – provide analysts with this needed context, but they shouldn’t have to search across multiple data silos to get it. Forensics must be an intrinsic part of BDSA, providing analysts with easy access to the information and evidence they need to verify that surfaced threats are genuine.
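The combination the slideshow describes across Myths #2, #3, #5 and #6 (weak signals that must accumulate rather than alert individually, a second data source adding fields the first cannot show, behavioral analytics paired with stateless discrete checks, and raw evidence attached to every alert) can be shown as a small entity-centric pipeline. The following is an added example written for this page; it is not code from the slideshow, from John Dasher or from Niara. The baseline volumes, the proxy-log and packet-derived events, the two discrete heuristics, the point weights and the alert threshold are all constructed assumptions chosen so that one entity clears the threshold, one shows only a volume anomaly, and one shows only a rule hit.

```python
"""Toy entity behavior analytics pipeline (added example, not from the slideshow or Niara).

Three layers, matching the text:
  1. behavioral analytics - per-entity deviation from its own outbound-volume baseline
  2. discrete analytics   - stateless checks applied to one event at a time
  3. forensics            - the raw events kept with each alert as evidence
An entity is surfaced only when the weak signals from (1) and (2) add up past a
threshold, so a lone anomaly or a lone rule hit stays out of the alert queue.
All baselines, events, weights and thresholds below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed baseline: each entity's outbound bytes per day over the previous seven days.
BASELINE = {
    "host-7": [1.2e6, 1.1e6, 1.3e6, 0.9e6, 1.2e6, 1.0e6, 1.1e6],
    "host-12": [4.0e6, 4.5e6, 3.8e6, 4.1e6, 4.3e6, 4.0e6, 4.2e6],
    "host-19": [2.0e6, 2.2e6, 1.9e6, 2.1e6, 2.0e6, 2.3e6, 2.1e6],
}

# Constructed events for the current day from two sources. "log" records mimic a
# proxy log (URL and byte count only); "packet" records are derived from captured
# traffic and carry the content type of what was sent, which the log cannot show.
EVENTS = [
    {"src": "log", "entity": "host-7", "hour": 9, "url": "https://intranet.example/wiki", "bytes_out": 0.2e6},
    {"src": "log", "entity": "host-7", "hour": 23, "url": "http://203.0.113.9/up", "bytes_out": 2.9e6},
    {"src": "packet", "entity": "host-7", "hour": 23, "dst": "203.0.113.9:80", "content_type": "application/zip", "bytes_out": 2.9e6},
    {"src": "log", "entity": "host-12", "hour": 10, "url": "https://cdn.example/update.bin", "bytes_out": 4.2e6},
    {"src": "log", "entity": "host-12", "hour": 14, "url": "https://mail.example/send", "bytes_out": 0.5e6},
    {"src": "log", "entity": "host-19", "hour": 11, "url": "http://198.51.100.4/status", "bytes_out": 0.1e6},
    {"src": "log", "entity": "host-19", "hour": 15, "url": "https://intranet.example/wiki", "bytes_out": 2.0e6},
]

ARCHIVE_TYPES = {"application/zip", "application/gzip", "application/x-tar"}


def behavioral_z(entity, today_total, baseline=BASELINE):
    """Behavioral analytics: how many standard deviations today's outbound volume
    sits above the entity's own history (0.0 when there is no usable history)."""
    history = baseline.get(entity)
    if not history or pstdev(history) == 0:
        return 0.0
    return (today_total - mean(history)) / pstdev(history)


def discrete_checks(event):
    """Discrete analytics: stateless heuristics that look at one event in isolation.
    Each returned name is a weak signal, not a verdict."""
    hits = []
    if event["src"] == "log":
        host = urlparse(event["url"]).hostname or ""
        try:
            ipaddress.ip_address(host)  # raises ValueError for ordinary hostnames
            hits.append("url_host_is_ip_literal")
        except ValueError:
            pass
    elif event["src"] == "packet":
        off_hours = event["hour"] < 7 or event["hour"] >= 19
        if event["content_type"] in ARCHIVE_TYPES and event["bytes_out"] > 1e6 and off_hours:
            hits.append("large_archive_upload_off_hours")
    return hits


def score_entities(events, baseline=BASELINE):
    """Combine both analytics layers per entity and keep the raw events as evidence."""
    by_entity = defaultdict(list)
    for ev in events:
        by_entity[ev["entity"]].append(ev)
    scored = {}
    for entity, evs in by_entity.items():
        # The volume baseline is built from log records only, so a packet record
        # describing the same transfer is not counted twice.
        today_total = sum(ev["bytes_out"] for ev in evs if ev["src"] == "log")
        z = behavioral_z(entity, today_total, baseline)
        # Constructed weighting: nothing below two sigma, capped so one spike cannot
        # dominate on its own; each discrete hit adds a fixed 15 points.
        score = 5 * min(int(z), 6) if z >= 2 else 0
        signals = ["outbound_volume_anomaly"] if score else []
        for ev in evs:
            for hit in discrete_checks(ev):
                signals.append(hit)
                score += 15
        scored[entity] = {"score": score, "z": round(z, 2), "signals": signals, "evidence": evs}
    return scored


def surface_alerts(events, baseline=BASELINE, threshold=40):
    """Forensics-backed alerting: only entities whose combined score clears the
    threshold are surfaced, each carrying the events an analyst needs to triage it."""
    return {e: r for e, r in score_entities(events, baseline).items() if r["score"] >= threshold}


if __name__ == "__main__":
    for entity, alert in surface_alerts(EVENTS).items():
        print(f"{entity}: score={alert['score']} z={alert['z']} signals={alert['signals']}")
        for ev in alert["evidence"]:
            print("   evidence:", ev)
```

Run as written, only host-7 is surfaced: its volume anomaly, the IP-literal URL from the log and the off-hours archive upload that is visible only in the packet-derived record together reach 60 points. host-12 has a mild volume anomaly (about 2.7 sigma) and nothing else, and host-19 has a single IP-literal URL with normal volume; each scores well under the threshold and stays out of the queue, which is the point of summing weak signals instead of alerting on each one. The evidence list on the alert is the forensic context an analyst would otherwise have to reassemble from separate log and packet stores.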