BreachExchange mailing list archives

Data Breaches: Don't Blame Security Teams, Blame Lack of Context


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Nov 2014 18:58:22 -0700

http://www.forbes.com/sites/frontline/2014/10/31/data-breaches-dont-blame-security-teams-blame-lack-of-context/

Cyber security teams are now, more than ever, under great pressure due to
an increased likelihood that their organization will be breached. It is not
surprising that 57% of security experts expect their organizations to be
compromised within the next year. As the news about cyber-attacks becomes
the sad "who's next?" water cooler discussion, it has become a well-known
reality that even the most extensively protected organizations will be
victims of complex hacking operations.

Even though enterprises spend millions of dollars on cybersecurity
protection and detection solutions, the average breach goes undetected for
229 days. Moreover, once an incident is discovered, it usually takes
another month for security to investigate the overall damage and magnitude
of the cyber-attack. This significantly prolongs response time and led to
a devastating average breach cost of 3.5 million for businesses in 2014.

The main reason why security fails to successfully battle complex hacking
operations is not a lack of competency or negligence, as some may
think. In reality, it is because security teams desperately lack context.
The truth is, security teams are blinded by thousands of security alerts
every day from their various security tools. Even the most
sophisticated security teams are unable to comprehend an attack because
most security solutions lack the capability to produce cohesive alerts.

When the Human Factor Fails

Because security tools produce a large number of unwarranted alerts,
security teams must investigate them manually: meticulously weed out false
alerts and connect isolated malicious activities in order to reveal an
attack. In an ideal world, with an abundance of highly skilled
security experts, the need for manual investigation would be less
detrimental. However, this security paradigm significantly weakens your
defence for several reasons:

Isolated Alerting = Limited Remediation

Because traditional security systems alert on individual events, security
teams also remediate isolated issues, without taking historical
evidence into consideration. For instance, IT will be alerted about a virus
on a single endpoint and will then clean that endpoint. However, they
cannot tell whether an employee accidentally brought the virus in from working
at home or someone downloaded it from an email. Traditional tools
cannot reveal whether the alert was a localized event or part of a far more
dangerous hacking operation. The inability to see individual events as part
of something larger makes it very difficult for security teams to
detect and remediate a cyber attack, giving hackers a serious time
advantage.

Alert Blindness

Commonly, security solutions rely on indicators of compromise as triggers
for an alert. These IOCs are based on very rigid predefined rules. For
example, an alert will be produced when there are multiple failed login
attempts, but because security solutions do not have the capability to
automatically judge alerts by examining other evidence, a large number of
alerts are produced, many of them false. 56% of organizations reveal
their concern and say that their security tools produce too many false
positives. This challenge leaves security feeling rightfully uneasy, always
unsure whether they have fixed the problem or missed something
along the way.

Out of Context, Out of Touch

Recent research reveals that 69% of organizations say that their security
tools do not provide enough context for them to understand their risk.
Because many security tools do not focus on the entire IT environment and
only on individual events, cyber attacks can go undetected for long periods
of time. The key is to see a hacker’s every move and this can only be
achieved by having a vast visibility scope and a tool that automatically
connects isolated events in order to provide a more accurate picture for
security to digest. Tools that can bring in context will allow you to tell
if multiple security alerts came from the same source, what circumstances
led to the alert and relate end-user activity to malicious actions.
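As an added illustration of the contrast drawn in the two sections above (this code is not from the article or from any product it alludes to), the following Python compares a rigid failed-login rule with a correlator that judges the same alerts against other evidence from the same source and host; the alert format, field names and sample data are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real data): time, type, source, host, user.
SAMPLE_ALERTS = """\
2014-10-30T08:01:05 failed_login 203.0.113.7 web01 alice
2014-10-30T08:01:09 failed_login 203.0.113.7 web01 alice
2014-10-30T08:01:33 login_success 203.0.113.7 web01 alice
2014-10-30T08:04:10 new_admin_account 203.0.113.7 web01 svc_backup
2014-10-30T09:15:00 failed_login 198.51.100.4 vpn01 bob
2014-10-30T09:15:03 failed_login 198.51.100.4 vpn01 bob
"""
FAILED_LOGIN_THRESHOLD = 2  # the rigid per-event rule from the article
CONTEXT_WINDOW = timedelta(minutes=10)

def parse_alerts(text):
    keys = ("ts", "kind", "src", "host", "user")
    return [dict(zip(keys, line.split()), ts=datetime.fromisoformat(line.split()[0]))
            for line in text.splitlines()]

def isolated_alerts(alerts):
    """Rule-only view: fire once per source when failures cross the threshold."""
    fails, fired = defaultdict(int), []
    for a in alerts:
        if a["kind"] == "failed_login":
            fails[a["src"]] += 1
            if fails[a["src"]] == FAILED_LOGIN_THRESHOLD:
                fired.append(a["src"])
    return fired

def correlated_incidents(alerts):
    """Context view: per source, escalate only if a failure burst is followed within
    the window by a success, ranked higher if the session then does something new."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    incidents = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["kind"] == "failed_login"]
        succ = [e for e in evs if e["kind"] == "login_success"]
        if len(fails) < FAILED_LOGIN_THRESHOLD or not succ:
            continue  # bare failures stay as low-value noise, not an incident
        ok = succ[0]
        if ok["ts"] - fails[0]["ts"] > CONTEXT_WINDOW:
            continue  # burst and success too far apart to be one session
        follow = [e["kind"] for e in evs if ok["ts"] < e["ts"] <= ok["ts"] + CONTEXT_WINDOW
                  and e["host"] == ok["host"] and e["kind"] not in ("failed_login", "login_success")]
        incidents[src] = {"host": ok["host"], "user": ok["user"], "failures": len(fails),
                          "follow_on": follow, "severity": "high" if follow else "medium"}
    return incidents
```

On the sample data the rule alone fires twice, once per source, while the correlator raises a single high-severity incident for the source whose failures were followed by a success and a new admin account on the same host.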

Automated Context: Relieving the Burden of Investigation

Advances in big data analytics and machine learning have
the power to change the current security paradigm. When applied to
security, big data analytics will eliminate the need for manual
investigation and provide a more holistic approach in the battle against
sophisticated cyber attacks. This type of technology can gain context by
monitoring and recording all events and actions taking place within an
organization. Such tools can then deploy artificial intelligence in
order to judge individual incidents the way a human brain can, with the
capability to compare isolated events to historical events, external
sources of knowledge and other related communications taking place within
an environment. This aid would empower security's decision making, close
the gap between detection and response and notably improve security's
posture, enabling them to successfully combat complex hacking operations.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 