Forewarned may be forearmed, but solution providers need reliable weapons in their arsenal to fight cybercrime. Here are tips from LogRhythm's Chief Marketing Officer, Mike Reagan, on what’s needed to address the new threat reality.—Jennifer Bosavage, editor
Nowadays, most CISOs readily acknowledge that it’s not a matter of “if” they’ll be breached, but “when” the breach will occur. In fact, the rapidly shifting threat landscape, fueled by a burgeoning cybercrime economy, has many organizations asking themselves, "Are we already breached and just don’t know it?"
Today, simply thinking, planning and investing in the necessary security infrastructure won’t keep the criminals out and proprietary information secure.
The new cyberthreat reality is even more concerning when you consider the data that shows most organizations are ill-equipped to recognize the signs of a breach. The 2011 Verizon Data Breach Report showed that 85 percent of reported breaches originally went undetected by the breached organizations. In addition, the 2012 Cyber Threat Readiness survey conducted by LogRhythm reported that less than 30 percent of IT security professionals were confident they’d know when user credentials were compromised or hosts were breached. So what’s needed to address the new threat reality for most organizations?
It starts by acknowledging that if the bad guys want to get in, they will. IT security teams need to focus more on real-time monitoring, extending the “net” of data capture, applying context to the information being collected and analyzed and being empowered with actionable intelligence to respond swiftly and effectively when an advanced threat or breach is detected.
Focusing more on detection and response doesn’t mean that point defense technologies (e.g., firewalls, anti-virus/anti-malware, etc.) are no longer relevant. They are as critical as ever because they produce valuable information about what’s happening in and around the enterprise. But for companies to swiftly and efficiently detect and respond to today’s new advanced threats, they need to do more with the wealth of information generated across the enterprise and turn it into an actionable plan.
For midsize and large enterprise organizations, the volume of log data generated throughout a network is massive, usually tens or hundreds of millions of logs every day. The volume grows even more when you add important independently generated activity information such as which files are being accessed and by whom, or what processes are starting or stopping on critical servers. No matter how you look at it, we’re talking about Big Data.
Security Information and Event Management solutions (SIEMs) have been handling Big Data for years. They offer a central point of collection, analysis, monitoring and reporting for enterprise activity data. To address the new threat landscape, advanced information security professionals are leveraging next generation SIEM solutions for Big Data real-time security analytics, and do so within an adaptive intelligence framework.
Adaptive intelligence is rooted in the ability to understand what’s normal, so you can recognize what’s abnormal. Historically, network behavioral anomaly detection (NBAD) has provided this capability at the network layer. The concept is still very useful today, but it needs to be expanded and applied across the entire enterprise, not simply at one layer.
Organizations also need to be able to quickly analyze all activity on specific hosts, applications, users and networks and establish a baseline of normalcy across all layers. Once that baseline is established, they should add internal and external context feeds such as vulnerability data/state, IAM data, asset classification information, threat intelligence feeds and geo-location data to further clarify what’s normal or acceptable. Once “normal” is established and the dynamic context feeds are in place, enterprise behavior anomaly detection (EBAD) is achievable.
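To make the baseline-then-context idea concrete, here is a small added example (not LogRhythm code or any product's logic) that learns a per-user login baseline from constructed historical events, then scores new logins against it and weights the result with assumed context feeds: a hypothetical asset classification table and a placeholder threat-intelligence country list.

```python
from collections import defaultdict

# Constructed historical logins used to learn the baseline: (user, host, country, hour).
BASELINE_EVENTS = [
    ("alice", "web01", "US", 9), ("alice", "web01", "US", 10), ("alice", "db01", "US", 11),
    ("alice", "web01", "US", 14), ("bob", "web02", "US", 8), ("bob", "web02", "US", 17),
    ("bob", "web02", "DE", 9), ("bob", "web02", "DE", 16),
]

# Assumed context feeds (hypothetical values, not real data):
# asset classification (1 = commodity, 3 = crown jewel) and a threat-intel country list.
ASSET_CLASS = {"web01": 1, "web02": 1, "db01": 3}
THREAT_INTEL_COUNTRIES = {"XX"}  # "XX" is a placeholder, not a real country code


def build_baseline(events):
    """Per-user sets of hosts, source countries and login hours seen in the learning window."""
    profile = defaultdict(lambda: {"hosts": set(), "countries": set(), "hours": set()})
    for user, host, country, hour in events:
        p = profile[user]
        p["hosts"].add(host)
        p["countries"].add(country)
        p["hours"].add(hour)
    return profile


def score_event(profile, event):
    """Return (score, reasons) for one new login; 0 means it matches the baseline."""
    user, host, country, hour = event
    p = profile.get(user)
    if p is None:
        return 5, ["unknown user"]  # never seen in the baseline window
    score, reasons = 0, []
    if host not in p["hosts"]:
        score += 2; reasons.append(f"new host {host}")
    if country not in p["countries"]:
        score += 2; reasons.append(f"new country {country}")
    if not any(abs(hour - h) <= 2 for h in p["hours"]):
        score += 1; reasons.append(f"off-hours login at {hour:02d}:00")
    if country in THREAT_INTEL_COUNTRIES:
        score += 3; reasons.append("threat-intel match")
    # Asset context weights the raw anomaly: the same deviation on a crown-jewel host ranks higher.
    return score * ASSET_CLASS.get(host, 1), reasons


def detect(profile, new_events, threshold=3):
    """Return (event, score, reasons) for every new login at or above the alert threshold."""
    alerts = []
    for ev in new_events:
        score, reasons = score_event(profile, ev)
        if score >= threshold:
            alerts.append((ev, score, reasons))
    return alerts
```

In a real deployment the baseline would be learned over weeks of SIEM-collected data and refreshed continuously, and the context feeds would be pulled from the IAM, vulnerability and threat-intelligence sources the article lists rather than hard-coded.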
Today’s rapidly advancing cyberthreat landscape requires IT security teams to employ an adaptive intelligence framework that takes Big Data security analytics beyond just after-the-fact forensic investigation and applies it in real time to recognize the indicators of an advanced threat or breach.
An adaptive intelligence framework based upon next generation SIEM can deliver the Big Data real-time security analytics necessary to help customers remove blind spots and identify sophisticated threats and breaches today and tomorrow.