POSTED: 20 JUL, 2018
Most enterprises run a traditional set of security tools such as data loss prevention (DLP), web proxy, endpoint protection, and encryption, among others. These tools are integrated with a SIEM so that the data they produce can be collected and used in one place.
However, each tool sits in its own silo and collects data only from its own view of the world. The result is a flood of disjointed data into the SIEM, which analysts then have to piece together by hand to work out what it means and what to do about it. The upshot: truly critical threats get missed. By the time analysts have reconstructed the paper trail for one alert, they often find it was never a high risk to the organization, while the real threats have slipped by.
For example, a proxy would raise a high-severity alert when an employee visits a site with a bad reputation. That alone does not mean there is a threat. Without more context, analysts cannot easily connect the activity to the employee behind the source IP address, to endpoint events that might indicate malware, or to a beaconing pattern that might indicate a command-and-control (C2) channel.
Nor would they know whether it was unusual for that employee, or for the employee's peers and wider team, to visit that particular site. Even so, analysts may treat the alert as an active threat and spend time investigating, only to find it was a false alarm.
Or they may dismiss the alert as innocuous, only to discover later that it was one of many indicators of a larger breach. The same event could be an employee browsing a site he visits regularly for personal reasons, which he happened to do at work that day, or it could be infrastructure that a nation-state actor has already taken control of. Individual events from siloed tools cannot tell you which, even when those events are pulled together in one place such as a SIEM.
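The enrichment described above, as an added example that is not part of the original post: a single "bad reputation site" proxy alert is joined with identity context (IP to user and team), a 30-day baseline of who has visited the domain before, endpoint protection events for the same host, and a simple beaconing check on today's proxy log, then scored so the analyst sees a priority rather than a bare alert. All data sets, IPs, user names and domains are constructed for the demo; the scoring weights and the beaconing thresholds are assumptions, not ICA's logic.

```python
"""Added example (not from the original post): enrich a proxy alert with the
context a siloed tool lacks. All data below is constructed; names, IPs,
domains and scoring weights are hypothetical."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2018, 7, 20, 9, 0, 0)

# Identity context (e.g. from DHCP/AD): source IP -> (user, team)
IP_TO_USER = {
    "10.1.4.22": ("jdoe", "finance"),
    "10.1.4.23": ("asmith", "finance"),
    "10.1.7.5": ("rlee", "engineering"),
}

# Today's proxy log: (timestamp, src_ip, domain). 10.1.4.22 contacts the
# flagged domain every ~60 s with slight jitter, i.e. a C2-style beacon.
PROXY_LOG = [
    (T0 + timedelta(seconds=60 * i + i % 3), "10.1.4.22", "evil-cdn.example")
    for i in range(12)
]
PROXY_LOG += [
    (T0 + timedelta(minutes=5), "10.1.4.23", "news.example"),
    (T0 + timedelta(minutes=7), "10.1.7.5", "evil-cdn.example"),
]

# 30-day baseline of (user, domain) pairs seen before today.
HISTORY = {
    ("rlee", "evil-cdn.example"),   # rlee visits this site regularly
    ("jdoe", "news.example"),
    ("asmith", "news.example"),
}

# Endpoint protection events: (src_ip, severity, description)
ENDPOINT_EVENTS = [
    ("10.1.4.22", "high", "suspicious_process: rundll32.exe spawned by WINWORD.EXE"),
    ("10.1.7.5", "info", "signature update completed"),
]


def is_beaconing(timestamps, min_hits=8, max_cv=0.2):
    """Beacon heuristic: many requests at near-constant intervals.
    cv = stdev/mean of the gaps between requests; human browsing has a high
    cv, malware sleeping a fixed interval produces a low one."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def enrich_alert(src_ip, domain, proxy_log=PROXY_LOG, history=HISTORY,
                 endpoint_events=ENDPOINT_EVENTS, ip_to_user=IP_TO_USER):
    """Join the proxy alert with identity, baseline, endpoint and beacon
    context and assign a priority an analyst can act on."""
    user, team = ip_to_user.get(src_ip, (None, None))
    peers = [u for u, (_, t) in ip_to_user.items() if t == team and u != user]

    hits = [t for t, ip, d in proxy_log if ip == src_ip and d == domain]
    beaconing = is_beaconing(hits)
    user_seen_before = (user, domain) in history
    peers_seen_before = any((p, domain) in history for p in peers)
    suspicious_endpoint = [desc for ip, sev, desc in endpoint_events
                           if ip == src_ip and sev in ("high", "medium")]

    score = 0
    if beaconing:
        score += 3
    if suspicious_endpoint:
        score += 3
    if not user_seen_before and not peers_seen_before:
        score += 2          # novel for both the user and the whole team
    priority = ("critical" if score >= 6 else "high" if score >= 3
                else "medium" if score >= 1 else "low")

    return {
        "src_ip": src_ip, "domain": domain, "user": user, "team": team,
        "hits_today": len(hits), "beaconing": beaconing,
        "user_seen_before": user_seen_before,
        "peers_seen_before": peers_seen_before,
        "endpoint_events": suspicious_endpoint,
        "score": score, "priority": priority,
    }


if __name__ == "__main__":
    for ip in ("10.1.4.22", "10.1.7.5"):
        print(enrich_alert(ip, "evil-cdn.example"))
```

Run as-is, the same domain produces a "critical" alert for jdoe (beaconing, a suspicious endpoint event, and a site neither she nor her team has visited before) and a "low" one for rlee, who visits it routinely and whose host shows nothing unusual. The beaconing heuristic is deliberately simple; in production you would also account for proxies that batch requests and for C2 frameworks that randomize their sleep interval.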
The siloed tool setup is a twofold problem: it causes critical threats to be overlooked, and it fails to get full value from the millions of dollars companies invest in their security technologies. To get the most bang for their buck, companies must focus on integration and context. Each tool is good at what it was designed to do, but without context, such as the value of the asset at risk and data from the other tools in the environment, analysts cannot see the full picture of their cyber risk posture.
Take the WannaCry ransomware as an example. WannaCry was the most significant ransomware event of 2017, hitting hundreds of thousands of Windows computers worldwide by exploiting a critical SMBv1 vulnerability that Microsoft had patched two months earlier in MS17-010. After the outbreak, many security teams ran vulnerability scans, found the exploitable systems, and manually worked out who owned them. Those owners then scheduled patching and deployed the patch to every vulnerable system in no particular order of priority.
What is more effective is connecting the dots between the scanning and endpoint protection tools, combined with an understanding of the value of the system at risk and the impact to the business if it were compromised. The full picture looks like this:
The endpoint protection tool fires an alert indicating that WannaCry may be present in the environment. The scanning tool shows which machines are missing the MS17-010 patch. Contextual data then identifies which of those vulnerable systems are high value, meaning that their compromise would hurt the business most, and which application owner is responsible for them.
For the highest-value systems that are vulnerable to WannaCry, the owner receives those findings for immediate remediation, and all of this is automated. By integrating tools and adding context, analysts know exactly which threats and vulnerabilities to act on each day and waste less time chasing false positives and low-impact risks. After all, the business problem in many companies when it comes to security is how much time their limited security analysts waste following up on individual tool alerts that are neither relevant nor critical to the business, while truly critical threats and vulnerabilities go unattended.
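The automated WannaCry workflow described above, as an added example that is not part of the original post and is not ICA's own logic: endpoint alerts (confirming the ransomware is active), scan findings (hosts missing MS17-010) and an asset inventory (business value, exposure, owner) are joined into remediation tickets grouped by owner and sorted by risk. Hosts where the ransomware was actually detected get a containment ticket rather than a patch ticket, and hosts the inventory does not know about are kept with a default value rather than dropped. All hosts, owners, values, weights and thresholds are constructed for the demo.

```python
"""Added example (not from the original post): turn endpoint alerts, scan
findings and asset context into owner-specific, prioritized tickets.
All data is constructed; host names, owners, weights and thresholds are
hypothetical."""
from collections import defaultdict

# Endpoint protection alerts: hosts where the ransomware was actually seen.
ENDPOINT_ALERTS = [
    {"host": "lab-07", "signature": "Ransom.Wannacry", "action": "quarantined"},
]

# Vulnerability scan findings for the patch WannaCry needs (MS17-010).
SCAN_FINDINGS = [
    {"host": "fin-db-01", "patch": "MS17-010", "status": "missing"},
    {"host": "web-edge-02", "patch": "MS17-010", "status": "missing"},
    {"host": "lab-07", "patch": "MS17-010", "status": "missing"},
    {"host": "hr-fs-01", "patch": "MS17-010", "status": "installed"},
    {"host": "unknown-99", "patch": "MS17-010", "status": "missing"},
]

# Asset inventory: the business context the scanner and EDR do not have.
# value runs from 1 (lab box) to 5 (revenue- or payroll-critical).
ASSETS = {
    "fin-db-01": {"app": "Payroll DB", "value": 5, "owner": "payroll-team", "exposure": "internal"},
    "web-edge-02": {"app": "Customer portal", "value": 4, "owner": "web-team", "exposure": "dmz"},
    "lab-07": {"app": "QA lab", "value": 1, "owner": "qa-team", "exposure": "internal"},
    "hr-fs-01": {"app": "HR file share", "value": 4, "owner": "hr-it", "exposure": "internal"},
}

EXPOSURE_WEIGHT = {"dmz": 2.0, "internal": 1.0}
# Unknown hosts get a mid value and an explicit owner so they are not lost.
UNKNOWN_ASSET = {"app": "unknown", "value": 3, "owner": "unassigned", "exposure": "internal"}
IMMEDIATE_THRESHOLD = 8.0


def risk_score(asset, campaign_active):
    """Asset value x exposure weight, doubled when the threat is confirmed active."""
    score = asset["value"] * EXPOSURE_WEIGHT[asset["exposure"]]
    return score * 2 if campaign_active else score


def build_tickets(alerts=ENDPOINT_ALERTS, findings=SCAN_FINDINGS,
                  assets=ASSETS, patch_id="MS17-010", signature="wannacry"):
    """Return {owner: [ticket, ...]} with each owner's list sorted by score."""
    infected = {a["host"] for a in alerts if signature in a["signature"].lower()}
    vulnerable = {f["host"] for f in findings
                  if f["patch"] == patch_id and f["status"] == "missing"}
    campaign_active = bool(infected)

    tickets = defaultdict(list)
    for host in sorted(vulnerable | infected):
        asset = assets.get(host, UNKNOWN_ASSET)
        score = risk_score(asset, campaign_active)
        if host in infected:
            action, urgency = "contain", "immediate"   # already compromised: isolate first
        else:
            action = "patch " + patch_id
            urgency = "immediate" if score >= IMMEDIATE_THRESHOLD else "next_window"
        tickets[asset["owner"]].append({
            "host": host, "app": asset["app"], "score": score,
            "action": action, "urgency": urgency,
        })
    for owner in tickets:
        tickets[owner].sort(key=lambda t: -t["score"])
    return dict(tickets)


if __name__ == "__main__":
    for owner, items in build_tickets().items():
        print(owner)
        for ticket in items:
            print("   ", ticket)
```

With the sample data, the customer portal in the DMZ and the payroll database go to their owners as "immediate", the already-infected lab box gets a containment ticket, the patched HR file share generates nothing, and the host missing from inventory lands in an "unassigned" queue so someone notices the inventory gap. Removing the endpoint alert halves every score and drops the payroll database to the next patch window, which is the point of letting confirmed activity raise urgency.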
So, what is needed to bring these siloed technologies together along with contextual information? Cyber risk analytics platforms, such as Symantec Information Centric Analytics (ICA), are built to do this. ICA brings together telemetry from individual tools, adds contextual information such as the value of the asset at risk, and applies its own user and entity behavior analytics (UEBA) to prioritize the threats and vulnerabilities that matter most. The platform then automatically routes that information to the stakeholders in the business responsible for mitigation.
Here is an example of how integrating ICA with traditional security tools makes them more effective and efficient. The GDPR became enforceable on May 25, 2018. One of the main tenets of the regulation is that organizations must understand which data is sensitive, where that data is located, when it is being moved, and any violations involving that data. DLP records when people move data that falls under the GDPR. ICA detects unusual user activity involving that data and correlates it with the DLP events. By combining those two data sets with contextual information, such as the fact that the asset at risk is high value and in scope for the GDPR, ICA shows analysts that high-value, GDPR-related data is being moved by someone who does not normally access it, and that the activity must be investigated immediately.
Many organizations have begun integrating security data and applying cyber risk analytics to their traditional security tools, or are planning to do so soon. Security leaders are realizing that it is impossible for their limited team of analysts to keep up with the volume of alerts and the amount of data flowing through countless devices and applications. They need something that brings the data from their existing tools together so they can see the forest for the trees and prioritize the alerts that are real and need immediate investigation.