“CISOs face a stark reality,” writes Jon Oltsik, Principal Analyst at ESG, in the May 2015 report An Analytics-based Approach to Cybersecurity (PDF). “The processes and technologies they employed for the last 15 years are no longer enough… savvy CISOs will take a step back and examine the threat landscape.”
In recent years advanced persistent threats (APTs) have emerged in that threat landscape, which according to Gartner, “use multistep and multivector attack scenarios that first find vulnerabilities and then attempt to exploit them to move deeper into the enterprise infrastructure.”
Oltsik calls for a more comprehensive cybersecurity strategy that encompasses coordinated early detection and rapid response. He summarizes this analytics-driven approach at the end of the ESG report:
…this new approach to cybersecurity can be viewed as an end-to-end relationship between big data security analytics technologies, cybersecurity strategy, and the infosec team’s skill set. The technology must become more scalable, and become far easier to use. At the same time, security professionals must learn how to be better incident responders by asking the right questions and knowing how to pivot through investigations.
Enterprises are not prepared for the threat landscape
Threat prevention used to be the name of the IT security game. Blocking attacks focused on the beginning of the attack lifecycle and were designed for automated threats like email viruses and spyware, rather than modern APT attacks and other forms that employ multiple steps and dimensions.
In ESG’s view, threat detection and response at many enterprises remain “relatively immature and manually intensive.” Citing a big data survey conducted by ESG in November 2012, Oltsik relates what organizations named as their biggest incident detection/response weaknesses.
Countering the argument that legacy security technologies and approaches are up to the task, he points out that the top three weaknesses pertain to situations where attackers already have access to enterprise systems. The next two responses have to do with trying to stop an attack of the same nature.
- Performing forensic analysis to determine the root cause of a problem (29%)
- Using retrospective remediation to determine the scope of outbreaks, contain them, and remediate malware (28%)
- Analyzing security intelligence to detect security incidents (27%)
- Determining which assets are vulnerable to similar attacks (26%)
- Altering security controls to prevent a similar attack (25%)
Oltsik argues that enterprises must assume that cyberattackers will gain access to their systems and strengthen their security postures with a more complete strategy. This means gaining insight and visibility into their networks, servers, endpoints, applications, and databases.
Problems with SIEM technology
Security information and event management (SIEM) is designed to “collect and correlate security events, logs, and network flow data for security analysis and operations.” So does SIEM technology address the above-mentioned weaknesses? Many security pros might say yes.
However, Oltsik refers to ESG research from November 2012 in which infosec personnel describe four primary problems with SIEMs in threat detection and response.
- Event correlation is based on predefined schemas. This approach allows SIEMs to identify the most important alerts to investigate, but it is less effective when queries are needed to research attacks using multidimensional tactics and to move from system to system.
- SIEM platforms rely on fixed storage. Meaning — relational databases that require all data to be predefined, thus limiting the amount and types of data for analysis. This is manually intensive since end users have to keep up with updates and revisions.
- SIEMs rely on predefined context. The dependence on relational databases also means that additional contexts have to be predefined before they’re applied in a solution. Thus, added contexts like location, security information, and identity require costly customizations and can slow attack responses.
- SIEMS are inflexible. Being an out-of-the-box solution, enterprises have to customize SIEMs for their IT environments; this includes changing correlation rules, adding reports, and adapting non-traditional data sources, all of which can heavily tax an organization’s resources and time.
A new solution: analytics-driven cybersecurity
Oltsik argues that enterprises have to respond to increasingly dangerous cyberattacks through a greater commitment to data collection and processing, along with greater vigilance on security analytics. ESG calls this new approach analytics-driven cybersecurity, which has the following four elements.
- Casting a wider net on relevant data.Because multidimensional cyberattacks can cross numerous systems, networks, and files, security teams have to analyze data across all areas, which requires collecting data from a wide variety of sources and making them available to all members of the security group. Historical analysis must also be included since multidimensional attacks can occur over long time periods.
- Flexible data enhancement. While original data formats have to be preserved, security teams also need to tag, index, enrich, and query any data element to get a wider perspective for threat detection/response. This would enable analysts to add context to data, making it more informative and actionable.
- A wide-angle data lens. Security teams need the ability to shift from one data element to any other using any data field or value in order to follow the evidence from field value to context, tracing the steps attackers have taken. This capability is needed across systems, protocols, network traffic, and historical timeframes.
- A quantum improvement in usability. Systems must provide a simple interface and search-based access to data so that security teams can easily query and understand the data. In addition, systems should permit simple ways to create dashboards and reports for security operations. And lastly, new systems need to offer visual analytics that help teams understand relationships and follow historical trends.