As a system administrator, I am bombarded on a daily basis with pitches and advertisements for security solutions or related webinars and events. Security is a huge business, and it's growing even bigger. As TechRepublic's Alison Rayome reported, "massive cyberattacks and data breaches are driving companies worldwide to increase cybersecurity spending to $96 billion in 2018—up 8% over 2017."
It's important to get the best possible return on the massive amounts of money being invested in security solutions. Just as a burglar alarm does no good if it's not set or a watchdog will fail at his job if a person deemed "friendly" goes unchallenged, merely implementing security tools doesn't complete the mission. These tools must be tweaked, tuned, analyzed and optimized on a periodic basis.
I spoke with Bay Dynamics co-founder and CTO Ryan Stolte about the challenges leaders face with traditional cyber tools and how to overcome them. He stated that various traditional technologies such as data loss prevention, web proxies, endpoint protection and vulnerability scanners are good at what they were built to do, yet breaches continue to occur due to a failure to depict or detect the big picture.
Connect the dots between existing tools and alerts
According to Stolte: "some of the typical challenges of traditional security tools are based on the fact they typically only cover one or few risk vectors." For instance, DLP covers data exfiltration, endpoint protection covers malware, loggers record data which is input into a system, etc.
"The problem here is the tools are not connected and lack context. They sit in siloes, generating alerts that don't connect the dots between users and devices," Stolte said. That context is needed to determine if all those alerts tell a bigger story that must be prioritized or if they are normal business activities. Today's attacks are no longer one-dimensional in nature - stopping them requires a multi dimensional perspective. Attacks are also getting more sophisticated and use machine learning and AI technologies which security vendors are only just starting to use to try and stop them. The solution for handling these challenges is to connect the dots to detect anomalies that can alert you that something is not as it should be. "We all know from experience that there are too many events and too much data for human analysts to pick out the needle from the proverbial haystack," Stolte said.
This means analytics to detect unusual and risky behavior and machine learning to keep up with changing environments or new attack methods are needed to improve security and reduce dependency on human support. Stolte feels that in the future artificial intelligence will increase these capabilities even further.
Stolte compared the range of security alerts to a bell curve, with a small percentage on one end representing certain attacks and another small percentage on the other end signifying certain false positives. The middle section represents a vast majority of alerts which require review and analysis to properly interpret. "The goal of analytics is to shrink that pool of uncertain alerts to a minimum and group them into either the positive/false positive category," he stated.
SEE: Information security incident reporting policy (Tech Pro Research)
Focus on security tactics you can implement today
Our discussion covered how malicious attackers are improving their techniques as well as the latest threats or evolutions on the threat landscape.
"Attacks are getting more and more sophisticated, especially with substantial bad actors like nation states," Stolte said. He believes these attacks will continue to get better at flying under the radar of individual detection tools and will require sophisticated detection mechanisms to thwart. A whole economy has developed based on the sale of ready-made exploits, making advanced attacks available to many more people than would otherwise have been technically capable of such activities.
"Add in the move to the cloud which puts data and systems out of your direct control and IoT geometrically multiplying the number of attack vectors, and you have quite a mess," Stolte said.
Analytics are improving and will continue to advance but they are not the only thing; there are strategies you can focus on today. Good cyber hygiene will continue to aid companies and people in protecting themselves: implementing rigorous and thorough patching mechanisms as well as comprehensive endpoint and data loss protection protection are key strategies and will continue to grow in significance.
SEE: 10 ways to raise your users' cybersecurity IQ (free PDF) (TechRepublic)
It's not enough to focus on working with the tools themselves — you should be mindful of any changes to the underlying infrastructure behind them upon which they depend for functionality. For instance, if proxy server changes take place, this may impact the ability to download software updates or signature files will be downloaded, putting the organization at risk.
Similarly, if internal SMTP messaging gateways change but the security tools aren't updated, no alerts will be generated. The same applies if alerts were configured to be sent to an individual who then leaves the organization - always send alerts to groups.
False confidence in security mechanisms is also a potential pitfall. Just because you're not getting alerts doesn't mean there isn't a problem. Some things can't always be detected - exploits based on social engineering for instance (although user behavioral analytics can alert you if a specific user attempts to log into an unauthorized system as that could indicate a situation involving compromised credentials).
In addition, my experience proves that security education remains essential and it's important to focus on what's currently popular or trending in order to be aware of potential disks. The more popular a device, app or other technology element is, the more likely someone will write an exploit for it, such as the malicious apps which sprung up involving Pokemon Go and attempted to harvest confidential user data.
- 10 bits of career wisdom for beginning cybersecurity professionals (TechRepublic)
- 8 hard truths about working in cybersecurity (TechRepublic)
- How IBM Security is helping cybersecurity pros collaborate like the bad guys (TechRepublic)
- How Puresec aims to safeguard serverless applications from cyberattacks (TechRepublic)
- How your company can measure its 'cyber resilience' and evaluate its posture (ZDNet)
- Symantec: Establish security procedures for the 'inevitable' smart office (ZDNet)
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.