Published on April 2, 2013
Recent events have caused IT security professionals to reevaluate the way they think about the threat environment. First, DDoS attacks can go from a minor annoyance to an existential threat, given sufficient compute resources and bandwidth. Second, state-sponsored hacking and espionage is going to be a huge ongoing problem with second- and third-order ripple effects on international trade, diplomacy and global economics. And third, the ability of IT security organizations to detect and prevent targeted and advanced malware attacks is being called into question.
Despite the money and resources being thrown into attempts to harden the network perimeter such as AV and Identity and Access Management tools, these attacks just keep on happening, and Information Security leaders are increasingly being forced to confront the fact that they do not know how to prevent them. The thought that there are open doors into the most critical parts of their network infrastructure that they not only can’t close, they can’t even detect, keeps people in our profession awake at night.
There is no doubt that malware is becoming more sophisticated, using targeted phishing tactics coupled with constantly evolving social engineering and an in-depth understanding of network security systems to target either unusually vulnerable accounts or those with highly privileged access entitlements. What this means is that the insider threat is a double-edged sword: your users may be unaware that they are complicit in enabling attack vectors into the heart of the network.
In a recent survey from Bit9, more than half of global server administrators rated advanced targeted malware attacks as the greatest threat, and over a quarter of them said they had already been the victim of such attacks. This increasing awareness of the virulence and effectiveness of these attacks is resulting in a change of attitude in the Information Security community. No longer can security administrators ask “is my security infrastructure sufficient to protect my network, data and customers from most threats?”, but rather they must acknowledge “our IT security efforts have not been effective, and we need additional tools or resources to provide a reasonable level of security”.
But if the vast array of network security products and services available today is not sufficient to protect against these threats, what can we do? What we need to do is think more broadly about what we expect from our security stack. Why, for example, in 2013, should network, user, identity and activity data remain completely unintegrated, separate silos of data that cannot be assembled into an integrated “Security Warehouse” sort of arrangement, so that correlations and relationships between disparate data types and sources can be discovered and analyzed? For that matter, with all the leaps in big data analysis and machine intelligence that have been made in recent years, why can we not apply a flexible set of intelligent algorithms to that integrated data that can learn what normal behaviors look like, in order to detect abnormal, suspicious user activity anywhere in the network stack in real time? It is of very limited value to discover that your organization has been compromised by these advanced attacks long after the fact. If you cannot prevent them, you must be able to detect them as they happen.
Fortunately, this is precisely what Securonix does today. The Securonix security intelligence platform functions both as a data integration tool for all your network, user and security data, and as an intelligence system for monitoring events and activities in real time. In the Securonix platform, activity is correlated to actual user identity, and behavior is measured against a profile baseline AND multiple peer groups in order to detect suspicious outlier behavior as it happens. This is real, actionable intelligence you can act on immediately to safeguard your data and customers, and because of the broad array of data sources and the inherent intelligence of the platform, false positives are reduced to virtually zero.
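To make the "baseline AND peer group" idea concrete, here is an added illustration (not Securonix code, and not a description of its actual scoring) that flags a user only when today's activity count is an outlier against both that user's own history and the pooled history of the user's peer group. All users, groups and counts are constructed sample data.

```python
import statistics
from collections import defaultdict

# Constructed sample: per-user daily counts of sensitive-file reads over the
# past week, tagged with the user's peer group (department). All values are made up.
HISTORY = {
    "alice": ("finance", [10, 12, 11, 9, 13, 10, 12]),
    "bob":   ("finance", [8, 9, 10, 8, 11, 9, 10]),
    "carol": ("finance", [12, 11, 13, 12, 10, 11, 12]),
    "frank": ("finance", [3, 3, 4, 3, 3, 4, 3]),   # quiet finance user
    "dave":  ("eng",     [2, 3, 1, 2, 2, 3, 2]),
    "erin":  ("eng",     [1, 2, 2, 1, 3, 2, 2]),
}

# Today's counts (constructed). bob and erin jump far above everyone around them;
# frank jumps above his own baseline but lands inside the normal finance range.
TODAY = {"alice": 11, "bob": 45, "carol": 12, "frank": 12, "dave": 3, "erin": 14}

def zscore(value, samples):
    """Standard score of value against a sample set; inf when the sample has
    no variance and value deviates from it, so a flat baseline still alerts."""
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd

def score_users(history, today, threshold=3.0):
    """Return {user: (z_self, z_peer)} for users whose count is an outlier
    against BOTH their own baseline and their peer group's pooled baseline."""
    # Peer baseline: pool every historical daily count of every user in the group.
    peer_counts = defaultdict(list)
    for _user, (group, counts) in history.items():
        peer_counts[group].extend(counts)
    alerts = {}
    for user, value in today.items():
        group, own = history[user]
        z_self = zscore(value, own)
        z_peer = zscore(value, peer_counts[group])
        if z_self > threshold and z_peer > threshold:
            alerts[user] = (round(z_self, 1), round(z_peer, 1))
    return alerts

if __name__ == "__main__":
    for user, (z_self, z_peer) in score_users(HISTORY, TODAY).items():
        print(f"ALERT {user}: z_self={z_self} z_peer={z_peer}")
```

Requiring both scores to exceed the threshold is what suppresses frank (abnormal for himself, ordinary for finance) while still surfacing bob and erin; loosening it to either score alone trades that noise reduction for sensitivity.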
There is no doubt that these attacks are taking place right now, and we have to face the very real possibility that operational IT security teams are falling behind in an arms race we just can’t afford to lose. Why spend another day not knowing who, or what, is in your network? Call Securonix today to arrange a demo or a free trial.