It’s no secret that data breaches are bad news. The Yahoo breach will go down in the history books as the largest breach to date, but that doesn’t mean that smaller and just as damaging breaches aren’t taking place every single day. Because they are. The scale of Yahoo’s breach may be unparalleled, but the problems are not. The simple fact is that it takes way too long to discover and resolve breaches, and something has to be done about it.
According to a report by the SANS Institute, the majority of companies already spend up to twelve percent of their annual IT budget on security. The motivating factors span a wide variety of business drivers, including everything from the need to protect sensitive data to regulatory compliance, and a more generic need to improve incident response.
In the past, this traditional security methodology has relied almost exclusively on incremental improvements and updated signatures used in firewalls, intrusion detection and prevention technologies and security information and event management (SIEM) devices. I don’t want to sound disparaging about these devices, because they are fantastic at what they do. But they’re not perfect. In recent years hackers have become much better at developing (and sharing) smarter, better targeted and more automated tools that bombard enterprise security systems with a flood of old and new (zero day) attacks. It takes just one chink in the security armor for a hacker to quietly gain access to an enterprise network and sit there undetected for many months while looking around and preparing to exfiltrate valuable data.
We know that organizations are in a constant arms race with hackers, and we shouldn’t expect this to change any time soon. In fact it will probably get worse. The latest IBM and Ponemon 2016 Cost of Data Breach Study found that malicious and criminal attacks took an average of 229 days to discover and an additional 82 days to resolve. Why so long? This is a complex issue, but a lot of the blame lies in the fact that security analysts are overwhelmed with data. As more and more alerts are generated by an enterprise’s IDS / IPS devices, analysts can only investigate a handful each day.
So what’s the solution? The simple answer is that security analysts need the tools and the processes to work more efficiently. If we accept the fact that some attacks are going to breach even our best defences, then the logical step is to improve the way that we respond. In practice, this means two things: being able to discover breaches faster, and being able to resolve them faster. It never ceases to amaze me that companies deploy security solutions to produce all these alerts, but they don’t have the bandwidth to analyse them. The most logical reasons are that security analysts don’t have access to the right data and they cannot access it quickly enough. This is a huge problem. Current solutions require a multi-step process where security analysts go to multiple systems for aggregated yet uncorrelated data, then to specific computers for detailed information, and then must correlate all the data manually. The very best data is in the network packets, but none of it is indexed to the alert, and access to such data is typically a network function, not a security function. And if the alert is older than a few days, then the original packet data have probably been discarded. Security engineers need access to all of the packets related to an alert right at their fingertips, at the click of a button.
As alerts are received from a security system, a computer should parse them, storing the network packet data that correlates with the source of the alert. Packet data related to IP addresses and log data from a SIEM can be pulled together in the background, making it easier for an analyst to access the data with a single click to evaluate whether an issue needs further investigation. If they see, for example, that log and packet data don’t match, then a deeper look is warranted.
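The correlation step described above, as an added example that is not code from the original article: each alert is matched to packet flow records and SIEM log entries from the same source IP within a time window, and any flow seen on the wire but absent from the logs (or vice versa) is flagged for a deeper look. All sample alerts, flow records and log entries below are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (illustrative only, not from any real capture or SIEM).
ALERTS = [
    {"ts": "2016-09-01T10:00:05", "src": "10.0.0.5", "sig": "outbound beacon"},
    {"ts": "2016-09-01T10:30:00", "src": "10.0.0.7", "sig": "internal port scan"},
]
PACKETS = [  # flow records the packet sensor recorded, keyed by source IP
    {"ts": "2016-09-01T10:00:01", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443},
    {"ts": "2016-09-01T10:00:04", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 8443},
    {"ts": "2016-09-01T10:29:50", "src": "10.0.0.7", "dst": "10.0.0.20", "dport": 22},
    {"ts": "2016-09-01T12:00:00", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443},  # outside window
]
SIEM_LOGS = [  # what host and proxy logs reported to the SIEM
    {"ts": "2016-09-01T10:00:02", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443},
    {"ts": "2016-09-01T10:29:51", "src": "10.0.0.7", "dst": "10.0.0.20", "dport": 22},
]

def _ts(s):
    return datetime.fromisoformat(s)

def in_window(rec, alert, window):
    """True if rec comes from the alert's source IP and lies within +/- window of the alert time."""
    return rec["src"] == alert["src"] and abs(_ts(rec["ts"]) - _ts(alert["ts"])) <= window

def correlate(alert, packets=PACKETS, logs=SIEM_LOGS, window=timedelta(minutes=5)):
    """Pull the packet flows and SIEM entries around one alert and compare the two views."""
    pkt_flows = {(p["dst"], p["dport"]) for p in packets if in_window(p, alert, window)}
    log_flows = {(e["dst"], e["dport"]) for e in logs if in_window(e, alert, window)}
    return {
        "alert": alert["sig"],
        "source": alert["src"],
        "packet_flows": sorted(pkt_flows),
        "log_flows": sorted(log_flows),
        "unlogged_flows": sorted(pkt_flows - log_flows),  # on the wire, missing from logs
        "unseen_flows": sorted(log_flows - pkt_flows),    # in logs, missing from packets
    }

def triage(alerts=ALERTS):
    """Summarise every alert, flagging those where packet and log data disagree."""
    results = []
    for a in alerts:
        r = correlate(a)
        r["needs_deeper_look"] = bool(r["unlogged_flows"] or r["unseen_flows"])
        results.append(r)
    return results

if __name__ == "__main__":
    for r in triage():
        verdict = "DEEPER LOOK" if r["needs_deeper_look"] else "consistent"
        print(f'{r["alert"]} from {r["source"]}: {verdict} {r["unlogged_flows"]}')
```

The first alert is flagged because the sensor saw a second outbound flow to 198.51.100.7:8443 that no log entry accounts for; the second alert's packet and log views agree, so it can be closed quickly.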
Automating alert-related data collection will allow that data to be stored in a central location, but that one place doesn’t exist yet. Currently, analysts typically go to something like a SIEM dashboard, log into a host machine or another UI, and switch between multiple software applications or devices to access information. This is ridiculously time consuming and inefficient. The security industry needs to develop automated processes that collect relevant ‘suspicious’ packet data and make it readily available for analysts. This will make their jobs more efficient, while helping them investigate more alerts each day. If that can happen, I think it’s reasonable to expect analysts’ productivity to increase significantly.