One complaint we often get from security practitioners we work with comes across more as a cry for help: They’re practically drowning in security alerts and can’t catch their breath. With the advent of numerous security tools to identify potential breaches comes a virtual tsunami of incidents to swim through. Data loss prevention (DLP), web proxy and other policy-based tools do a fantastic job of flagging possible malicious behavior, both inside and outside the network, but every event they produce creates more work for short-staffed remediation teams suffering from security “alert fatigue.”
Relying on manual intervention based on severity simply doesn’t work anymore. Not only is it far too time consuming and unrealistic to analyze thousands (or hundreds of thousands) of incidents a day (depending on the size of the company and its policy configurations), but relying on severity alone is misguided. High-severity false positives may simply signify a broken business process, and they distract us from lower-severity incidents that, triggered over a period of time, can indicate a low-and-slow data leakage event. With all the noise generated from security tools, it’s no wonder some of the most famous breaches in recent years went virtually unnoticed by cyber response teams.
Target and Home Depot are perfect examples of cybercriminals flying under the radar. The security tools the companies had in place to detect such breaches did as expected; it’s just that the breaches slipped through the cracks under a deluge of other incidents.
So how do you find the needle in the haystack to ensure your company stays out of the news?
Identify and Prioritize Top Cyber Risks
Working from the end result backwards, the goal is to identify an enterprise’s top cyber risks, prioritize those risks based on likelihood and impact, and provide the supporting information human analysts require to vet identified risks or orchestrate automated action. Identifying and prioritizing top cyber risks requires a detailed understanding of many aspects of an organization’s computing and business environment, and then applying the right analytics to make sense of it all. In other words, context is key. Some critical data points include (note that the optimal data sources vary by use case):
- User activity and security telemetry, including DLP, authentication, web activity, cloud activity, application activity, etc.
- Organizational hierarchies and user attributes
- Indicators of attack and compromise from endpoint and perimeter protection tools
- IT asset and architecture information, including organizational ownership and the relationship of machines to applications, business value and loss impact
- Host and application configuration, patch, vulnerability scan and penetration test results
- Threat intelligence feeds
- Industry standard sources of vulnerabilities, asset descriptions, operating system patches, etc.
There are many methods and tools available for mixing and matching the above data points to achieve desired results. For most organizations, though, this process is akin to attempting to solve a Rubik’s cube puzzle with half of the colors missing while wearing a blindfold under water.
UEBA to the Rescue
Enter User and Entity Behavior Analytics (UEBA), with the emphasis on behavior. Behavior analytics is not a new concept (the financial services industry has used it for decades to identify fraud), but it remains a hot buzzword, especially in cyber-security land, where the volume and pace of attacks are ever increasing and qualified human analysts are in short supply. At nearly every cyber-security conference it seems that most vendors tout some flavor of these capabilities. However, not all algorithms and methodologies are created equal, and more importantly, they do not deliver the same results. For cyber-risk analytics and UEBA platforms, the process and functional goal is all about gathering security data from various sources, then analyzing it to enable accelerated response via human analysts or automated action.
That’s why a solution like Symantec’s Information Centric Analytics (ICA) and others can be a real game changer. ICA is a risk analytics solution that integrates with other security tools while automatically enriching data by filling gaps. In other words, it supplements security events with the contextual data that the machine learning and risk analytics depend on, before that picture is further augmented with inputs based on human analysts’ decisions. This enables ICA to flip the remediation script by shifting from an incident-by-incident approach to a risk-based approach.
Rather than triaging incidents as they come in or actioning them based on severity, ICA leverages behavior analysis and machine learning to prioritize incidents for review based on certain scenarios or user-risk ratings. By asking questions like, “How normal is this behavior for this user?” a security practitioner can quickly cut to the chase and identify the infractions that should be investigated first, accelerating the process of finding that needle in the haystack. ICA also performs peer analysis, which compares a user’s behavior with that of users who report to the same manager and those in the same organization or department, allowing a thorough comparison of user actions.
Automation Through Machine Learning
Behavior analysis is only half the battle, however, as automation through machine learning is essential in cutting down the volume of incidents to review. In ICA, this happens on two fronts: supervised and unsupervised machine learning. Unsupervised machine learning is handled by the behavior analysis component I described earlier: anomalies are automatically identified when compared to a user’s baseline behavior, and events are scored for normality. Supervised machine learning trains the tool to stop flagging benign events, thus reducing the system’s overall noise. For example, an analyst can review a set of incidents with similar criteria and decide they represent a broken business process based on a policy violation pattern. The tool learns from the action of classifying those incidents as acceptable and excludes future similar events, removing them from a practitioner’s line of sight and decreasing overall workload.
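To make the two ideas from the last two sections concrete, here is an added Python sketch that is not ICA’s code or Symantec’s algorithm: it scores each alert against the user’s own baseline and against the peer group reporting to the same manager (a z-score is my stand-in for ICA’s unspecified normality score), drops any (department, policy) pattern an analyst has classified as a broken business process, and ranks by abnormality instead of severity. All events are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical DLP events used as the behavioral baseline.
HISTORY = [
    {"user": "alice", "manager": "bob", "bytes": b} for b in (100, 120, 110, 130)
] + [
    {"user": "carol", "manager": "bob", "bytes": b} for b in (100, 110, 90, 100)
] + [
    {"user": "dave", "manager": "erin", "bytes": b} for b in (5000, 5200, 4800, 5000)
]

# Constructed alerts from today; severity is what a policy-based tool assigned.
ALERTS = [
    {"user": "alice", "manager": "bob", "dept": "finance", "severity": "low",
     "policy": "usb_copy", "bytes": 400},
    {"user": "dave", "manager": "erin", "dept": "eng", "severity": "high",
     "policy": "cloud_upload", "bytes": 5100},
    {"user": "carol", "manager": "bob", "dept": "finance", "severity": "high",
     "policy": "spreadsheet_export", "bytes": 120},
    {"user": "frank", "manager": "erin", "dept": "eng", "severity": "medium",
     "policy": "cloud_upload", "bytes": 9000},  # new hire, no baseline yet
]

# Pattern an analyst reviewed and classified as a broken business process.
BENIGN_PATTERNS = {("finance", "spreadsheet_export")}

def zscore(value, samples):
    """Standard deviations from the sample mean; 0.0 when no baseline exists."""
    if len(samples) < 2:
        return 0.0
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd

def prioritize(history, alerts, benign_patterns):
    """Return (risk, severity, user, policy) tuples, most abnormal first."""
    by_user, by_manager = defaultdict(list), defaultdict(list)
    for ev in history:
        by_user[ev["user"]].append(ev["bytes"])
        by_manager[ev["manager"]].append(ev["bytes"])  # peer group baseline
    ranked = []
    for a in alerts:
        if (a["dept"], a["policy"]) in benign_patterns:
            continue  # supervised step: learned as acceptable, not shown to analyst
        user_z = zscore(a["bytes"], by_user[a["user"]])
        peer_z = zscore(a["bytes"], by_manager[a["manager"]])
        ranked.append((round(max(user_z, peer_z), 2), a["severity"], a["user"], a["policy"]))
    return sorted(ranked, reverse=True)
```

Note that the "high" severity alert for dave ends up last because 5100 bytes is normal for him, while frank, who has no history of his own, is still caught by the peer-group baseline.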
The Icing on the Cake: Moving Toward Zero Trust
The icing on the cake is that by leveraging these techniques to optimize and simplify the security remediation process, companies put themselves several steps closer to Zero Trust. In fact, the glue that holds the fundamental pillars of the Zero Trust Extended Maturity Model together is denoted by Forrester as automation, orchestration, visibility and analytics. UEBA and automation are central components of those requirements, and when used with other Symantec products to adhere to the “Never trust, always verify” mantra of Zero Trust, they give security teams the advantage they need to stay ahead of the game by rapidly centralizing and prioritizing potential threats.
Key Takeaways
The complex nature of today’s data breach methods, coupled with the volume of security tool alerting, has made it extremely challenging for organizations to isolate and visualize multi-vector risks. Uncovering attacks and accelerating investigations can be aided by leveraging technologies that employ UEBA and automation best practices, such as Symantec’s ICA, while at the same time putting organizations on a path towards Zero Trust. To survive the flood of attacks and the deluge of event traffic associated with your security practice, it’s all about using the lifelines that keep your head well above water.
About Enterprise Studio
Enterprise Studio by HCLTech provides IT solutions and services to thousands of customers across many industries. We specialize in working with organizations that are challenged with optimizing the potential of their technologies and transformations.
We use a blend of deep technical skills, advisory and consulting expertise to help you navigate the complexities that come with competing in an interconnected world. By addressing IT challenges while enabling business and cultural transformation, your IT and business teams can achieve better, more predictable outcomes with long-lasting benefits.
Our global team across North America, Europe, Latin America, India, Australia, and Asia has a relentless focus on customer centricity. Our team’s expertise, built upon decades of experience across digital advisory consulting, IT business management (ITBM), cybersecurity, and AIOps, can help you move quickly from idea to value as you build, integrate and adopt resilient enterprise solutions.