Nir Polak is CEO and Co-founder of Exabeam.
There’s one thing every heavily publicized data breach has in common: it wasn’t uncovered until it was too late. The breach at the U.S. Office of Personnel Management (OPM) in February was still active more than three months after security workers learned of it. Many of these breaches share a second trait: preventive security measures weren’t enough to stop them.
Prevention has always been a major component of security. Firewalls stand at the perimeter of sensitive, private networks and try to keep every malicious file out. As the OPM breach and countless other incidents show, though, that is not enough: more than 21 million records were compromised before the breach was detected at all. Prevention-focused initiatives have a place in cybersecurity, but they need a complement. As we move into 2016 and confront new threats, detection needs to become an equally significant component of enterprise IT security standards. As in so many other parts of the enterprise, the way to improve network security and avoid disasters is analytics derived from big data.
Prevention Isn’t Enough
Without a way to stop attacks already in progress, businesses cannot stay ahead of cybercriminals. Too often, security teams hear of an attack only after a third party reports a possible issue. Individual signs, such as unusual data movement or suspicious remote logins, pile up until it is clear something is wrong. Without a clear picture tying those events to each other, it can take weeks or even months to detect a problem and even longer to resolve it.
Beyond that, solutions designed for prevention find it increasingly difficult to keep up with cybercriminals. Threats evolve every day, with attackers staying well ahead of the software and services designed to protect networks. A few small adjustments to a piece of malware, or a misstep by an employee such as opening a tainted attachment, undoes all the time spent on prevention, especially when nothing is in place to detect intruders once they are inside the network.
Simplifying Detection By Monitoring for Suspicious Behaviors
User behavior analytics (UBA) solutions monitor network activity to help security teams identify issues as they develop. Instead of learning of a six-month-old breach from a third party, companies are alerted as the issues happen. By analyzing all users on a network, UBA tools build a profile of each user’s typical behavior; whenever an account strays from those established norms, the deviation is marked as an anomaly. Companies already employ security information and event management (SIEM) systems that collect log data, but those systems still produce thousands of alerts a day. Supplemented with UBA tools, security staff know what to look for, can identify issues promptly and can address them before they compromise any more data.
UBA tools’ algorithms learn from every bit of activity on a network; as they gather and assess more information, they become a more effective part of a holistic security program. This matters because attackers change course even after they’ve been detected, and solutions that spot only one or a few forms of anomalous behavior won’t necessarily keep track of an intruder. By automating detection and analysis, teams can respond quickly and focus on the major problems. Digging through countless alerts every day is inefficient and rarely stops attacks; when security teams know which alerts are the most dangerous, they can put their resources into the most serious issues.
Businesses’ investments in SIEM solutions have helped both IT and security teams do their jobs more effectively. Working UBA into the equation makes SIEM more useful, drawing on the data already in those repositories to grow smarter and more sensitive to ongoing attacks. UBA presents detailed analysis of each suspicious user, tracing their every move through a network. This lets security teams identify every piece of data likely associated with a breach and take the steps required to resolve incidents with greater accuracy. Much of this work is currently done manually, which wastes time and inevitably produces inaccuracies.
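The baseline-then-anomaly idea in the three paragraphs above (learn each user’s norms, score deviations, rank users so the worst ones surface first, and keep the per-event trail for the analyst) is concrete enough to show in code. The following is an added example written for this page; it is not Exabeam’s code or any product’s algorithm. The log lines, users, hosts and scoring weights are all constructed for illustration, and the three rules it applies (unusual hour, never-seen source host, transfer size beyond mean plus three standard deviations) are a deliberately small stand-in for what a real UBA system would learn.

```python
# Added example, not code from Exabeam or the original article: a minimal
# user behavior analytics (UBA) scorer. It learns a per-user baseline from a
# training window of logs, scores later events by how far they stray from it,
# and ranks users so an analyst sees the largest deviation first.
# All log lines, users, hosts and weights below are constructed for illustration.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed logs (not from any real system): timestamp,user,event,source host,bytes moved
BASELINE_LOGS = """\
2015-11-02T09:05:00,alice,login,wks-alice,0
2015-11-02T10:30:00,alice,transfer,wks-alice,1200000
2015-11-03T09:10:00,alice,login,wks-alice,0
2015-11-03T14:00:00,alice,transfer,wks-alice,1500000
2015-11-04T08:55:00,alice,login,wks-alice,0
2015-11-04T11:20:00,alice,transfer,wks-alice,1100000
2015-11-02T08:00:00,bob,login,wks-bob,0
2015-11-02T16:45:00,bob,transfer,wks-bob,400000
2015-11-03T08:05:00,bob,login,wks-bob,0
2015-11-03T17:00:00,bob,transfer,wks-bob,600000
2015-11-04T08:02:00,bob,login,wks-bob,0
2015-11-04T15:30:00,bob,transfer,wks-bob,500000
"""

RECENT_LOGS = """\
2015-11-09T09:02:00,alice,login,wks-alice,0
2015-11-09T03:14:00,alice,login,vpn-gw-7,0
2015-11-09T03:20:00,alice,transfer,vpn-gw-7,900000000
2015-11-09T08:10:00,bob,login,wks-bob,0
2015-11-09T16:00:00,bob,transfer,wks-bob,550000
2015-11-09T18:30:00,carol,login,wks-carol,0
"""

# Illustrative weights (assumed, not from any product); tune per environment.
W_NEW_HOUR, W_NEW_HOST, W_BIG_TRANSFER, W_NO_BASELINE = 3, 4, 5, 2


def parse_logs(text):
    """Parse the CSV lines above into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, host, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "host": host, "bytes": int(nbytes)})
    return events


def build_baselines(events):
    """Per-user profile: hours active, hosts used, and a transfer-size ceiling."""
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev["user"], {"hours": set(), "hosts": set(), "sizes": []})
        p["hours"].add(ev["ts"].hour)
        p["hosts"].add(ev["host"])
        if ev["event"] == "transfer":
            p["sizes"].append(ev["bytes"])
    for p in profiles.values():
        sizes = p["sizes"]
        if len(sizes) >= 2:   # mean + 3 sigma over the training window
            p["max_bytes"] = statistics.mean(sizes) + 3 * statistics.pstdev(sizes)
        else:                 # too little history: a single value, or None if no transfers
            p["max_bytes"] = sizes[0] if sizes else None
    return profiles


def score_event(profile, ev):
    """Return (score, reasons) for one event against its user's profile."""
    if profile is None:       # edge case: user has no baseline yet, flag but do not guess
        return W_NO_BASELINE, ["no baseline for user"]
    score, reasons = 0, []
    if ev["ts"].hour not in profile["hours"]:
        score += W_NEW_HOUR
        reasons.append(f"activity at hour {ev['ts'].hour:02d}, outside usual hours")
    if ev["host"] not in profile["hosts"]:
        score += W_NEW_HOST
        reasons.append(f"first activity from host {ev['host']}")
    if ev["event"] == "transfer":
        limit = profile["max_bytes"]
        if limit is None or ev["bytes"] > limit:
            score += W_BIG_TRANSFER
            reasons.append(f"transfer of {ev['bytes']} bytes exceeds baseline")
    return score, reasons


def score_events(profiles, events):
    """Score every recent event, keeping the per-event trail for the analyst."""
    return [(ev, *score_event(profiles.get(ev["user"]), ev)) for ev in events]


def rank_users(scored):
    """Cumulative score per user, highest first, so triage starts at the top."""
    totals = defaultdict(int)
    for ev, score, _ in scored:
        totals[ev["user"]] += score
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    profiles = build_baselines(parse_logs(BASELINE_LOGS))
    scored = score_events(profiles, parse_logs(RECENT_LOGS))
    for ev, score, reasons in scored:
        if score:
            print(f"{ev['ts']} {ev['user']:6} score={score:2}  {'; '.join(reasons)}")
    print("ranking:", rank_users(scored))
```

Running it ranks alice first: her 09:02 login from her own workstation scores zero, but the 03:14 login from an unseen VPN gateway and the 900 MB transfer that follows it each accumulate several rule hits, and the reasons list is the trail an analyst would follow. The user with no baseline (carol) is flagged with a small fixed score rather than being silently ignored or scored against someone else’s norms, which is the caveat to keep in mind when a UBA deployment is young or a new account appears.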
Advancing security practice with better detection through UBA solutions has quickly become a competitive necessity. When these issues persist, companies struggle and, more importantly, customers take their business elsewhere.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.