Johna Till Johnson, CEO at Nemertes Research, advises organizations to focus on Advanced Security Analytics (ASA), an emerging category of security products and services that provide real-time insight into—and, increasingly, proactive responses to—situations that indicate a potential breach, compromise, or vulnerability. ASA includes the existing categories of security event/incident management and monitoring (SEIM) by adding analytical capabilities often derived from Big Data technologies. It also includes earlier categories such as forensics and Intrusion Detection Systems/ Intrusion Prevention Systems (IDS/IPS). These capabilities include User Behavioral Analytics (UBA), which can detect, report on, and take action against anomalous behavior by users (whether systems or humans), and visualization.
"Why do you need ASA and, particularly, UBA," she asks. "To protect against multi-factor threats and, in particular, witting or unwitting attacks from within the network. Users may misbehave and/or their systems may be compromised. Often, the only way to detect advanced persistent threats is to detect anomalous behavior, which is challenging if you don't know what normal behavior is. With UBA, you don't need to know what's normal—the system figures it out for you."
Johnson recommends ASA tools from vendors such as Agiliance, Blue Coat, Damballa, FireEye, Guidance, HP ArcSight, IBM, Lastline, LogRhythm, McAfee/Intel, and Splunk.
People Are the Key
"If you want true security in an enterprise of any size, you must start with people," says Eddie Block, CISO, Department of Information Resources at the State of Texas. "People are the ones that configure the firewalls, update anti-virus software, patch servers, and the other myriad tasks that ensure breaches and intrusions are minimized. People with technical skills and understanding have an eye for anomalies and a natural sense of curiosity. They're the ones on the front line reviewing logs, who see something odd in a log file, and then have the compulsion to figure out what happened. Many of the large-scale breaches experienced over the past few months could have been discovered earlier with the right people. There's nothing new, flashy, or sexy about log files, but if you truly want to understand your security posture, put a curious person in front of a log server."
"My vote for security's best option is collaboration tools. Yes, we have plenty of silver bullets; what we really need are more tools that allow communication and collaboration for our distributed workforce. We need to capture tribal knowledge to make staff more effective. We need to invest in tools that make staff more agile," says Rick Holland, principal security/risk analyst at Forrester Research.
Guy Delp, director of Cybersecurity and Advanced Analytics at Lockheed Martin, believes the focus should be on hiring cybersecurity talent that can capitalize on existing investments and influence all aspects of the organization's security posture. He challenges companies to ask if network visibility issues should be addressed? Are there organizational stovepipes that hamper incident response? Are existing tools used to the fullest, and are open-source tools implemented within the infrastructure?
"When investing in key talent, consider three essential criteria: balance, adaptability, and influence," he says. "Knowing the technical aspects of the mission is not enough. Key talent must be leaders as well, sharing information, mentoring, motivating others, and getting their hands dirty (balance). The most successful superstars understand the technical and political aspects of their environment. Rapid change is likely, so quick learners will adapt best (adaptability). Security organizations do not operate in a vacuum. The most successful, key talent are those who can navigate across organizational boundaries to drive the results they need (influence)."
Frank Kim, CISO at the SANS Institute, believes security capabilities that detect attackers and anomalous activity are even more important in the face of advanced threats, which are determined to bypass traditional, preventative mechanisms. As a result, threat intelligence and robust information sharing are key aspects of modern cyber defense. But it’s not just about sharing indicators of compromise, it's also about advanced analytics and the ability to mine internal and external sources of data. Building a data science capability to intelligently analyze large amounts of information provides organizations with actionable information that allows security teams to respond more quickly.
"However, it’s not just about these technical capabilities," Kim says. "Having the right people with the right skills and expertise is key to appropriately protecting critical assets. It’s not the arrow, it’s the archer."
"Rather than endorsing a particular product or solution, I have lectured students in my data privacy class on the virtues of assembling an Incident Response Team," says Jill Bronfman, program director and adjunct professor of Law/Data Privacy for the Institute of Innovation Law at the University of California Hastings. "That is, a team of trained professionals to prevent (or at least mitigate) data security breaches and if/when such breaches occur, respond to them with all deliberate speed and attention."
Bronfman asserts that in cases which involve both employee and consumer information, such as healthcare and finance and/or corporate and personal data, companies are best served by a cross-functional team of security experts. She recommends establishing groups in advance that consist of legal, IT, CTO, CIO, human resources, risk management for insurance, public relations/marketing, consumer relations, regulatory/government, and relevant vendors—especially if they're involved in security—and then train them on an Incident Response Plan. Smaller companies could combine these functions in fewer people, but the key is to identify individuals responsible for each function and provide actionable checklists for when incidents occur.
Sartain is a freelancer writer. She can be reached at julesds@comcast.net
This story, "Top security tools in the fight against cybercrime" was originally published by Network World.