• United States




Traditional cyber solutions are the answer when used in the right way

Mar 13, 20186 mins
BudgetingData and Information SecurityNetwork Security

When it comes to cybersecurity, every investment counts.

data scientist analytics cybersecurity
Credit: Getty Images

A recent report by the White House Council of Economic Advisers revealed that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. A 2017 report, published by Accenture and the Ponemon Institute, said organizations are spending 23 percent more on cyber-crime than they spent last year, equaling $11.7 million, on average. Let’s face it. Cyber security, whether it’s investing in cyber technologies and manpower, responding to incidents, suffering losses from a breach, or managing post breach cleanup, is expensive.

As the explosion of devices and data flowing through them continues, in addition to cloud migration and the ever-growing sophistication of cyber-criminal operations, we don’t expect these costs to let up any time soon. Therefore, every investment counts. Each technology must be used to its fullest, not only to optimize dollars spent, but most importantly, to protect those assets that matter most to the organization.

Most enterprises have a set of traditional technologies such as data loss prevention, web proxies, endpoint protection, vulnerability scanners and more. Each one is good at what it was built to do, and serves an important purpose, yet we continue to see breaches due to missed threat alerts. That’s because the tools are not connected and lack context. They sit in siloes, generating alerts that are disconnected to the user and devices that connect the dots between them. That context is needed to determine if all those alerts tell a bigger story that must be prioritized, or if they are business-as-usual activities.

For example, analysts may receive a high-level alert from a web proxy if an employee visited a bad reputation website, but that does not necessarily mean there’s a threat in their environment. Analysts would not easily be able to connect the activity with the employee that was behind the IP address, endpoint events that may indicate malware, or beaconing activity that may indicate a command and control point.  Additionally, they would not know if it was unusual for that employee to visit that site, nor if it was unusual for the employee’s peers and overall team to visit it.

Nonetheless, analysts may treat the alert as an active threat, and potentially waste time investigating only to find out it was a false alarm. On the other hand, analysts may ignore the alert, assuming it was innocuous, only to discover that it was one indicator of many of a greater breach.  Or, maybe the employee typically visits the site as part of his personal social activities, which he happened to be doing at work that day, or maybe it is part of a nation state that has taken control of the company’s infrastructure.  There’s no way to tell from individual events from siloes, even if those events are pulled together in one place, like in a logger.  It’s all about integration and context.

So how can organizations optimize their existing security investments, reduce those false alarms and focus on the right prioritized set of alerts? They must first bring together those tools so that they talk to each other and tell a story, not just a flow of events.

Going back to the example above, if the data from the web proxy was brought together with data from an endpoint protection, authentication and data loss prevention tool, analysts would see the full picture of events. The web proxy would identify an employee visited a bad reputation website. The endpoint protection tool would see if malware was downloaded. The authentication tool would identify unusual authentication activity indicating a bad actor was trying to access sensitive information. And the data loss prevention tool would alert analysts that someone was trying to exfiltrate sensitive data.

Organizations must also integrate User and Entity Behavior Analytics (UEBA) with those tools to enable overwhelmed analysts to identify and prioritize only the most critical alerts. Machine learning is increasingly being used in UEBA platforms to identify and prioritize threats, while minimizing false alarms.  Machine learning comes in two main forms, unsupervised and supervised. On the unsupervised side, based on information that the UEBA tool already knows about the employee from their behavior and activities, it can determine if an event looks normal or abnormal for that user.

Going a step further, UEBA also compares that behavior to the person’s peers and overall business unit, to capture an even greater understanding if the event is indeed abnormal (this capability is especially useful when it comes to a new employee). On the supervised learning side, the system learns from how analysts classify events.  If marked business-as-usual, the UEBA tool knows not to flag that user behavior again in that situation, saving analysts from yet another alert that is not a threat to the organization.

Here’s an example of how integrating UEBA with traditional security tools makes them more effective and efficient. Let’s say a retailer’s SIEM logs the credentials of a user who works for their HVAC maintenance company is authenticating to systems with sensitive payment data, while at the same time, the endpoint protection tool is indicating unusual malware on machines related to that user ID, and DLP is showing encrypted files being emailed to what appears to be a personal Gmail account.

Viewed in isolation, the authentication activity would probably never get flagged, the endpoint events would lead to a cleansing of malware from a machine and the DLP events would get lost in the noise.  Connecting the dots between these events via the user ID showing unusual authentication behavior relative to him/herself and peers, events on machines that the user ID is typically associated with, and unusual DLP activity, would lead the analyst to see what was really going on, leading to the user getting deactivated and an investigation being initiated.

Many organizations have begun integrating security data and applying UEBA with their traditional cyber tools or are planning to do so soon. Cyber leaders are realizing it’s impossible for their limited team of analysts to tackle the volume of alerts coupled with amount of data flowing through countless devices and applications. They need something that brings data from their existing cyber tools together to allow them to see the forest from the trees and prioritize the alerts that are real and need immediate investigation.


Ryan Stolte founded Bay Dynamics in 2001, and he has since grown the company into a leading IT solution provider with a diverse portfolio of products and services. His breadth of experience assisting organizations optimize their IT and security processes, combined with his deep knowledge of analytics has provided the foundation for the company’s solution Risk Fabric, which helps companies measure, communicate and reduce cyber risk.

Ryan has spent more than 20 years of his career solving big data problems with analytics. Starting in the early days of the Web, his first user behavior analytics challenges were to find innovative ways to recommend products to end users and drive sales on e-commerce sites. With the proliferation of the connected enterprise, his attention turned to new analytics challenges with internal IT, cloud, and cybersecurity initiatives.

With two decades of experience in user behavior analytics, a portfolio of analytics patents, and an unparalleled leadership team, Ryan is focused on finding innovative ways to provide smart cybersecurity solutions for the enterprise.

The opinions expressed in this blog are those of Ryan Stolte and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.