Traditional cyber solutions are the answer when used in the right way

A recent report by the White House Council of Economic Advisers revealed that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. A 2017 report, published by Accenture and the Ponemon Institute, said organizations are spending 23 percent more on cyber-crime than they spent last year, equaling $11.7 million, on average. Let’s face it. Cyber security, whether it’s investing in cyber technologies and manpower, responding to incidents, suffering losses from a breach, or managing post breach cleanup, is expensive.

As the explosion of devices and data flowing through them continues, in addition to cloud migration and the ever-growing sophistication of cyber-criminal operations, we don’t expect these costs to let up any time soon. Therefore, every investment counts. Each technology must be used to its fullest, not only to optimize dollars spent, but most importantly, to protect those assets that matter most to the organization.

Most enterprises have a set of traditional technologies such as data loss prevention, web proxies, endpoint protection, vulnerability scanners and more. Each one is good at what it was built to do, and serves an important purpose, yet we continue to see breaches due to missed threat alerts. That’s because the tools are not connected and lack context. They sit in siloes, generating alerts that are disconnected to the user and devices that connect the dots between them. That context is needed to determine if all those alerts tell a bigger story that must be prioritized, or if they are business-as-usual activities.

For example, analysts may receive a high-level alert from a web proxy if an employee visited a bad reputation website, but that does not necessarily mean there’s a threat in their environment. Analysts would not easily be able to connect the activity with the employee that was behind the IP address, endpoint events that may indicate malware, or beaconing activity that may indicate a command and control point.  Additionally, they would not know if it was unusual for that employee to visit that site, nor if it was unusual for the employee’s peers and overall team to visit it.

Nonetheless, analysts may treat the alert as an active threat, and potentially waste time investigating only to find out it was a false alarm. On the other hand, analysts may ignore the alert, assuming it was innocuous, only to discover that it was one indicator of many of a greater breach.  Or, maybe the employee typically visits the site as part of his personal social activities, which he happened to be doing at work that day, or maybe it is part of a nation state that has taken control of the company’s infrastructure.  There’s no way to tell from individual events from siloes, even if those events are pulled together in one place, like in a logger.  It’s all about integration and context.

So how can organizations optimize their existing security investments, reduce those false alarms and focus on the right prioritized set of alerts? They must first bring together those tools so that they talk to each other and tell a story, not just a flow of events.

Going back to the example above, if the data from the web proxy was brought together with data from an endpoint protection, authentication and data loss prevention tool, analysts would see the full picture of events. The web proxy would identify an employee visited a bad reputation website. The endpoint protection tool would see if malware was downloaded. The authentication tool would identify unusual authentication activity indicating a bad actor was trying to access sensitive information. And the data loss prevention tool would alert analysts that someone was trying to exfiltrate sensitive data.

Organizations must also integrate User and Entity Behavior Analytics (UEBA) with those tools to enable overwhelmed analysts to identify and prioritize only the most critical alerts. Machine learning is increasingly being used in UEBA platforms to identify and prioritize threats, while minimizing false alarms.  Machine learning comes in two main forms, unsupervised and supervised. On the unsupervised side, based on information that the UEBA tool already knows about the employee from their behavior and activities, it can determine if an event looks normal or abnormal for that user.

Going a step further, UEBA also compares that behavior to the person’s peers and overall business unit, to capture an even greater understanding if the event is indeed abnormal (this capability is especially useful when it comes to a new employee). On the supervised learning side, the system learns from how analysts classify events.  If marked business-as-usual, the UEBA tool knows not to flag that user behavior again in that situation, saving analysts from yet another alert that is not a threat to the organization.

Here’s an example of how integrating UEBA with traditional security tools makes them more effective and efficient. Let’s say a retailer’s SIEM logs the credentials of a user who works for their HVAC maintenance company is authenticating to systems with sensitive payment data, while at the same time, the endpoint protection tool is indicating unusual malware on machines related to that user ID, and DLP is showing encrypted files being emailed to what appears to be a personal Gmail account.

Viewed in isolation, the authentication activity would probably never get flagged, the endpoint events would lead to a cleansing of malware from a machine and the DLP events would get lost in the noise.  Connecting the dots between these events via the user ID showing unusual authentication behavior relative to him/herself and peers, events on machines that the user ID is typically associated with, and unusual DLP activity, would lead the analyst to see what was really going on, leading to the user getting deactivated and an investigation being initiated.

Many organizations have begun integrating security data and applying UEBA with their traditional cyber tools or are planning to do so soon. Cyber leaders are realizing it’s impossible for their limited team of analysts to tackle the volume of alerts coupled with amount of data flowing through countless devices and applications. They need something that brings data from their existing cyber tools together to allow them to see the forest from the trees and prioritize the alerts that are real and need immediate investigation.