The first myth, “My IT Defences are Impenetrable”, was challenged at every turn by the security vendors in the massive RSA Expo Halls. The recent Verizon and Ponemon Institute cyber crime reports clearly show that IT defences are being penetrated on a regular basis, so it’s time to embrace the inevitable. Continuous Monitoring that provides rapid detection must become a part of your everyday IT security operations. Be from Missouri; show me we haven’t been penetrated!
Rapid detection is all about implementing a continuous sensor and measurement capability to produce the “tips and cues” that indicate a breach has occurred. The sensor capability can come in many forms, but one of the most prevalent and valuable forms is log files, especially with real-time or near real-time transactions. However, most system and vendor product logs tend to be one-dimensional, logging specific types of events for a specific product or application/service.
In the 1970s and 1980s, many organizations relied on large mainframe computers that were expensive to purchase, maintain, and upgrade with additional resources. As a result, the field of Computer System Performance emerged. People quickly realized that it wasn’t the individual measurements, such as memory usage, disk usage, page swapping rates, etc., that mattered, but the relationships between the individual events. This led to the application of tools such as linear regression analysis, Kiviat graphs, and queuing theory to draw out those relationships and truly understand how to quickly measure and tune computer performance.
The rapid analysis of system logging data is no different. The relationships between the various types of log file entries produce the real insight into IT security behaviors and overall secure operations. Log entries from multiple capabilities such as Identity and Access Management (IAM), Security Information and Event Management (SIEM), Service Providers, Network Traffic Analysis, and others need to be correlated to provide significantly improved “situational awareness” of user, system, and security behaviors. This requires technologies and techniques that can discover unknown or hidden behaviors, relationships, and patterns – just like the tools that were applied for Computer System Performance Analysis.
The technologies and techniques for rapid detection of security breaches include, for example, semantic web technologies, data analytics, machine learning, and logic analysis of security assertions/policies. Many of these tools have been successfully applied in other domains such as finance, transportation, and eCommerce and are just now starting to be applied to IT Security. They can provide deep insight into cyber threats such as identity credential misuse (i.e., use of stolen credentials, insider threats, identity imposters, etc.), “Shadow IT”, toxic combinations of security assertions/policies, and others. Even though these technologies and techniques are only now starting to be applied to build continuous monitoring tools for rapid detection of cyber threats, they are maturing very quickly and need to be seriously considered as the future of IT security defence.
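As an added example of the cross-source correlation described above (not code from the original post), the script below joins constructed VPN and IAM log lines to surface two “tips and cues” for credential misuse: an IAM login from an address the VPN never assigned to that user, and a success that closes a burst of failures. The key=value log layout, the 30-minute window and the failure threshold are assumptions for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logs (not from the article): a VPN source and an IAM source.
VPN_LOG = """\
2015-04-20T09:58:00Z vpn user=alice event=connect ip=10.8.0.5
2015-04-20T10:30:00Z vpn user=bob event=connect ip=10.8.0.9
"""
IAM_LOG = """\
2015-04-20T10:00:05Z iam user=alice result=success ip=10.8.0.5
2015-04-20T10:02:11Z iam user=alice result=success ip=203.0.113.7
2015-04-20T10:31:00Z iam user=bob result=failure ip=10.8.0.9
2015-04-20T10:31:02Z iam user=bob result=failure ip=10.8.0.9
2015-04-20T10:31:04Z iam user=bob result=failure ip=10.8.0.9
2015-04-20T10:31:06Z iam user=bob result=success ip=10.8.0.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) (?P<kv>.*)$")

def parse(log):
    """Each line becomes a dict of its key=value fields plus a datetime 'ts'."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ev = dict(pair.split("=", 1) for pair in m["kv"].split())
        ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def correlate(vpn_log, iam_log, window=timedelta(minutes=30), threshold=3):
    """Correlate IAM successes against VPN sessions and recent failures.
    Returns (user, reason) tuples in time order."""
    vpn_ips = defaultdict(set)
    for ev in parse(vpn_log):
        if ev.get("event") == "connect":
            vpn_ips[ev["user"]].add(ev["ip"])
    alerts, failures = [], defaultdict(list)
    for ev in sorted(parse(iam_log), key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] == "failure":
            failures[user].append(ev["ts"])
            continue
        if ev["ip"] not in vpn_ips[user]:  # success from an address no VPN session explains
            alerts.append((user, f"login from {ev['ip']} with no matching VPN session"))
        recent = [t for t in failures[user] if ev["ts"] - t <= window]
        if len(recent) >= threshold:  # success right after a burst of failures
            alerts.append((user, f"success after {len(recent)} failures"))
        failures[user] = []  # a success resets the burst counter
    return alerts
```

Neither log alone flags anything: the IAM line for alice looks like a routine success, and the VPN log is clean; only the join between them exposes the anomaly.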
Don’t let out-of-date cultural norms such as “there is too much data to be analysed,” “the relationships are too subtle to be modelled,” “it is just too hard to find the needle in the haystack,” or “it will take too long to provide the required tips and cues” get in the way of learning about what can be done today and in the future. In the 1970s and 1980s engineers struggled with what to do with the massive amounts of data collected by computer performance measurement tools. In 2015, there are tools and techniques that allow for near real time analysis and correlation of those massive amounts of data for rapid detection of cyber threats. They Will Get In – your job is to quickly discover them and limit the damage before they spread their roots deep into your IT and data assets.