Just What Exactly Does ‘Anomalous Behavior’ Look Like? The Question Stumps CISOs
August 16, 2013
- IT security organizations need to rethink how they find, prioritize and remediate the more sophisticated attacks that slip past existing defenses. One way is to build a better understanding of what is normal and what is not, from both a coarse view of aggregated network flow data and a more granular view of specific users and their activities. Accounts with elevated privileges and access to sensitive customer or financial data are a good starting point.
- CISOs evaluating more advanced security analytics solutions should hold prospective vendors' feet to the fire on the heavy lifting: integrating the relevant data sources and automating the analytics, rather than leaving both to the customer.
I had the good fortune to attend the IT Security Analyst and CISO Forum in London back in June, and a number of interesting themes came out of the roundtable discussion with CISOs from a handful of large enterprises, government and non-government entities. Asked what their major challenges are today, one theme really stayed with me: when it comes to analyzing activity on systems and networks for anomalous behavior, “we don’t know what normal looks like,” said one CISO.
Given the failure of legacy signature and pattern matching to detect stealthier malware, and the rise of advanced persistent threats and targeted attacks, the security industry has responded by bringing together more contextual information that spans the protocol stack. Data on applications, user identity, location, endpoints, network activity, security intelligence feeds and even time of day is gathered, correlated and presented for the security professional to analyze. Vendors from a range of market segments, including anti-malware, firewall, IPS and SIEM, as well as startups with promising sandbox technology, are adding their voices to the chorus with promises of faster detection of the attacks that get through traditional defenses. The problem with many of these solutions is that they are complex to operate and require advanced training before they deliver value. This comes at a time when CISOs bemoan a shortage of skilled security professionals.
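As an added example that is not part of the original post, the following Python sketches what “knowing what normal looks like” means in practice for the granular, per-user view mentioned in the first bullet above: build a baseline for each user from historical flow aggregates (daily outbound volume, hours of day seen, destination zones seen), then score a new day's activity by its deviation from that baseline and weight privileged accounts more heavily so the riskiest deviations rise to the top. Every record, user name, zone label, threshold and weight here is constructed for illustration; in a real deployment the input would be NetFlow/IPFIX exports joined to an identity directory.

```python
"""Baseline-and-deviation scoring over per-user flow aggregates.

Added example (not from the original post). Constructed records stand in
for NetFlow/IPFIX exports joined to a user directory; names, thresholds
and weights are illustrative assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime


# Constructed history: ten days of outbound sessions for two users, each
# record already aggregated to (timestamp, user, destination zone, bytes_out).
def _make_history():
    history = []
    for day in range(1, 11):
        # dba_alice: three daytime sessions to internal systems, ~53-56 MB/day
        for hour, bytes_out in ((9, 20_000_000), (13, 15_000_000), (16, 18_000_000)):
            history.append({"ts": f"2013-06-{day:02d}T{hour:02d}:00:00",
                            "user": "dba_alice", "dst_zone": "internal",
                            "bytes_out": bytes_out + day * 100_000})
        # jsmith: two daytime sessions to a sanctioned SaaS partner, ~11-12 MB/day
        for hour, bytes_out in ((10, 5_000_000), (15, 6_000_000)):
            history.append({"ts": f"2013-06-{day:02d}T{hour:02d}:00:00",
                            "user": "jsmith", "dst_zone": "saas-partner",
                            "bytes_out": bytes_out + day * 50_000})
    return history


HISTORY = _make_history()

# Constructed day under review: dba_alice pushes ~750 MB at 02:00 to a zone
# she has never talked to; jsmith has an ordinary day; contractor7 has no
# history at all.
TODAY = [
    {"ts": "2013-06-12T02:00:00", "user": "dba_alice",
     "dst_zone": "unknown-external", "bytes_out": 750_000_000},
    {"ts": "2013-06-12T10:00:00", "user": "jsmith",
     "dst_zone": "saas-partner", "bytes_out": 5_200_000},
    {"ts": "2013-06-12T15:00:00", "user": "jsmith",
     "dst_zone": "saas-partner", "bytes_out": 6_100_000},
    {"ts": "2013-06-12T11:00:00", "user": "contractor7",
     "dst_zone": "internal", "bytes_out": 1_000_000},
]

# Assumed: the identity source tells us which accounts carry elevated privilege.
PRIVILEGED = {"dba_alice"}


def build_baseline(flows):
    """Per-user profile of 'normal': daily volume statistics, hours of day
    seen, and destination zones seen."""
    daily = defaultdict(lambda: defaultdict(int))
    hours, zones = defaultdict(set), defaultdict(set)
    for f in flows:
        ts = datetime.fromisoformat(f["ts"])
        daily[f["user"]][ts.date()] += f["bytes_out"]
        hours[f["user"]].add(ts.hour)
        zones[f["user"]].add(f["dst_zone"])
    profile = {}
    for user, per_day in daily.items():
        totals = list(per_day.values())
        profile[user] = {
            "mean": statistics.fmean(totals),
            # population stdev; a single day of history gives 0.0, which
            # score_day handles rather than dividing by zero
            "stdev": statistics.pstdev(totals) if len(totals) > 1 else 0.0,
            "hours": hours[user],
            "zones": zones[user],
        }
    return profile


def score_day(profile, flows, privileged, z_threshold=3.0):
    """Compare one day's flows against the baseline and rank users by risk.
    Weights: excess volume 3, new destination zone 2, off-hours activity 1,
    unknown user 2; doubled for privileged accounts. Users without history
    are flagged rather than silently scored as normal."""
    totals = defaultdict(int)
    seen_hours, seen_zones = defaultdict(set), defaultdict(set)
    for f in flows:
        ts = datetime.fromisoformat(f["ts"])
        totals[f["user"]] += f["bytes_out"]
        seen_hours[f["user"]].add(ts.hour)
        seen_zones[f["user"]].add(f["dst_zone"])

    weights = {"volume": 3, "new_destination": 2, "off_hours": 1, "no_baseline": 2}
    findings = []
    for user, total in totals.items():
        reasons, z = [], 0.0
        base = profile.get(user)
        if base is None:
            reasons.append("no_baseline")
        else:
            if base["stdev"] > 0:
                z = (total - base["mean"]) / base["stdev"]
            elif total != base["mean"]:
                z = float("inf")  # no variance in history: any change is unusual
            if z > z_threshold:
                reasons.append("volume")
            if seen_zones[user] - base["zones"]:
                reasons.append("new_destination")
            if seen_hours[user] - base["hours"]:
                reasons.append("off_hours")
        score = sum(weights[r] for r in reasons) * (2 if user in privileged else 1)
        findings.append({"user": user, "score": score, "z": round(z, 1), "reasons": reasons})
    return sorted(findings, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in score_day(build_baseline(HISTORY), TODAY, PRIVILEGED):
        print(row)
```

Two caveats a practitioner would add before trusting this. First, the baseline is only as clean as the learning window: if the attacker was already active during those ten days, their traffic becomes “normal”, so seed the profile from a period you have reason to trust and re-check it periodically. Second, a z-score over ten daily totals is a toy; real activity is bursty and seasonal (month-end batch jobs, backups), which is exactly why the vendors named later in this post sell the baselining and tuning as the product rather than leaving it to the analyst.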
The good news is that security organizations, at least within larger enterprises, are responding to this challenge by changing their tactics: carving out new groups dedicated to malware intelligence and analytics, and standing up incident detection and response operations. CISOs are beginning to recognize that understanding abnormal activity patterns is a continuous process, not a one-time tuning exercise. At least a few vendors are working to deliver greater automation and intelligence in their solutions, including heavyweights such as IBM with its Q1 Labs acquisition and HP with its ArcSight acquisition, as well as smaller pure plays such as Lancope and Arbor Networks. Such automation and improved intelligence take the burden off IT security professionals, so that they can respond faster to real threats and prioritize which incidents to investigate based on risk.