Insights From InfoSec Part 2: Analytics-Driven Security

Last week PAC attended InfoSec, Europe’s largest information security industry event. Despite the wide variety of provider types in attendance, a number of consistent topics emerged from PAC’s discussions at the event. PAC blogged about the first of these key themes, the Internet of Things (IoT), last week (see link here), and now the focus falls on the rush to harness analytics in support of security awareness.

After IoT, analytics was the second most common theme PAC encountered at InfoSec. Whether the ‘engine’ for a cloud platform or deployed ‘on-prem’, for clients large and small, security is increasingly expressed as a question of analytics.

But why is this? Although separated from InfoSec by several time zones, Robert Youngjohns, executive vice president and general manager at HP Software, gave the answer in his address to the HP Discover conference in Las Vegas: analytics is a way for customers to be proactive in their approach to security, using operational data to establish whether a breach has occurred so that it can be shut down before sensitive information is exfiltrated. In Youngjohns’ words: “The first thing you have to do is understand what's coming. This is about being proactive, about identifying vulnerabilities and assessing your capabilities.”

This all sounds logical, but why is security analytics a buzzword now? After all, analytics is by no means an emerging technology, and even the term ‘big data’ has been with us for several years. A big part of the answer is that the evolution of technology, particularly the use of machine data (i.e. the data that is automatically generated by computer and application processes), now gives organisations a picture of what is occurring within their IT environments. In tandem, the growing power of analytics (yes, including big data) allows this data to be processed more rapidly, even in real time.

At the same time, the traditional ‘defend and protect’ model for approaching security is becoming outdated. Using the analogy of IT security as a castle, the traditional approach has been to build higher, thicker walls and to dig deeper moats by adding new technologies (e.g. end-point protection, anti-virus, corporate firewalls, SIEM, etc.). And yet the hordes of threat actors and malware keep coming, at ever-growing levels of sophistication and volume. Meanwhile, the corporate IT environment around which security teams have sought to erect these walls and moats has dissolved thanks to technology trends such as mobility, BYOD, cloud computing and now IoT.

The challenge for security teams to secure the IT perimeter, to the extent that this even still exists, has reached a critical point. In fact, it has reached a level at which organisations typically can no longer keep up, to the point that the majority of organisations acknowledge that it is now a question of when, rather than if, they are breached. As identified by PAC’s recent study looking at incident response (see link here), there is a call for a new approach to security, moving from ‘protect and defend’ to ‘detect and respond’.

To continue the castle analogy, instead of simply building castle walls and moats (which remain important and cannot be ‘abdicated’), the mediaeval security principality must now seek to erect lookout posts, retain mercenaries and employ informants. In this way, they can identify and close those breaches before marauding threat actors can steal the crown jewels.

Given this evolution, perhaps the castle analogy is now outdated, and a police state has become more apt? Indeed, one CISO PAC spoke to yesterday at Eskenzi’s IT Security Forum stated that their default position is to trust no-one! This highlights a further issue (one for a later blog perhaps): the importance of the user within the equation. If security is becoming more like a police state, then CISOs need to ensure that they educate their users about the importance of the measures they take, and collaborate with them to enable rather than obstruct their individuality and innovation within a secure framework.

So what does this mean for analytics-driven security? A look at the numbers behind the threat landscape is indicative. As reported in Symantec’s new annual threat report (see here), released yesterday, the number of new website malware variants grew by over 0.3 billion in 2014, representing a 26% increase. When one considers that this is just one vector of attack, and just the examples that Symantec detected, the scale of the problem begins to emerge. This highlights one of the reasons why machine data-led, analytics-driven security is becoming such a hot topic: instead of ‘signature-based’ security, identifying and ‘blacklisting’ malware individually, new technologies allow for a ‘behavioural’ approach to security.

So what is this term ‘behaviour-based security’ that is being bandied around by vendors to describe their analytics tools? Simply put, by crunching all of the machine data that emerges from within an organisation’s IT environment, analytical tools can build a ‘baseline’ view of typical activity within that environment. What is more, having established this view of typical operations, any ‘anomalous behaviour’ by any user, application, device, etc. (what Splunk, for example, terms a ‘risk object’) can be identified. But again, what is new here? After all, isn’t this what SIEM vendors have been promising for years? It is no coincidence that SIEM vendors are making developments in behavioural analytics, as in many ways this finally allows them to deliver on those promises.

Consequently, it is no great surprise that SIEM vendors such as LogRhythm and Splunk, whom PAC spoke with at InfoSec, highlight their capabilities to this end, as the use of analytics can help to reduce the number of ‘false positives’ produced, allowing security teams to focus on the real problems. Typically, SIEM has acted as a ‘flashing light’, churning out alerts of incidents on the network, but at volumes which security teams struggle to make sense of (as per the infamous Target breach). However, by harnessing analytical engines, security vendors can rise above simply providing alerts to achieve another buzzword for vendors: context. This means that they can help security teams to prioritise their response to incidents by determining their potential severity and/or impact based on the customer-specific reality of the IT environment.
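To make the baseline-and-anomaly idea above and the ‘context’ point concrete, here is a small added illustration (not code from PAC, Splunk, LogRhythm or any other vendor named here). It builds a per-risk-object baseline from constructed machine data, flags observations that deviate from it, and then ranks those alerts by an assumed asset-criticality weight; the metric, the sample events and the criticality weights are all hypothetical.

```python
"""Behaviour-baseline anomaly detection with context-based prioritisation.
Added illustration; all events and weights below are constructed sample data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed machine data: (day, risk_object, megabytes sent outbound that day)
SAMPLE_EVENTS = [
    ("d1", "alice", 40), ("d2", "alice", 45), ("d3", "alice", 38), ("d4", "alice", 42),
    ("d1", "bob", 120), ("d2", "bob", 110), ("d3", "bob", 130), ("d4", "bob", 125),
    ("d1", "svc-db", 500), ("d2", "svc-db", 510), ("d3", "svc-db", 490), ("d4", "svc-db", 505),
]

# Hypothetical context: how critical the assets each risk object touches are
CRITICALITY = {"alice": 1.0, "bob": 1.0, "svc-db": 3.0}

# New day's observations to score against the baseline (constructed)
NEW_OBSERVATIONS = [("alice", 44), ("bob", 450), ("svc-db", 800), ("mallory", 5)]


def build_baseline(events):
    """Per risk object, the mean and population std-dev of the observed metric."""
    per_object = defaultdict(list)
    for _day, obj, value in events:
        per_object[obj].append(value)
    return {obj: (mean(v), pstdev(v)) for obj, v in per_object.items()}


def anomaly_score(baseline, obj, value):
    """Z-score of a new observation; an object with no baseline is treated as maximally anomalous."""
    if obj not in baseline:
        return float("inf")
    mu, sigma = baseline[obj]
    if sigma == 0:  # constant history: anything different is anomalous
        return 0.0 if value == mu else float("inf")
    return abs(value - mu) / sigma


def prioritise(baseline, observations, threshold=3.0):
    """Alerts as (obj, value, z, priority), priority = z * criticality, highest first."""
    alerts = []
    for obj, value in observations:
        z = anomaly_score(baseline, obj, value)
        if z > threshold:
            alerts.append((obj, value, z, z * CRITICALITY.get(obj, 1.0)))
    alerts.sort(key=lambda a: a[3], reverse=True)
    return alerts


def run_example():
    """Baseline the sample events, then score and rank the new observations."""
    return prioritise(build_baseline(SAMPLE_EVENTS), NEW_OBSERVATIONS)
```

Note that bob's raw deviation is larger than svc-db's, yet svc-db ranks higher once criticality is applied, which is the ‘context’ that plain alert volume cannot give.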

These developments in threat detection are being met and matched in other areas of the security value chain, particularly in vulnerability management. For example, the likes of Firemon, Outpost 24 and Qualys highlighted to PAC at InfoSec the steps they have taken to harness analytical engines that help organisations identify vulnerabilities on a similar basis, allowing real-time insight into their security posture. Although a true ‘unified security’ approach is not yet a reality, developments such as these raise hopes that it could one day be achievable. Now if we could just ask the threat actors to stop evolving one step ahead of the market . . .