In the same way that big data has been leveraged in other security fields, such as monitoring for unusual credit card transactions and adding behavioural analysis to online authentication, bringing the big-data guns to bear on endpoint security can turn the tables on cybercriminals and, hopefully, let us sleep a little better at night.
Endpoint security is broken
I was recently talking to a security engineer who outlined the problems he had been facing. He and his colleague were responsible for all the cybersecurity at their organisation. They were finding that their traditional antivirus was not preventing all types of attacks; they needed protection against previously unknown attacks, and the management interface of their security system was clunky and awkward, with problematic updates that frequently broke other parts of the system. With just the two of them on the team, they were struggling.
In fact, what my friend was describing were the most common challenges facing security teams today, and they stem from the fact that the threat environment has evolved to the point where many organisations feel backed into a corner.
Traditional antivirus approaches have become less effective in the face of fileless attacks. They suffer a circular flaw because they rely on having met the threat before: only attacks that match a known malicious signature are automatically recognised and stopped. This reactive approach is ineffective against attacks that infiltrate through trusted applications and only start to wreak havoc once they have penetrated the network perimeter.
A related challenge is the lack of context provided by traditional AV solutions. Operating in a vacuum, we assume that if we don’t see something getting blocked, there’s nothing to worry about. But that’s not the case; fileless attacks do leave a footprint, but we need to analyse the unfiltered data to see the malicious patterns in order to respond.
Finally, the challenge of management. As defences have been built piecemeal, with different tools added at different times, system tools have become siloed, all managed from different consoles and struggling to share information.
It’s like trying to box with one hand tied behind your back and one eye closed – you can’t see half of the attacks coming which means you can’t defend against them.
The big guns of big data
The average organisation has thousands of distributed endpoints, every one of them part of the potential attack surface. With mobile working and the adoption of the cloud for business processes, the perimeter has changed. By using the cloud to analyse every single piece of event data coming from those endpoints, we can build up a comprehensive picture of what is normal activity and what is suspicious. That gives us the context we need to work out what a threat actually looks like. For example, a browser being opened and Flash launching is benign on its own, but it becomes a threat when Flash then launches PowerShell. That is not normal behaviour, and that is where we step in to stop the attack in its tracks.
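The Flash-launches-PowerShell case above is a process-ancestry rule: the individual events are harmless, the parent-child chain is not. The following is an added example, not code from the original article or from any vendor's product, showing how such a rule can be evaluated over a stream of process-creation events. The `pid|ppid|image path|command line` line format and the sample events are constructed for this example, and the lists of "content handler" and "script host" images are assumptions to be tuned for a real environment.

```python
"""Process-tree anomaly detection over constructed process-creation events.

A script host (powershell.exe, cmd.exe, mshta.exe ...) is flagged when any of
its ancestors is a user-facing content handler (a browser or the Flash plugin
it hosts).  Each event alone looks normal; the chain is the signal.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed image names; extend for your own environment.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}


def is_content_handler(image: str) -> bool:
    """Browser or browser-hosted plugin (Flash plugin binaries are versioned)."""
    return image in BROWSERS or image.startswith("flashplayerplugin")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercased basename of the image path
    cmdline: str


@dataclass
class Alert:
    pid: int
    chain: List[str]  # image names from the flagged process up to its root ancestor


class ProcessTree:
    """Keeps the observed processes keyed by pid so ancestry can be walked."""

    def __init__(self) -> None:
        self.by_pid: Dict[int, ProcEvent] = {}

    def ancestry(self, pid: int) -> List[str]:
        chain: List[str] = []
        seen = set()                      # guards against pid reuse loops
        cur = self.by_pid.get(pid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            chain.append(cur.image)
            cur = self.by_pid.get(cur.ppid)  # stops at an unknown parent
        return chain

    def observe(self, ev: ProcEvent) -> Optional[Alert]:
        """Record the event and return an Alert if the chain rule fires."""
        self.by_pid[ev.pid] = ev
        if ev.image not in SCRIPT_HOSTS:
            return None
        chain = self.ancestry(ev.pid)
        if any(is_content_handler(img) for img in chain[1:]):
            return Alert(ev.pid, chain)
        return None


def parse_line(line: str) -> ProcEvent:
    """Constructed format: pid|ppid|image path|command line."""
    pid, ppid, path, cmdline = line.split("|", 3)
    image = path.rsplit("\\", 1)[-1].lower()
    return ProcEvent(int(pid), int(ppid), image, cmdline)


def detect(log_text: str) -> List[Alert]:
    tree = ProcessTree()
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = tree.observe(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: one benign PowerShell run from explorer.exe and one
# launched from the Flash plugin hosted by Chrome.  The -enc payload is just
# "IEX" encoded as PowerShell expects (UTF-16LE, base64).
SAMPLE_LOG = r"""
400|1|C:\Windows\explorer.exe|explorer.exe
1001|400|C:\Program Files\Google\Chrome\chrome.exe|chrome.exe --profile-directory=Default
1007|1001|C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_32_0_0_371.exe|FlashPlayerPlugin_32_0_0_371.exe --type=plugin
1012|1007|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
1020|400|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT pid={a.pid} chain={' <- '.join(a.chain)}")
```

Only the second PowerShell instance is flagged, because its ancestry runs through the Flash plugin and Chrome; the one started from explorer.exe with a script file passes. The walk stops at an unknown parent and guards against pid reuse, which are the two things that most often break naive ancestry checks on real telemetry.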
Using predictive, cloud-based security we can converge detection with prevention and response, sniffing out and neutralising malicious activity and instantaneously learning and sharing information so no one else under protection need fall prey to the same attack strategy. Defence updates based on real-time threat intelligence can be rolled out swiftly and, because the same dataset is used throughout, detection, prevention, and response work together seamlessly – no chance of “breaking” another part of the system with an update.
There are more advantages to this approach. It is a proactive tactic that takes the advantage away from the attacker. Traditional AV focuses on detecting malware at the point of delivery; if it is missed at that point, the attacker has gained access and is free to complete their exploit and gain intelligence for future incursions. With predictive security, all activity is under scrutiny all the time. This means that when attackers test their attack idea against the system, we know about it and can defend against it, which wipes out the advantage attackers gain from R&D testing. Attacks can be detected and mitigated at more points in the kill chain, giving cybercriminals far less room for manoeuvre.
Cloud-based security also offers another key benefit that security teams welcome: time. Bringing endpoint security into the cloud under a single management console dramatically reduces the management time needed to maintain defence. That time can be invested in more valuable, proactive activities, such as threat-hunting. The context provided by the cloud analytics gives us a greater understanding of the threat environment and helps us be smarter about how we evolve our own defences.
As it turns out, my friend deployed cloud-based predictive security, giving “a couple sighs of relief” when it was up and running. So, thanks to the power of big data and the cloud, at least one security specialist is sleeping a little better now.