Stories in the media about the latest disturbing advanced persistent threat (APT) are now a common sight, affecting well-known institutions, companies and government agencies. The frequency of these threats highlights that even the best IT network perimeter defenses are unable to prevent these intrusions. Proxies, firewalls, VPNs, antivirus and anti-malware tools all help to prevent attacks, but today’s threats can get past these traditional security tools in minutes.
Craig Richardson for Data-Informed discusses how decision makers are concluding that big data analytics is an important part of their security outlook. By using analytics to raise the alarm early and responding quickly when it sounds, an organization has a much better chance of preventing the loss or compromise of critical information.
This is most certainly not an easy task. A smart attacker might lie low within a company’s system for weeks, or even months, concealing his movements within a busy network, waiting for the moment to pounce. Insider jobs are also increasingly hard to spot, with only a small part of their daily activity nefarious in intent. Both kinds of attacker can effectively hide in plain sight.
The key to reducing these threats is understanding what is happening early in an attack, evaluating the degree of risk at any one time, and having a plan to counter any untoward activity. Using big data analytics to detect attacks involves three inter-related and ongoing steps:
- Identify the risks: Information-driven cyber intelligence means the ability to assess, manage and minimize risks. Identifying threats and assessing the vulnerability of critical assets and operations to each specific threat helps organizations reduce those risks and strategically prioritize risk-reduction measures.
- Use data analytics to detect threats and unusual behavior: Data analytics can monitor patterns across an entire network, mapping normal activity and detecting previously unidentified APTs as they manifest themselves within the system. Analysts are alerted to seemingly aberrant behavior and connections for further investigation. IT and information security are alerted as quickly as the behavior is noted, and effective response is deployed.
- Prepare and activate an incident response plan: Once the alarm has been sounded, organizations have to act quickly to prevent the loss of critical information. Having an incident response plan guides the actions of the organization and ensures it can close the gap between attack and defense and prevent the danger from spreading.
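The middle step above, mapping normal activity and alerting on deviations from it, is the one that lends itself to a concrete illustration. The following Python example is added here and is not code from the original post or from any product it mentions. It builds a per-host baseline from a period of constructed flow records (known destinations and daily egress volume), then scores a later observation window against that baseline, flagging contact with a destination the host has never used before and daily egress that sits more than three standard deviations above the host's norm. The record fields, host names, the 203.0.113.7 address (a documentation-range address) and all byte counts are constructed for the example and are not any real product's schema.

```python
"""Baseline-and-deviation detection over constructed network flow records.

Added illustration of "map normal activity, alert on what deviates from it".
Every record, host name, address and threshold here is constructed for the
example; the Flow fields are an assumption, not a real product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int        # day index within the observation period (constructed)
    host: str       # internal source host
    dst: str        # destination the host talked to
    bytes_out: int  # bytes sent from host to dst


def build_baseline(flows):
    """Summarise what is normal for each host during a quiet learning period.

    Returns the set of destinations each host has been seen talking to and the
    mean / population standard deviation of its daily outbound byte count.
    """
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    for f in flows:
        dests[f.host].add(f.dst)
        daily[f.host][f.day] += f.bytes_out
    egress = {}
    for host, per_day in daily.items():
        values = list(per_day.values())
        egress[host] = (mean(values), pstdev(values))
    return {"dests": dests, "egress": egress}


def detect(baseline, flows, z_threshold=3.0):
    """Score an observation window against the baseline.

    Produces (host, kind, detail) alerts, sorted deterministically:
      - "new_destination": the host contacted something absent from its baseline
        (reported once per host/destination pair, however often it recurs);
      - "egress_volume": a day's outbound bytes exceed mean + z_threshold * stdev.
    A host with no baseline at all is treated as mean 0, so any traffic from it
    is reported: an unknown host sending data is worth an analyst's attention.
    """
    new_dests = set()
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.dst not in baseline["dests"].get(f.host, set()):
            new_dests.add((f.host, f.dst))
        daily[f.host][f.day] += f.bytes_out

    alerts = [(host, "new_destination", dst) for host, dst in sorted(new_dests)]
    for host in sorted(daily):
        mu, sigma = baseline["egress"].get(host, (0.0, 0.0))
        # A perfectly flat baseline has sigma == 0; use a floor so the z-score
        # stays finite instead of dividing by zero.
        spread = sigma if sigma > 0 else max(mu * 0.1, 1.0)
        for day, total in sorted(daily[host].items()):
            if (total - mu) / spread > z_threshold:
                alerts.append((host, "egress_volume", day))
    return alerts


# Constructed learning period: five quiet days for two workstations.
BASELINE = (
    [Flow(d, "ws-01", "intranet-fileshare", 8000 + 500 * (d % 3)) for d in range(1, 6)]
    + [Flow(d, "ws-01", "mail-gw", 2000 + 250 * (d % 2)) for d in range(1, 6)]
    + [Flow(d, "ws-02", "intranet-fileshare", 6000 + 400 * (d % 2)) for d in range(1, 6)]
)

# Constructed observation window: ws-01 stays normal; ws-02 first makes a tiny,
# easy-to-miss contact with an unseen address, then sends a large transfer to it.
WINDOW = [
    Flow(6, "ws-01", "intranet-fileshare", 8500), Flow(6, "ws-01", "mail-gw", 2000),
    Flow(7, "ws-01", "intranet-fileshare", 9000), Flow(7, "ws-01", "mail-gw", 2250),
    Flow(6, "ws-02", "intranet-fileshare", 6000),
    Flow(6, "ws-02", "203.0.113.7", 200),     # low-volume contact with an unseen host
    Flow(7, "ws-02", "intranet-fileshare", 6400),
    Flow(7, "ws-02", "203.0.113.7", 45000),   # bulk transfer to that same host
]


if __name__ == "__main__":
    for host, kind, detail in detect(build_baseline(BASELINE), WINDOW):
        print(f"{host}: {kind} ({detail})")
```

Note that the small day-6 contact is caught only by the destination check, not by volume: a quiet attacker's first beacon rarely moves enough data to stand out, which is why the destination baseline matters as much as the byte counts. In practice the baseline would be rebuilt on a rolling window and the thresholds tuned per environment; the three-sigma cut-off here is an example value, not a recommendation.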
No organization in the world is immune from targeted cyber-attacks such as APTs, and the prevalence and sophistication of such attacks are increasing. This means that there is no excuse for not investing in traditional security measures. However, the threats that companies now face mean that bigger fences on their own won’t work. Smart tools are needed inside. Analytics can detect, identify, and manage cyber risk to mitigate potential threats and stop attackers quickly.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”