Breaches and data theft seem all too common today, and sadly all too easy. Customers can be severely impacted, penalties can be significant, and the news cycle can be merciless. This is forcing organizations to think beyond their existing controls and evolve their security operations to mitigate the loss of the perimeter and counter sophisticated attack vectors. Fortunately, there is a new, transformative approach to cybersecurity that can help.
Security operations are increasingly emphasizing the use of all available data for a more resilient and automated infrastructure. Organizations are finding that applying advanced analytics to cybersecurity can yield much-needed breakthroughs in incident response and threat detection, while significantly improving their security posture.
This is Data-Driven Security
It is an approach that emphasizes the collection and analysis of the streams of security data that underpin all digital infrastructures. It complements an organization’s controls, strengthens existing processes, and transforms security operations.
- Reduced case workload and alert fatigue by lowering false positives through learning algorithms
- Ability to detect privilege escalation, dormant privileged accounts, and other identity-based attack vectors
- Improved breach detection by alerting on anomalous activities that deviate from the norm, thereby reducing dependence on static rule sets
- Proactive detection of insider threat by automating analysis of data to detect credential misuse, entitlement aggregation, data exfiltration, and other indicators of malicious behavior
- Securing access to the cloud through automated monitoring of activity logs to identify anomalous access attempts, data loss, and potential breaches
- Enabling faster incident response and security reporting through rapid search capabilities across multi-year historical security data
An Infrastructure That Can Keep Up
Realizing these benefits requires technical infrastructure that can support the storage and analysis of diverse, historical, and real-time data. The major elements are:
- Security Data Lake: This is defined as a platform with ingest and storage backend that is a source of correlated and enriched security data. It includes identity, access, and activity data. The data lake helps organizations understand the security data available to them through analytics and machine learning.
- Machine Learning: This is a sophisticated method that uses an algorithmic approach to: identify anomalous user, host and network activity; identify outlier access; and help an organization reduce dependence on static threat signatures.
- Integration with Identity and Risk: Integrating activity data with identity enables richer analytics, and integrating analytics results with risk management processes enables more accurate risk scoring.
The Need for Digital Intelligence
“Today’s digital infrastructure is complex, and virtually impossible to protect without a digital intelligence apparatus,” said Sila Security Lead Arvind Iyer. “This is what analytics can do for you. It lets you be proactive, and proactive detection enables quicker response and recovery.”
The goal is to bring together security, analytics and machine learning to create a solution that works. This usually happens through four stages:
- Determine current state challenges, gather security requirements, develop an implementation roadmap, and identity suitable technology platforms/vendors.
- Setup and configure a security data lake, which is a foundational component for analytics and a source of correlated and enriched security data that includes identity, access, and activity data.
- Implement analytics and machine learning models and tools to enable better detection, response, and recovery.
- Integrate with existing risk management processes to enable risk scoring at the identity and entity level for more effective risk-based alerts.
Analytics is transforming every industry today, unlocking valuable insights and opening new opportunities. It can also be a breakthrough approach for cybersecurity.