TO CATCH A CYBER THIEF: FIGHTING SECURITY THREATS IN REAL TIME
Like just about everything else in today’s socially networked universe, enterprise IT security has evolved dramatically in recent years. Security teams are charged with safeguarding vital information in a world connected by a continuous and rapid exchange of an ever-expanding deluge of information. And among those logging on are a growing number of cyber criminals launching continuous and sophisticated threats against organizations worldwide. Investigations have become extremely complex, requiring the ability to analyze data with both context and speed.
No longer can organizations rely on traditional perimeter security and firewalls to protect their vital information assets. Nor can they effectively combat today’s sophisticated cyber criminals by analyzing threats after the fact. In fact, those that think they can in today’s complex cyber world are just sticking their heads in the sand.
Thankfully, Big Data tools and platforms have evolved to meet these new threats head on, armed with real-time data gathering and high speed security analytics.
EMC is in the midst of developing a new enterprise security strategy using these components. We realized this necessity the hard way. Last year’s attack at RSA, The Security Division of EMC, inspired us to make EMC security stronger than it has ever been.
The key question is how we gather all this massive information and then analyze it on a real-time basis. To solve this problem, EMC IT leveraged Greenplum’s Unified Analytics Platform and NetWitness for Logs to gather and ingest security data at blazing speeds and, at the same time, run real-time analytics. This provides us with critical near real-time visibility and the ability to explore large data sets.
We still have more work to do. In the months ahead, we will build on this foundation by further leveraging tools and modeling by our data scientists to move towards a predictive enterprise. Such skilled people are needed to analyze this new onslaught of security data to pick out patterns and create models that can help us spot or even predict cyber attacks and stay ahead of the game.
Our understanding is that most organizations are not yet at the point of developing a security analytics strategy. However, there is a growing realization that such an effort is crucial in the face of today’s constant security threats.
Just consider a few recent statistics:
- In the U.S. government sector alone, reports of security incidents among 24 key federal agencies have increased by more than 650 percent in just the past five years.[i]
- In 2010, 88 percent of Fortune 500 companies experienced Botnet activity (spyware) associated with their domains.[ii]
The first step in combating such threats, of course, is for organizations to acknowledge that traditional security tactics aren’t adequate. Next, they need to define and prioritize their vital information assets and build an end-to-end security strategy. One of the critical steps in this journey is to build an agile security analytics framework that can provide a real-time view of the social enterprise built on a scalable, reliable platform.
We want to leverage this platform to catch anomalies when they occur to help us identify potential threats.
To do this, we provide access to our resources based on multiple criteria that feed a risk calculation: the higher your score, the greater your access. We look at three areas:
- Source score = who you are, what you are using
- Destination score = where you are going, the type of data and your role
- Risk score = risk history, intelligence and user awareness
The idea is that by looking at this information we can start to develop patterns around people, their devices and usage patterns and can spot changes and abnormalities that may signal a security problem.
For example, salesperson Joe always connects from XYZ location on a specific device. Suddenly Joe is connecting from ABC location with a new device. That is an abnormality in Joe’s profile. In response, we can either deny Joe access or step up authentication on this session to ensure that this is indeed Joe.
Or let’s say Joe remotely connects to our system using VPN, but at the same time he is seen badging into an EMC location. How can he be in two places at the same time?
Or he VPNs into EMC from an IP located in Boston, and then, a short time later, connects by VPN from a Phoenix IP. A quick calculation will determine whether Joe, based on average land speed, could have made it to Phoenix in the time between the two connections.
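The land-speed check described above, written out as an added example (not EMC’s code and not part of the original post). It assumes VPN login events have already been geolocated to latitude/longitude and uses a constructed 150 km/h ceiling as the fastest plausible ground travel; consecutive logins per user that would require a higher speed are flagged for step-up authentication or review.

```python
import math
from datetime import datetime

# Assumed ceiling for plausible ground travel, in km/h (constructed value, tune per policy).
MAX_LAND_SPEED_KMH = 150.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (mean Earth radius)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_LAND_SPEED_KMH):
    """events: iterable of (user, ISO-8601 timestamp, lat, lon), already geolocated.
    Returns (user, earlier_ts, later_ts, km, required_kmh) for each pair of
    consecutive logins by the same user that would need more than max_speed_kmh."""
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per user
        for (t0, la0, lo0), (t1, la1, lo1) in zip(logins, logins[1:]):
            km = haversine_km(la0, lo0, la1, lo1)
            if km < 1.0:  # same place (geolocation jitter); nothing to explain
                continue
            hours = (t1 - t0).total_seconds() / 3600.0
            # Distance with no elapsed time is unreachable at any speed
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, t0.isoformat(), t1.isoformat(), round(km), round(speed)))
    return alerts

# Constructed sample: Joe's Boston-then-Phoenix VPN logins an hour apart; Ann stays local.
SAMPLE_LOGINS = [
    ("joe", "2012-05-01T09:00:00+00:00", 42.36, -71.06),   # Boston
    ("joe", "2012-05-01T10:00:00+00:00", 33.45, -112.07),  # Phoenix
    ("ann", "2012-05-01T09:00:00+00:00", 42.36, -71.06),   # Boston
    ("ann", "2012-05-01T11:00:00+00:00", 42.44, -71.23),   # about 16 km away
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```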
Among the biggest challenges in creating a successful real-time security analysis strategy is employing the right mix of people. It requires a combination of security skills and data science skills.
It also requires agility and striking a balance between maintaining security safeguards and sharing information as a social enterprise in today’s networked world. (Read what Branden Williams of RSA has to say about Big Data vs. Social Engineering.) Statistics show that an individual falls victim to a cyber crime every 19 seconds.[iii] Each data breach cost those targeted an average of $5.5 million in 2011, according to the 2011 Cost of Data Breach Study: United States compiled by the Ponemon Institute.
Potential damage to your organization’s reputation from security breaches is much harder to quantify.
If you catch a cyber attack after the fact, you’ve already lost what you weren’t supposed to lose. If you catch it before it happens, the likelihood of you preventing or stopping it is pretty high. If you don’t even acknowledge that the threat exists, then there’s no telling what you’re losing to cyber thieves.
As incredible as it may seem, the No. 1 issue for enterprises today is not how to act upon a security issue. Most of them don’t know there is an issue going on.
EMC is committed to being out in front of the cyber threats pervading today’s Big Data world. Your organization should be too.
(For more insights into security challenges read the white paper How Will CIOs Meet Growing Security Threats?)